
c837 Split-Tunnel problem

larry
Level 1

Hello. I am running IOS 12.4(1) on a new 837 router. VPN clients can connect and access the internal network. However, I cannot seem to get split-tunnel working.

The 837 has a single static public IP. I am static NATing some ports to internal servers. I have the IP pool and the split-tunnel ACL in the ISAKMP client config group and am not NATing the IP pool in the route-map.

VPN clients are v4.5.x & v4.6.x. Traceroutes from all clients indicate that all traffic to the Internet is routing through the tunnel -- no split-tunnel functionality.

Config file (837.txt) is attached. Thanks in advance for your assistance!


rooter_c
Level 1

My access list goes like this:

ip access-list extended vpnaccess
 permit ip 192.168.1.0 0.0.0.255 172.16.23.0 0.0.0.255

where 192.168.1.x is my LAN subnet and 172.16.23.x is my IP pool.

Everything else looks much like yours, except I think your VPN clients won't be able to get to those ports that you have static NATs on.
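As an added worked example (not from this thread and not Larry's attached 837.txt), here is a minimal IOS Easy VPN server split-tunnel configuration in the shape rooter_c describes, together with the NAT exemption Larry mentions in his first post. The names SPLIT-TUNNEL, NONAT, VPNPOOL and VPNGROUP, the 192.168.1.0/24 LAN, the 172.16.23.0/24 pool and the Dialer1 outside interface are assumptions; the pre-shared key, transform set, dynamic map and crypto map that the rest of an Easy VPN server needs are assumed to already be in place.

```cisco
! Addresses handed to connecting VPN clients (assumed range)
ip local pool VPNPOOL 172.16.23.1 172.16.23.50
!
! Split-tunnel ACL. The SOURCE networks in this list are what the
! Easy VPN server pushes to the client as its secured routes; any
! destination not covered stays on the client's own default route.
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.1.0 0.0.0.255 172.16.23.0 0.0.0.255
!
! Client group: the pool and the split-tunnel ACL live here. The
! group name must match the group the VPN Client profile connects to;
! a group without an "acl" line tunnels everything.
crypto isakmp client configuration group VPNGROUP
 key <pre-shared-key>
 pool VPNPOOL
 acl SPLIT-TUNNEL
!
! NAT exemption: LAN-to-pool traffic must NOT be translated, otherwise
! replies to VPN clients are PATed out the public interface instead of
! being sent back into the tunnel.
ip access-list extended NONAT
 deny   ip 192.168.1.0 0.0.0.255 172.16.23.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address NONAT
!
! PAT everything the route-map lets through onto the single public IP.
! Static port forwards (ip nat inside source static tcp ...) are
! separate entries and are not affected by the NONAT list.
ip nat inside source route-map NONAT interface Dialer1 overload
```

Two checks worth doing against this shape of configuration: on the client, the VPN Client's Statistics > Route Details window should list only 192.168.1.0/24 as a secured network, and a Windows "route print" should still show a single 0.0.0.0 default route via the local adapter rather than a second one via the pool address; on the router, confirm that the group the client actually authenticated to is the one carrying the "acl" line, since the split-tunnel attribute is only pushed from that group.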

Thanks, Rooter. I'm out of town until Friday (24 June), but will try your suggestion Saturday and let you know here.

I've seen examples of split-tunnel ACLs permitting the local LAN only to the IP pool, and others permitting it to any.

Rooter, it didn't work. I applied the ACL as you described with my IP segment info, and more importantly, my VPN IP Pool.

The status is the same: the VPN tunnel works, but I cannot get split tunnel to work.

When you say no split tunnel, what can't you get to exactly?

Hi Rooter --

The Windows "route print" on the PC running the VPN Client shows the remote network gateway AND the VPN IP pool IP as the gateway for all the segments. When the tunnel is disconnected, I only have the remote network gateway, which I would expect. As soon as the VPN is established, it becomes the precedent gateway for every network.

Also, when I tracert to hosts and IPs that are on the Internet vs. the private LAN, it still attempts to route through the tunnel.

-- Larry

Have you tried it without the "reverse-route"? I haven't used that before, but it looks like it populates your routing table; maybe it conflicts with the split-tunnel settings?

I removed the reverse-route with no change in status. IOS v12.4.2T was issued with some caveat discussion about split-tunnel corrections. I tried v12.4.2T too with no change. I then tried several of the v12.3 releases with no change.

The route print continues to show two gateways for the 0.0.0.0 path and tracert continues to reach any host via tunnel.

I'm growing suspicious of the static NAT causing a conflict and will experiment with that next, I suppose.