12-20-2007 02:58 AM - edited 03-09-2019 07:41 PM
My PIX firewall is the VPN headend device. It is located behind a C1721 router. I have to customize VPN remote access without split tunneling. It works OK if I try to connect from a VPN client located between the PIX and the C1721. If I try to connect from an external VPN client located in front of the C1721, then it works but without access to internal resources. But it works OK if I use split tunneling. I switched on Reverse Route Injection. Help me localize the mistake, please. What is wrong?
12-25-2007 03:15 PM
If you are talking about accessing the Internal LAN behind PIX from the clients, there's no way it will NOT work without split tunnel, if it works with split tunnel.
Could you please paste a n/w diagram and relevant part of PIX and router config.
12-24-2007 02:24 AM
Hi Andrey
Make sure the following exists in the firewall config:
crypto isakmp nat-traversal 20
Regards
12-24-2007 11:42 AM
It exists in my config.
The external client cannot access internal resources if I include the following attributes for the group policy:
"split-tunnel-policy tunnelall"
"split-tunnel-network-list none".
I should specify: the external client receives access to the Internet through the VPN connection.
12-26-2007 12:29 AM
Please, see PDF-files in attachment.
You will find the network diagram and the configuration files for the Cisco devices.
12-28-2007 07:15 AM
Thanks to all. I found the mistake in the configuration of the C1721.
It was wrong destination port for IPSec over UDP.
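The root cause in this thread was a wrong destination port on the edge router in front of the headend. The following script, added here as an illustration and not part of the original thread or any Cisco tool, shows the kind of check that catches it: it parses a constructed Cisco-style access list and reports which of the flows a remote-access IPsec headend needs (IKE on UDP/500, NAT-Traversal on UDP/4500, and ESP) have no permit entry toward the headend. The ACL text, the `OUTSIDE_IN` name and the headend address `192.0.2.10` are all constructed placeholders, and the sample deliberately contains an off-by-one port (4501) to mirror the mistake described above.

```python
"""Audit a Cisco-style access list for the flows an IPsec VPN headend
behind an edge router needs to receive.

Added example, not from the thread; the ACL text below is constructed
and the headend address is a placeholder (RFC 5737 documentation range).
"""
import re

# Flows remote-access clients must reach on the headend:
#   UDP/500  - IKE
#   UDP/4500 - IKE/ESP NAT-Traversal (what "isakmp nat-traversal" enables)
#   ESP      - IP protocol 50, used when no NAT sits between client and headend
REQUIRED = {("udp", 500), ("udp", 4500), ("esp", None)}

HEADEND = "192.0.2.10"  # placeholder for the PIX outside address

# Constructed ACL resembling the situation in the thread: the NAT-T entry
# points at the wrong destination port (4501 instead of 4500).
SAMPLE_ACL = """\
access-list OUTSIDE_IN permit udp any host 192.0.2.10 eq 500
access-list OUTSIDE_IN permit udp any host 192.0.2.10 eq 4501
access-list OUTSIDE_IN permit esp any host 192.0.2.10
access-list OUTSIDE_IN deny ip any any
"""

# Matches the subset of extended-ACL syntax used in the sample above.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+)\s+(?P<dst>any|host \S+)(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


def parse_acl(text):
    """Return a list of (action, proto, dst_host_or_any, port) tuples."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # skip remarks and lines outside the supported syntax
        dst = m.group("dst").split()[-1]  # "host 192.0.2.10" -> "192.0.2.10"
        port = int(m.group("port")) if m.group("port") else None
        entries.append((m.group("action"), m.group("proto").lower(), dst, port))
    return entries


def missing_permits(text, headend):
    """Return the REQUIRED (proto, port) pairs that no permit entry covers."""
    permitted = set()
    for action, proto, dst, port in parse_acl(text):
        if action != "permit" or dst not in ("any", headend):
            continue
        permitted.add((proto, port))
    return {req for req in REQUIRED if req not in permitted}


if __name__ == "__main__":
    gaps = missing_permits(SAMPLE_ACL, HEADEND)
    for proto, port in sorted(gaps, key=str):
        print("no permit entry toward", HEADEND, "for", proto, port or "")
```

Run against the sample it reports the missing UDP/4500 permit; after correcting the port the report is empty. The same idea applies to a static NAT or port-forwarding table on the edge router: list the flows the headend expects and verify each one is actually forwarded to it.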