Split Tunnel Problem

john-morales
Level 1

I have a 506E at the main site and at the 2 remote sites I employ 501s; the 2 remote sites connect to the main site via VPN. Now until recently everything has worked. Users at each remote site were able to connect to the main site via the VPN and connect to the corp. server. The users at the remote sites were also able to browse the internet.

Now the users at both remote sites can connect via VPN to the main site, but they are now unable to browse the internet. Since I maintain the firewalls, I know that the configs have not changed.

So where do I begin, or any suggestions on how to troubleshoot?

Again, my problem is not VPN related, that works. But browsing the internet is not working.

Thanks

7 Replies

rolandshum
Level 1

Do you have routers behind the remote site firewalls? Do all the workstations use the inside interface on the Pix as the default gateway?

I'm asking because while the Pix may not have changed something behind your firewalls might have. The ACL for the split tunnels might need to be updated.

Yes, there are routers, but since the remote sites are using SBC DSL, they are more like DSL modems.

The PIXes are configured to log on to the SBC site.

All the workstations do use the inside interface of the Pix as the default gateway.

Thanks

layer9
Level 1

One thing I would suspect is DNS. Whose DNS do you use? Your ISP's, or internal DNS? Are users able to access the right DNS servers? I would start there. Make sure that they can PING their respective DNS servers.

Since you are confident NOTHING has changed on the IPSEC tunnel or ACLs, then I would suspect a DNS issue.

Regards

Chris Weber CCDP

cw@layer9corp.com

I am using the ISP DNS, but when I try to ping the ISP DNS, I am unable to ping them. But if I disconnect the PIX from the network and use the SBC software to log on to the internet, I get the same DNS servers (ISP's) and I am then able to access the internet. This is PC to SBC router/modem with SBC software.

Thanks

Can you post your PIX 506 config?

It will make it easier to help you...

501 PIX config.

I am "x'ing" out the public IPs and logon names for security purposes.

First is the remote PIX (501) config:

PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname naperville
domain-name mca.uucp
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group pppoe-sbc request dialout pppoe
vpdn group pppoe-sbc localname xxxx@xxxx.net
vpdn group pppoe-sbc ppp authentication pap
vpdn username xxxx@xxxx.net password *********
dhcpd address 192.168.4.100-192.168.4.131 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
vpnclient server x.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup mcagroup password ********
vpnclient enable
terminal width 80

OK, now here is the 506 PIX config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname Pix01
domain-name mca.uucp
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.128
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mcapool 10.0.0.1-10.0.0.254
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set mcaset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set mcaset
crypto map mcamap 10 ipsec-isakmp dynamic dynmap
crypto map mcamap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mcagroup address-pool mcapool
vpngroup mcagroup split-tunnel 101
vpngroup mcagroup idle-time 1800
vpngroup mcagroup password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
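To sanity-check what the 506's split-tunnel ACL (the three "access-list 101" lines in the config above) will and will not steer into the tunnel from a remote site, here is an added Python example, not part of this thread, that parses those ACEs and classifies sample destinations for a host on the Naperville 192.168.4.0/24 LAN. The corp server and ISP DNS addresses are constructed placeholders, and the matching follows PIX vpngroup split-tunnel semantics (hub-side network first, client-side network second, so client traffic to the hub-side network is tunneled and everything else leaves in the clear via the PPPoE interface).

```python
import ipaddress
import re

# Split-tunnel ACL exactly as posted for the 506 in this thread.
ACL_101 = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
"""

# PIX 6.x ACEs use real subnet masks (not IOS wildcard masks).
ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+(permit|deny)\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
)


def parse_acl(text):
    """Return [(action, hub_net, client_net)] for every 'permit/deny ip' ACE."""
    entries = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a plain 'ip' ACE
        _, action, hub_ip, hub_mask, cli_ip, cli_mask = m.groups()
        hub = ipaddress.ip_network(f"{hub_ip}/{hub_mask}", strict=False)
        cli = ipaddress.ip_network(f"{cli_ip}/{cli_mask}", strict=False)
        entries.append((action, hub, cli))
    return entries


def path_for(entries, src, dst):
    """'tunnel' if src->dst mirrors a permit ACE (dst in hub net, src in client net), else 'clear'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, hub, cli in entries:
        if d in hub and s in cli:
            return "tunnel" if action == "permit" else "clear"
    return "clear"  # no ACE matched: sent out the local PPPoE link with NAT


# Constructed sample destinations for a DHCP host on the Naperville LAN.
SAMPLES = {
    "corp server 192.168.1.10": "192.168.1.10",
    "ISP DNS (placeholder) 203.0.113.53": "203.0.113.53",
    "other remote site 192.168.3.5": "192.168.3.5",
}


def classify_samples(client_ip="192.168.4.100"):
    entries = parse_acl(ACL_101)
    return {label: path_for(entries, client_ip, dst) for label, dst in SAMPLES.items()}


if __name__ == "__main__":
    for label, path in classify_samples().items():
        print(f"{label:36} -> {path}")
```

With the ACL as posted, the ISP DNS address falls outside every ACE, so the split-tunnel definition itself sends that traffic in the clear over the PPPoE interface; the failed pings to the ISP DNS therefore point at the clear path (NAT, PPPoE, or the DSL side) rather than at the tunnel selection.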