Re: PIX 6.3 and Cisco VPN Client 4.0.1

afliger · ‎06-04-2003

I am having difficulty getting split-tunnel to work with VPN Client 4.0.1 to PIX 6.3 connections. If I do not use split-tunneling, the client has complete access to the remote LAN but no local LAN connectivity. If I add the vpngroup xxx split-tunnel command (acl-vpn permit ip inside_net /24ip pool ip range/24 + acl-vpn permit ip inside_net/24 remote network/24), packets will not encrypt or decrypt (only bypass) on the client, and the "local lan access" shows as disabled in the client stats. Is there something new about the 4.0.1 VPN clients configuration on the PIX? Does anyone have a sample config for split-tunneling with all this most recent software?

TIA - drud

jsivulka · ‎06-10-2003

You should refer to bug CSCea76011 that documents the problem described by you, ie problems with IPSec with Split tunneling on certain machines. As per the bug, the problem has been resolved and you should be seeing a fix pretty soon.

afliger · ‎06-10-2003

Thank you for your reply.

I have the Client 4.0.1 which states that this caveat was resolved:

"IPSec over TCP and/or Split tunneling does not work on certain machines. This issue is the same as CSCdz51629, and CSCdy80016. For example, using a Sierra SMC2632W wireless card, and building a VPN tunnel to a PIX firewall, if split-tunneling is used, then no SAs are built for the networks in the split tunnel list, resulting in no traffic flow over the tunnel"

Perhaps my config is wrong?

ip local pool

nat (inside) 0 access-list nonat

access-list nonat permit ip inside_net 255.255.255.0 255.255.255.0

vpngroup vpn-1 split-tunnel nonat