07-25-2002 12:26 PM - edited 02-21-2020 11:57 AM
Before I add split-tunnel to the config, the VPN client can access the internal network but cannot browse the internet through their proxy. The proxy can be pinged. A route was added for the VPN subnet pointing back to the PIX.
When I had split-tunnel, the VPN client could no longer access the internal network!
I have placed the configuration here for review. I have reviewed it against examples and cannot see where I went wrong.
Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1J4AUgl4pqf/4txW encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname MRM-PIX
domain-name MRM.MB.CA
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_out permit tcp any host 206.45.216.36 eq 445
..
..
!---- access is needed to a number of internal networks
access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.15.0 255.255.255.0
access-list 101 permit ip 204.112.131.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 101 permit ip 204.112.136.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 101 permit ip 192.168.160.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 101 permit ip 192.168.170.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 101 permit ip 192.168.180.0 255.255.255.0 192.168.15.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1452
mtu inside 1452
ip address outside 206.45.216.34 255.255.255.224
ip address inside 10.11.13.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 192.168.15.1-192.168.15.24
pdm history enable
arp timeout 14400
global (outside) 1 206.45.216.35
nat (inside) 0 access-list 101
nat (inside) 1 10.12.54.1 255.255.255.255 0 0
static (inside,outside) 206.45.216.36 10.11.41.16 netmask 255.255.255.255 0 0
.
.
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 206.45.216.33 1
route inside 192.168.160.0 255.255.255.0 10.11.11.1 1
route inside 192.168.170.0 255.255.255.0 10.11.11.1 1
route inside 192.168.180.0 255.255.255.0 10.11.11.1 1
route inside 204.112.91.0 255.255.255.0 10.11.11.1 1
route inside 204.112.131.0 255.255.255.0 10.11.11.1 1
route inside 204.112.136.0 255.255.255.0 10.11.11.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpnuser1 address-pool clientpool
vpngroup vpnuser1 dns-server 10.11.41.16 10.11.41.2
vpngroup vpnuser1 wins-server 10.11.41.4 204.112.131.100
vpngroup vpnuser1 default-domain MRM.MB.CA
vpngroup vpnuser1 split-tunnel 101
vpngroup vpnuser1 idle-time 1800
vpngroup vpnuser1 password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:c50fde1b81b8532dfbe1053d998fcc01
: end
[OK]
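An added sanity check (my own example, not part of the thread) for the split-tunnel setup in the configuration above. On PIX 6.x the split-tunnel ACL is written from the PIX side (source = internal network, destination = client pool) and here doubles as the nat 0 ACL, so three things must agree: no ACL source network may overlap the client pool, every ACL destination must cover the whole pool, and every network routed toward the inside should be listed, or a split-tunnelling client will send that traffic outside the tunnel. The sample input is the relevant subset of lines copied from the posted config; the parser and the check names are my own.

```python
"""Consistency checks for a PIX 6.x remote-access VPN with split tunnelling.

Added example, not from the forum thread. Parses access-list, ip local pool,
route inside, ip address inside and vpngroup lines and reports mismatches
between the split-tunnel ACL, the client pool and the inside routing.
"""
import ipaddress
import re
from collections import defaultdict

# Sample input: the relevant lines copied from the configuration posted above.
SAMPLE_CONFIG = """
access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.15.0 255.255.255.0
access-list 101 permit ip 204.112.131.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 101 permit ip 204.112.136.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 101 permit ip 192.168.160.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 101 permit ip 192.168.170.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 101 permit ip 192.168.180.0 255.255.255.0 192.168.15.0 255.255.255.0
ip address inside 10.11.13.1 255.0.0.0
ip local pool clientpool 192.168.15.1-192.168.15.24
nat (inside) 0 access-list 101
route inside 192.168.160.0 255.255.255.0 10.11.11.1 1
route inside 192.168.170.0 255.255.255.0 10.11.11.1 1
route inside 192.168.180.0 255.255.255.0 10.11.11.1 1
route inside 204.112.91.0 255.255.255.0 10.11.11.1 1
route inside 204.112.131.0 255.255.255.0 10.11.11.1 1
route inside 204.112.136.0 255.255.255.0 10.11.11.1 1
vpngroup vpnuser1 address-pool clientpool
vpngroup vpnuser1 split-tunnel 101
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
ROUTE_RE = re.compile(r"^route inside (\S+) (\S+) \S+ \d+$")
INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)$")
GROUP_RE = re.compile(r"^vpngroup (\S+) (address-pool|split-tunnel) (\S+)$")


def net(addr, mask):
    """Build a network from a PIX 'address mask' pair (host bits tolerated)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    acls = defaultdict(list)    # ACL name -> [(src_net, dst_net), ...]
    pools = {}                  # pool name -> (first_addr, last_addr)
    inside_nets = []            # directly connected or routed toward the inside
    groups = defaultdict(dict)  # vpngroup name -> {"address-pool": .., "split-tunnel": ..}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m[1]].append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := ROUTE_RE.match(line):
            inside_nets.append(net(m[1], m[2]))
        elif m := INSIDE_RE.match(line):
            inside_nets.append(net(m[1], m[2]))
        elif m := GROUP_RE.match(line):
            groups[m[1]][m[2]] = m[3]
    return acls, pools, inside_nets, groups


def check_group(text, group):
    """Return the three mismatch lists for one vpngroup (empty lists = clean)."""
    acls, pools, inside_nets, groups = parse_config(text)
    settings = groups[group]
    first, last = pools[settings["address-pool"]]
    entries = acls[settings["split-tunnel"]]

    # An ACL source that overlaps the pool breaks the return path to clients.
    pool_overlap = [str(src) for src, _ in entries
                    if src.network_address <= last and first <= src.broadcast_address]
    # Every destination must cover the whole pool or some clients get no match.
    dst_not_covering_pool = [str(dst) for _, dst in entries
                             if first not in dst or last not in dst]
    # Inside networks the ACL does not list are sent in the clear by the client.
    not_in_split_tunnel = sorted({str(n) for n in inside_nets
                                  if not any(n.subnet_of(src) for src, _ in entries)})
    return {"pool_overlap": pool_overlap,
            "dst_not_covering_pool": dst_not_covering_pool,
            "not_in_split_tunnel": not_in_split_tunnel}


if __name__ == "__main__":
    for name, problems in check_group(SAMPLE_CONFIG, "vpnuser1").items():
        print(f"{name}: {problems or 'none'}")
```

Run against the posted lines, the pool and destination checks come back clean, but 204.112.91.0/24 is routed toward the inside without appearing in ACL 101, so a client with split tunnelling enabled would reach it outside the tunnel (or not at all). That is the kind of gap worth closing before debugging anything else in the crypto or NAT path.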
07-25-2002 03:03 PM
Try doing:
no crypto map mymap interface outside
no isakmp enable outside
then:
crypto map mymap interface outside
isakmp enable outside
and connect again.
Whenever you change the IPsec parameters or access-lists on the PIX, you should disable the crypto map before making the changes, then re-enable it for the change to take effect.
Regards,
07-26-2002 11:09 AM
We have tried your suggestion but still have the same problem.
When split-tunnel is enabled, we cannot ping or access devices on the internal networks. When we query our client network configuration we see that our DNS server is the internal one. When we try to browse the internet (split-tunnel enabled), we cannot access sites by name. We can ping external IP addresses but cannot bring up HTTP pages.
Any ideas?