PIX506 with 6.1(2) and VPN Client 3.5x cannot get split-tunnel to work


Before I add split-tunnel to the config, the VPN client can access the internal network but cannot browse the internet through their proxy. The proxy can be pinged. A route was added for the VPN subnet to point back to the PIX.

When I add split-tunnel, the VPN client can no longer access the internal network!!!

I have placed the configuration here for review. I have reviewed it against examples and cannot see where I went wrong.

Building configuration...
: Saved
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 1J4AUgl4pqf/4txW encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname MRM-PIX
domain-name MRM.MB.CA
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list acl_out permit tcp any host eq 445
!---- access is needed to a number of internal networks
access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1452
mtu inside 1452
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool
pdm history enable
arp timeout 14400
global (outside) 1
nat (inside) 0 access-list 101
nat (inside) 1 0 0
static (inside,outside) netmask 0 0
access-group acl_out in interface outside
route outside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpnuser1 address-pool clientpool
vpngroup vpnuser1 dns-server
vpngroup vpnuser1 wins-server
vpngroup vpnuser1 default-domain MRM.MB.CA
vpngroup vpnuser1 split-tunnel 101
vpngroup vpnuser1 idle-time 1800
vpngroup vpnuser1 password ********
telnet inside
telnet timeout 5
ssh timeout 5
terminal width 80
: end


Cisco Employee

try to do

no crypto map mymap interface outside

no isakmp enable outside

then do

crypto map mymap interface outside

isakmp enable outside

and connect again.

Whenever making changes to the IPsec parameters or access-lists on the PIX, you should disable the crypto map before making the changes and then re-enable it for the change to take effect.


We have tried your suggestion but find that we still have the same problem.

When split-tunnel is enabled, we cannot ping or access devices on the internal networks. When we query our client network configuration we see our DNS is the internal one. When we try to browse the internet (split-tunnel enabled), we cannot access sites by name. We can ping external IP addresses but cannot bring up HTTP pages.

Any ideas?
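The symptoms in the thread (internal networks unreachable once split-tunnel is on, and name resolution failing because the pushed DNS server is internal) all come down to whether the split-tunnel ACL, the nat 0 exemption ACL, the client pool and the dns-server line agree with each other. The script below is an added example, not from the thread or from Cisco: it parses just those PIX 6.x statements from a constructed sample config (all addresses are invented RFC 1918 / RFC 5737 values, not the poster's) and reports the usual mismatches, including a dns-server that falls outside every split-tunnel network. `parse_config`, `lint` and `is_tunnelled` are names chosen here, not PIX commands.

```python
"""Lint a PIX 6.x remote-access VPN config for split-tunnel consistency."""
import ipaddress
import re

# Constructed sample config in the same shape as the thread's (addresses invented).
SAMPLE_CONFIG = """
access-list 101 permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list 101 permit ip 10.2.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list 101 permit ip 10.3.0.0 255.255.255.0 192.168.100.0 255.255.255.0
ip local pool clientpool 192.168.100.1-192.168.100.254
nat (inside) 0 access-list 101
vpngroup vpnuser1 address-pool clientpool
vpngroup vpnuser1 dns-server 10.9.0.53
vpngroup vpnuser1 split-tunnel 101
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
VPNGROUP_RE = re.compile(r"^vpngroup (\S+) (address-pool|dns-server|split-tunnel) (\S+)$")


def parse_config(text):
    """Return a dict with the ACLs, pools, nat 0 ACL name and per-vpngroup settings."""
    cfg = {"acls": {}, "pools": {}, "nat0": None, "vpngroups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            # PIX ACLs use dotted netmasks; ipaddress accepts "addr/netmask" directly.
            cfg["acls"].setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                 ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := NAT0_RE.match(line):
            cfg["nat0"] = m.group(1)
        elif m := VPNGROUP_RE.match(line):
            group, key, value = m.groups()
            cfg["vpngroups"].setdefault(group, {})[key] = value
    return cfg


def is_tunnelled(cfg, group, destination):
    """True if a client in `group` would send `destination` through the tunnel.

    With split tunnelling, the client only routes the *source* networks of the
    split-tunnel ACL into the tunnel; everything else leaves via the local ISP.
    """
    st = cfg["vpngroups"].get(group, {}).get("split-tunnel")
    if st is None:
        return True  # no split tunnelling: all client traffic goes to the PIX
    addr = ipaddress.ip_address(destination)
    return any(addr in src for src, _ in cfg["acls"].get(st, []))


def lint(cfg, group):
    """Return a list of findings for one vpngroup (an empty list means consistent)."""
    findings = []
    g = cfg["vpngroups"].get(group, {})
    st = g.get("split-tunnel")
    if st is None:
        findings.append("no split-tunnel ACL: all client traffic will be tunnelled")
        return findings
    if st not in cfg["acls"]:
        findings.append(f"split-tunnel ACL {st} has no entries")
        return findings
    # The same ACL normally serves both split tunnelling and NAT exemption.
    if cfg["nat0"] != st:
        findings.append(f"nat 0 uses ACL {cfg['nat0']} but split-tunnel uses {st}")
    pool = cfg["pools"].get(g.get("address-pool"))
    if pool is None:
        findings.append("address-pool missing or undefined")
    else:
        # Each entry's destination must cover the client pool, or return traffic
        # is NATed instead of exempted and the internal networks become unreachable.
        for src, dst in cfg["acls"][st]:
            if not (pool[0] in dst and pool[1] in dst):
                findings.append(f"ACL {st} entry {src} -> {dst} does not cover pool")
    # A pushed DNS server that is not inside a tunnelled network cannot be reached
    # by the client once split tunnelling is on, so names stop resolving.
    dns = g.get("dns-server")
    if dns and not is_tunnelled(cfg, group, dns):
        findings.append(f"dns-server {dns} is outside the split-tunnel networks")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for finding in lint(cfg, "vpnuser1") or ["split-tunnel config is consistent"]:
        print(finding)
```

Run it against a real `show run` and the output is a short list of the exact disagreements to fix; on the constructed sample it flags only the DNS server, which is the failure mode the follow-up post describes.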
