cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
266
Views
0
Helpful
2
Replies

PIX506 with 6.1(2) and VPN Client 3.5x can not get split-tunnel to work

jcowtan
Beginner
Beginner

Before I add split-tunnel to the config, VPN client can access internal network but can not browse internet through their proxy. Proxy can be ping'd. Route was added for VPN subnet to point back to PIX.

When I had split-tunnel, VPN client can no longer access internal network!!!

I have placed the configuration here for review. I have reviewed it with examples and can not see where I went wrong.

Building configuration...

: Saved

:

PIX Version 6.1(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 1J4AUgl4pqf/4txW encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname MRM-PIX

domain-name MRM.MB.CA

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list acl_out permit tcp any host 206.45.216.36 eq 445

..

..

!---- access is needed to a number of internal networks

access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.15.0 255.255.255.0

access-list 101 permit ip 204.112.131.0 255.255.255.0 192.168.15.0 255.255.255.0

access-list 101 permit ip 204.112.136.0 255.255.255.0 192.168.15.0 255.255.255.0

access-list 101 permit ip 192.168.160.0 255.255.255.0 192.168.15.0 255.255.255.0

access-list 101 permit ip 192.168.170.0 255.255.255.0 192.168.15.0 255.255.255.0

access-list 101 permit ip 192.168.180.0 255.255.255.0 192.168.15.0 255.255.255.0

pager lines 24

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1452

mtu inside 1452

ip address outside 206.45.216.34 255.255.255.224

ip address inside 10.11.13.1 255.0.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool clientpool 192.168.15.1-192.168.15.24

pdm history enable

arp timeout 14400

global (outside) 1 206.45.216.35

nat (inside) 0 access-list 101

nat (inside) 1 10.12.54.1 255.255.255.255 0 0

static (inside,outside) 206.45.216.36 10.11.41.16 netmask 255.255.255.255 0 0

.

.

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 206.45.216.33 1

route inside 192.168.160.0 255.255.255.0 10.11.11.1 1

route inside 192.168.170.0 255.255.255.0 10.11.11.1 1

route inside 192.168.180.0 255.255.255.0 10.11.11.1 1

route inside 204.112.91.0 255.255.255.0 10.11.11.1 1

route inside 204.112.131.0 255.255.255.0 10.11.11.1 1

route inside 204.112.136.0 255.255.255.0 10.11.11.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup vpnuser1 address-pool clientpool

vpngroup vpnuser1 dns-server 10.11.41.16 10.11.41.2

vpngroup vpnuser1 wins-server 10.11.41.4 204.112.131.100

vpngroup vpnuser1 default-domain MRM.MB.CA

vpngroup vpnuser1 split-tunnel 101

vpngroup vpnuser1 idle-time 1800

vpngroup vpnuser1 password ********

telnet 10.0.0.0 255.0.0.0 inside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:c50fde1b81b8532dfbe1053d998fcc01

: end

[OK]

2 Replies 2

edadios
Cisco Employee
Cisco Employee

try to do

no crypto map mymap interface outside

no isakmp enable outside

then do

crypto map mymap interface outside

isakmp enable outside

and connect again.

Whenever making changes to the ipsec parameters, access-list on the pix, you should disable the crypto map before making the changes then enable it to effect the change.

Regards,

We have tried your suggestion but find that we still have the same problem.

When the split-tunnel is enabled, we can not ping nor access devices on the internal networks. When we querry our client network configuration we see our DNS is the internal one. When we try to browse the internet (split-tunnel enabled), we can not access sites by name. We can ping IP external addresses but can not bring up HTTP pages.

Any ideas?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers