Split-tunnel breaks VPN connectivity

adushey
Level 1

Here's the config

INET------>PIX--10.252.X.X---->IOS ROUTER--10.X.X.X--LAN

First, I had a routing issue, which I corrected on the router, and I was able to ping when I removed the split-tunnel command. Then, when I add the split-tunnel command, ACL 101's networks show up in the client but with no key, and I can no longer ping. I can get to the outside, though.

Any ideas?

PIX Version 6.2(1)
: --- ACL 101: local networks <-> client pool range; used both for NAT exemption and as the split-tunnel list ---
access-list 101 permit ip 10.252.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 101 permit ip 10.1.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 101 permit ip 10.3.0.0 255.255.0.0 10.11.0.0 255.255.0.0
pager lines 24
: --- NAT: traffic matching ACL 101 is exempt (nat 0); the rest of 10/8 is translated under NAT id 1 ---
nat (inside) 0 access-list 101
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
: --- TACACS+ server group "vpn", used below for client (xauth) authentication ---
aaa-server vpn protocol tacacs+
aaa-server vpn (inside) host xxxxx
aaa authentication telnet console other
http server enable
: --- let decrypted IPsec traffic bypass the interface access lists ---
sysopt connection permit-ipsec
no sysopt route dnat
: --- IPsec phase 2: dynamic crypto map for remote-access clients, bound to the outside interface ---
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication vpn
crypto map mymap interface outside
: --- ISAKMP phase 1 policy (pre-shared key, DES, MD5, DH group 2) ---
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
: --- VPN client group: address pool (ip local pool "ippool" not shown), WINS, idle timeout, group password, split-tunnel list ---
vpngroup vpnpix address-pool ippool
vpngroup vpnpix wins-server 10.1.10.11
vpngroup vpnpix idle-time 1800
vpngroup vpnpix password
vpngroup vpnpix split-tunnel 101

3 Replies

rhedwards
Level 1

You might want to try using two access lists: one for the NAT and one for split tunneling. I have found that when using a PIX for VPN, creating multiple access lists works best. Keep 101 for your nat statement, then possibly use 102 for split tunneling.

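As an added example of the two-list layout suggested above (this is not the original poster's configuration or a Cisco reference config; it assumes PIX 6.2 syntax and that 10.11.0.0/16 is the client pool range behind "ippool", as the existing ACL 101 entries imply), the NAT exemption stays on ACL 101 and the split-tunnel list moves to a separate ACL 102. Comment lines use the ":" prefix that PIX itself writes into saved configs.

```cisco
: ACL 101 stays dedicated to NAT exemption (nat 0):
: source = inside networks, destination = VPN client pool.
access-list 101 permit ip 10.252.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 101 permit ip 10.1.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 101 permit ip 10.3.0.0 255.255.0.0 10.11.0.0 255.255.0.0
nat (inside) 0 access-list 101
:
: ACL 102 is the split-tunnel list pushed to the client. It starts out
: identical to 101, but because it is a separate list it can later be
: narrowed or widened without touching the NAT exemption above.
: (10.11.0.0/16 as the pool range is an assumption taken from ACL 101.)
access-list 102 permit ip 10.252.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 102 permit ip 10.1.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 102 permit ip 10.3.0.0 255.255.0.0 10.11.0.0 255.255.0.0
:
: Re-point the group at the new list; the client should now list the
: three 10.x networks as secured routes and leave everything else clear.
vpngroup vpnpix split-tunnel 102
:
: Check: hit counts on 101 should increase for client traffic that is
: exempted from NAT, and the networks shown in the client's route list
: should match the source networks in 102.
show access-list
```

Only the source networks of the split-tunnel ACL are what the client installs as protected routes; the point of the separate list is that the NAT-exempt set and the "interesting traffic" set no longer have to change together.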
rdennis
Level 1

Where is your isakmp key statement?

anavarro
Level 1

Try adding ICMP to the access list.