VPN connection with split tunneling and PAT

j.joe
Level 1

Dear all,

Need your advice. I want to implement a VPN connection from a client PC to a PIX 515. My client PC is using PAT to access the internet, and I want my client PC to be able to access the internet and my VPN at the same time (split-tunnel??).

Must I use VPN Client 3.x with an IPSec configuration on my PIX 515 to make this workable?

5 Replies

cjacinto
Cisco Employee

Split tunnelling could be done, but communicating to a concentrator from behind a PAT device at the moment may not work, as the PIX doesn't support IPSec through NAT as yet; see CSCdv32490. You have to have the PC in front of the PAT device.

jgizel
Level 1

I have this working, but

1. You must use NAT

2. You must use the VPN Client 3.x and configure the VPN group on the pix for split tunnel (e.g. vpngroup mygroup split-tunnel mylist)

That means I cannot use PAT but NAT at the client side? BTW, can you show me your sample PIX configuration? I am having problems here accessing Outlook/Exchange and file sharing.

pdentico
Level 1

Whether you use NAT or PAT seems to be irrelevant. The PIX is the device that doesn't support the NAT or PAT, not the client. I've found that the client will not work behind any type of firewall. I've tried it behind Checkpoint (4.0 & 4.1), several PIXs, and D-Link (home version).

The only thing that seems to work is being behind a "router" doing NAT. It works quite well with the Linksys products and I would assume similar products as well. As long as you only try connecting one PC at a time to the VPN.

And yes you need the split-tunnel command to connect to VPN and Internet.

NAT and PAT currently are relevant. It is true that the limitation is currently the PIX not supporting the client's NAT feature. But I have found the client works fine behind a PIX 5xx running older software and newer software. You have to enable inbound protocol 50 and UDP port 500 from the remote end's IP address.
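The two things the replies rely on, as an added example that is none of the posters' own configuration: a PIX 6.x head end using the `vpngroup ... split-tunnel` ACL jgizel describes, so only corporate traffic enters the tunnel and the client keeps its own internet path, plus the inbound protocol 50 / UDP 500 permits from the last reply for a PIX sitting in front of the client PC. All addresses, names and the group password are assumed placeholders.

```cisco
! Added example, not any poster's own config: PIX 6.x head end with
! split tunnelling for VPN Client 3.x. Addresses, names and the group
! password are constructed placeholders (inside LAN 10.1.1.0/24).

! Address pool handed to VPN clients
ip local pool vpnpool 192.168.100.1-192.168.100.50

! Split-tunnel ACL: only traffic for 10.1.1.0/24 goes through the tunnel;
! everything else leaves the client directly via its own Internet path
access-list split_tunnel permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0

! Exempt inside-to-client traffic from the PIX's own NAT
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! Let decrypted IPSec traffic bypass the outside interface ACL
sysopt connection permit-ipsec

! Phase 1 policy and Phase 2 transform set
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set myset esp-3des esp-sha-hmac

! Dynamic crypto map accepts clients from any source address
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap interface outside

! Group name and pre-shared key must match the VPN Client 3.x profile
vpngroup mygroup address-pool vpnpool
vpngroup mygroup split-tunnel split_tunnel
vpngroup mygroup idle-time 1800
vpngroup mygroup password PLACEHOLDER_GROUP_KEY

! --- Separate PIX in front of the client PC (the case in the last reply) ---
! Permit ESP (IP protocol 50) and ISAKMP (UDP 500) inbound only from
! the remote head end (198.51.100.5) to the client's static mapping.
static (inside,outside) 203.0.113.10 10.2.2.20 netmask 255.255.255.255
access-list outside_in permit 50 host 198.51.100.5 host 203.0.113.10
access-list outside_in permit udp host 198.51.100.5 host 203.0.113.10 eq 500
access-group outside_in in interface outside
```

Restricting the inbound permits to the head end's address keeps the opening as narrow as the last reply suggests; with a pre-NAT-T PIX this still only carries one client per public address.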