PIX ASA 5520 VPN Split-Tunneling problem

Unanswered Question
Jul 30th, 2007
User Badges:

New Site installation of PIX ASA 5520 - Remote VPN clients authenticate and have access to internal network, with IP derived from internal IP pool. When a remote web site requires IP authentication and is added to split tunneling, the user cannot contact the site. Remove the site from split tunneling and they can contact the site, but are refused (IP authentication) because they are not using the tunnel and are therefore, not using an internal network IP, but the IP from their local ISP.

thanks for any help

[email protected]

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
acomiskey Mon, 07/30/2007 - 09:49
User Badges:
  • Green, 3000 points or more

Would nating the remote clients to the outside interface of the ASA get you past the authentication? Where is the server which requires authentication located, inside or outside of ASA?

robertnedved Mon, 07/30/2007 - 10:09
User Badges:

all servers that require IP authentication are OUTSIDE the PIX. Remote user tunnel is into the OUTSIDE interface and with split tunneling the request must return thru the OUTSIDE interface. If they don't use split tunneling the request emminates from their remote PC thru their ISP and successfully reaches the outside host, but the source IP won't authenticate.

I suppose the biggest question I have (lucent background) is where exactly "in the greater scheme of things" does a vpn client reside (ie-the tunnel end point).


purohit_810 Mon, 07/30/2007 - 10:15
User Badges:
  • Silver, 250 points or more

Hi Robert,

You can use below document and troubleshooting mathod.

Still you have problem please give me LOG and configuration:


Dharmesh Purohit

acomiskey Mon, 07/30/2007 - 10:24
User Badges:
  • Green, 3000 points or more

There is another option other than split tunneling. Take a look here...


You can tunnel all traffic and nat the remote clients on the outside of the ASA. Therefore the source address of the request to the server would be from your main site, not the remote site. The .doc is for remote access vpn clients but is the same for lan 2 lan.

robertnedved Tue, 07/31/2007 - 07:11
User Badges:

to all who responded to this: thanks for the suggestions. Turned out adding new :Hair-Pin config:

same-security-traffic permit intra-interface


clicking on asdm vpn setup - Permit communication between vpn peers.....

solved the problem

This allows tunnel traffic to exit the same interface it entered.

thanks again


This Discussion