PIX ASA 5520 VPN Split-Tunneling problem

robertnedved
Level 1

New site installation of PIX ASA 5520. Remote VPN clients authenticate and have access to the internal network, with an IP derived from the internal IP pool. When a remote web site requires IP authentication and is added to split tunneling, the user cannot contact the site. Remove the site from split tunneling and they can contact the site, but are refused (IP authentication) because they are not using the tunnel and are therefore not using an internal network IP, but the IP from their local ISP.

thanks for any help

robert.nedved@noaa.gov

5 Replies

acomiskey
Level 10

Would NATing the remote clients to the outside interface of the ASA get you past the authentication? Where is the server which requires authentication located, inside or outside of the ASA?

All servers that require IP authentication are OUTSIDE the PIX. The remote user tunnel is into the OUTSIDE interface, and with split tunneling the request must return through the OUTSIDE interface. If they don't use split tunneling, the request emanates from their remote PC through their ISP and successfully reaches the outside host, but the source IP won't authenticate.

I suppose the biggest question I have (Lucent background) is where exactly "in the greater scheme of things" a VPN client resides (i.e., the tunnel end point).

thanks

purohit_810
Level 5

Hi Robert,

You can use the document below and its troubleshooting method.

If you still have the problem, please give me the LOG and configuration:

Regards,

Dharmesh Purohit

There is another option other than split tunneling. Take a look here...

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

You can tunnel all traffic and NAT the remote clients on the outside of the ASA. Therefore the source address of the request to the server would be from your main site, not the remote site. The .doc is for remote access VPN clients but is the same for LAN-to-LAN.

robertnedved
Level 1

To all who responded to this: thanks for the suggestions. Turned out adding the new Hair-Pin config:

same-security-traffic permit intra-interface

or

clicking on ASDM VPN setup - Permit communication between VPN peers.....

solved the problem.

This allows tunnel traffic to exit the same interface it entered.

thanks again
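For readers landing on this thread later, here is the full set of ASA statements that implement what the two working answers describe (hairpinning plus NAT of the VPN pool to the outside address, with the external server included in the split-tunnel list). This is an added example, not configuration posted in the thread, and it uses ASA 8.3+ object NAT syntax rather than the 7.x `nat`/`global` syntax of the original poster's era. The pool VPNPOOL (10.10.10.0/24), the inside network 192.168.1.0/24, the external server 203.0.113.10, and the group-policy name RA-POLICY are all assumptions.

```cisco
! Added example, not from the thread. ASA 8.3+ syntax; all names and addresses are assumed.
! Goal: VPN clients reach an Internet host that authenticates by source IP, so their
! traffic must enter the tunnel, leave the ASA again via "outside" (hairpin), and be
! PATed to the ASA's public address on the way out.

! 1. Allow decrypted VPN traffic to leave through the interface it arrived on.
same-security-traffic permit intra-interface

! 2. Address pool handed to remote-access clients (assumed 10.10.10.0/24).
ip local pool VPNPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! 3. PAT the pool to the outside interface address, but only for traffic that both
!    enters and exits on "outside", i.e. the hairpinned flow. Inside-bound VPN traffic
!    does not match this rule and keeps its pool address.
object network VPN-POOL
 subnet 10.10.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

! 4. Identity NAT so inside hosts still see the real pool addresses of VPN clients
!    (a later dynamic rule for INSIDE-NET would otherwise translate replies to the pool).
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL

! 5. Split tunneling that sends the internal network AND the external server
!    (assumed 203.0.113.10) through the tunnel; everything else goes out the client's ISP.
!    Replace "tunnelspecified" with "tunnelall" to hairpin all client traffic instead.
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit host 203.0.113.10
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
```

To check the result without a client connected, run `packet-tracer input outside tcp 10.10.10.5 40000 203.0.113.10 80` on the ASA: the NAT phase should show the source translated to the outside interface address and the final action should be ALLOW. With a client connected, `show xlate` should list a translation from the pool address to the outside address while the client browses the site. On pre-8.3 code the equivalent of step 3 is a `global (outside) 1 interface` entry paired with a `nat (outside) 1 10.10.10.0 255.255.255.0 ...` statement for the pool, as in the Cisco example linked above.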
