Routing issue

Answered Question
Sep 11th, 2007

Good day,

VPN Client issue here. The user authenticates against the firewall (gets an IP from a pool) and can access everything fine and dandy on the directly connected LAN. He goes to access a LAN in another building but can't.

The LAN in the other building is connected by a 100mb LAN extension, so it has a router on the other side.

The router on that side has a route back to the IP pool that is used for the remote users. The weird thing is that from the router in the network he cannot reach, I can ping the IP he has been assigned from the pool.

When I look at the live logs via ASDM I filter for his IP but cannot see any traffic coming in from him to the network he is trying to reach.

When he does a traceroute to the directly connected network it gets there in one hop; however, when he does a traceroute to the network that isn't working, it tries to go out over various gateways on the Internet.

I should point out I'm relatively new to PIX, but the fact that from the network the user can't access I can successfully ping the remote user, but not vice versa, suggests that routing is OK??

Please help!

a.alekseev Tue, 09/11/2007 - 04:12

Check the split-tunneling access-list.

Is the LAN in the other building included in the ACL?

darkbeatzz Tue, 09/11/2007 - 04:33

Thanks for the reply.

How can I check the split tunneling ACL?

Normal users on both networks have problems connecting to each other; it's just the remote client VPN users.

sadcock123 Tue, 09/11/2007 - 06:17

Try putting a route on your PIX firewall for the network that is not directly connected to the router.

For example:

PIX connected LAN is - Router network is The router has a connected interface into the and sends out of Eth1 for example and connected to eth1 is the hence it works. The Client pool is You also have a route on the router for to go out of eth1. You need a route on the PIX anything for go to Eth1 Ip address on the Router.

If this does not make sense let me know.



darkbeatzz Tue, 09/11/2007 - 07:22

Hi Steven,

Thanks for the reply.

I have a route on the PIX already; the weird thing is I can ping the remote VPN client's pool IP address from the LAN that is not directly connected. Could it be something to do with IPsec rules?

darkbeatzz Tue, 09/11/2007 - 09:40

Thanks for the reply.

I have that option configured, however I don't see a rule for on the inside interface which would basically say

allow get to IP permit

Although I can ping the VPN client from network, it doesn't make sense to me that if I was to add this rule all would be well.

What do you think?

Anthony Holloway Tue, 09/11/2007 - 13:59

It sounds like your split tunnel is in need of some help.

If you posted your config it would help but I can probably guess what you have/need.

CLI only:

Look for a section in your group-policy that specifies the split-tunnel-policy and split-tunnel-network-list value.

Set your policy to tunnelspecified and your network-list value to the ACL that defines the split tunnel traffic.

Your split tunnel ACL should look something like this:

access-list 101 standard permit

access-list 101 standard permit

Where is your local LAN that you can access now, and is the LAN in the other building.

darkbeatzz Tue, 09/11/2007 - 14:45

I think you might have it there my friend.

Here is the config from the CLI. There is no access list for the network which the remote VPN client cannot get to.

split-tunnel-policy tunnelspecified

split-tunnel-network-list value 100

access-list 100 extended permit ip

access-list 100 extended permit ip

So tomorrow I will add

access-list 100 extended permit ip

which should do the trick, yeah?

Correct Answer
Anthony Holloway Tue, 09/11/2007 - 16:36

It should. Only I would switch those ACEs to standard instead of extended.

access-list 101 standard permit

darkbeatzz Wed, 09/12/2007 - 02:00

You're a star, that did the job. Just had to add a no-NAT rule as well.

Thanks a mill.
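An added worked example (not any poster's actual config) that pulls the thread's fix together on a PIX/ASA 7.x CLI: the standard split-tunnel ACL Anthony recommends, the tunnelspecified group-policy, and the NAT exemption darkbeatzz found he also needed. The addresses and names (10.1.0.0/16 inside LAN, 10.2.0.0/16 other-building LAN behind the inside router at 10.1.0.2, client pool 192.168.100.0/24, VPNPOOL, SPLIT_TUNNEL, NONAT, REMOTE_USERS) are constructed placeholders, not values from the thread.

```cisco
! Constructed sample addresses; substitute your own networks and names.
! Address pool handed to VPN clients after they authenticate to the firewall
ip local pool VPNPOOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! Route to the other building's LAN via the inside router on the 100mb LAN extension
route inside 10.2.0.0 255.255.0.0 10.1.0.2 1

! Split-tunnel ACL as a standard ACL: list only the internal destination networks
! the client should send through the tunnel. A network missing here is sent out the
! client's own Internet connection instead, which is exactly the traceroute symptom
! the original poster saw (hops through public gateways, nothing in the ASDM logs).
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.2.0.0 255.255.0.0

! NAT exemption (the "no nat" rule): traffic between either LAN and the client pool
! must bypass translation so it enters the tunnel with the real inside addresses.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list NONAT extended permit ip 10.2.0.0 255.255.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Group policy: tunnel only what SPLIT_TUNNEL lists
group-policy REMOTE_USERS internal
group-policy REMOTE_USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Bind the pool and policy to the remote-access tunnel group the clients use
tunnel-group REMOTE_USERS type ipsec-ra
tunnel-group REMOTE_USERS general-attributes
 address-pool VPNPOOL
 default-group-policy REMOTE_USERS

! Verification after a client reconnects:
!   show run group-policy REMOTE_USERS   (policy and ACL name as applied)
!   show access-list SPLIT_TUNNEL        (both LANs present)
!   show crypto ipsec sa                 (encaps/decaps counters rising for the client)
```

Keep the split-tunnel ACL limited to the internal networks remote users actually need; each entry is a route the client host will send into your LAN.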
