split tunnel problem

Answered Question
Oct 2nd, 2007

Hi

I'm trying to enable split tunnelling, but what appears to happen at the moment is that I can access the VPN.

At that point I still have external internet access.

When I actually connect to the server, then I lose internet access.

I've attached my config file to see if someone can spot what is probably an obvious mistake.

Thanks in advance

Suzanne
techsitc10 Tue, 10/02/2007 - 08:46

Hi

I think this isn't a split tunnel problem.

The issue is I can bring up a webpage but not access remote desktop or any other server services. When I look at the VPN stats on the remote connection there are none received, although plenty are being sent.

Thanks

Suzanne

Correct Answer
acomiskey Tue, 10/02/2007 - 08:49

access-list nonat permit ip

nat (inside) 0 access-list nonat

One other thing I noticed is that the VPN pool is part of the inside network. It is not advised to have this configuration. The VPN pool should have a completely different subnet. For example...

ip local pool george4vpn 192.168.20.200-192.168.20.230

access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

nat (inside) 0 access-list nonat

Also, if you want split tunnel then ACL 120 should read...

access-list 120 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

Hope this helps. Please rate helpful posts.

techsitc10 Tue, 10/09/2007 - 01:50

Hi

Thanks for the help, and my apologies for taking so long to say thank you. It was all resolved last week.

Can I ask why you say the VPN pool should be on a completely different subnet? It works, but I'm curious as to why this would be necessary.

Thanks

Suzanne


whisperwind Tue, 10/09/2007 - 05:12

Suzanne, the pool needs to be unique so the firewall knows where to route the packets; you cannot have two identical subnets in existence within a network ~ bad things will happen.
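
A check for the three points raised in this thread (a VPN pool on its own subnet, a nat 0 exemption for inside-to-pool traffic, and a split-tunnel ACL that reaches the pool), written as an added example and not anything posted by Suzanne, acomiskey or whisperwind. The two configs, the inside network 192.168.10.0/24 and the ACL number 120 are constructed from the example in acomiskey's reply; the config lines are parsed with simple regexes rather than a full PIX parser.

```python
import ipaddress
import re
# Constructed sample configs (not the thread's attachment). BEFORE carves the
# VPN pool out of the inside LAN and has no nat 0 exemption; AFTER uses the
# separate 192.168.20.0/24 pool and the ACLs acomiskey suggested.
BEFORE_CFG = """
ip local pool george4vpn 192.168.10.200-192.168.10.230
access-list 120 permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
"""
AFTER_CFG = """
ip local pool george4vpn 192.168.20.200-192.168.20.230
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list 120 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
"""
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")

def check_split_tunnel(cfg, inside="192.168.10.0/24", split_acl="120"):
    """Return problems in a PIX-style remote-access VPN config (inside LAN and
    split-tunnel ACL number are assumptions taken from the thread's example)."""
    inside_net = ipaddress.ip_network(inside)
    pool, acls, nat0 = None, {}, None
    for line in cfg.strip().splitlines():
        if m := POOL_RE.match(line):
            pool = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := ACL_RE.match(line):  # record each entry's destination network
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
            acls.setdefault(m[1], []).append(dst)
        elif m := NAT0_RE.match(line):
            nat0 = m[1]
    if pool is None:
        return ["no ip local pool defined"]

    def covers_pool(acl_name):  # does some entry's destination contain the pool?
        return any(pool[0] in n and pool[1] in n for n in acls.get(acl_name, []))

    problems = []
    # whisperwind's point: a pool inside the LAN means two copies of one subnet
    if pool[0] in inside_net or pool[1] in inside_net:
        problems.append("vpn pool overlaps inside network")
    # inside -> pool traffic must be exempt from NAT via nat (inside) 0
    if nat0 is None or not covers_pool(nat0):
        problems.append("nat 0 acl does not exempt inside->pool traffic")
    # the split-tunnel ACL decides what gets tunnelled; it must reach the pool
    if not covers_pool(split_acl):
        problems.append(f"split tunnel acl {split_acl} does not cover the vpn pool")
    return problems
```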
