split tunnel problem

techsitc10
Level 1

Hi

I'm trying to enable split tunnelling, but what appears to happen at the moment is that I can access the VPN.

At that point I still have external internet access.

When I actually connect to the server, I lose internet access.

I've attached my config file to see if someone can spot what is probably an obvious mistake.

Thanks in advance

suzanne

Accepted Solution

access-list nonat permit ip

nat (inside) 0 access-list nonat

One other thing I noticed is that the vpn pool is part of the inside network. It is not advised to have this configuration. The vpn pool should have a completely different subnet. For example...

ip local pool george4vpn 192.168.20.200-192.168.20.230

access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

nat (inside) 0 access-list nonat

Also, if you want split tunnel then acl 120 should read...

access-list 120 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

Hope this helps. Please rate helpful posts.


4 Replies

techsitc10
Level 1

Hi

I think this isn't a split tunnel problem.

The issue is I can bring up a webpage but not access remote desktop or any other server services. When I look at the vpn stats on the remote connection there are none received although plenty are being sent.

Thanks

Suzanne


Hi

Thanks for the help, and my apologies for taking so long to say thank you. It was all resolved last week.

Can I ask why you say the vpn pool should be on a completely different subnet? It works but I'm curious as to why this would be necessary.

Thanks

Suzanne

Suzanne, the pool needs to be unique so the firewall knows where to route the packets; you cannot have two identical subnets in existence within a network ~ bad things will happen.
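The accepted solution makes two points: the NAT-exemption (nat 0) ACL and the split-tunnel ACL both have to permit inside-to-pool traffic, and the VPN pool must not sit inside the inside subnet, which the last reply explains is a routing problem. The following Python script is an added example, not code from the thread or from Cisco, that checks a pasted PIX/ASA-style configuration for exactly those three conditions before it is deployed. The configuration strings are constructed from the example lines in the thread; the inside subnet 192.168.10.0/24 is an assumption taken from the nonat example, since the original attached config is not on the page, and the overlapping pool in the "bad" sample is constructed to reproduce the mistake being discussed.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample built from the thread's example lines (assumed inside subnet 192.168.10.0/24).
GOOD_CONFIG = """
ip local pool george4vpn 192.168.20.200-192.168.20.230
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list 120 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
"""

# Constructed counter-example: the pool is carved out of the inside network itself.
BAD_CONFIG = """
ip local pool george4vpn 192.168.10.200-192.168.10.230
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list 120 permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)")

Entry = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from PIX/ASA 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text: str):
    """Extract local pools, 'permit ip' ACL entries and the nat 0 ACL name."""
    pools: Dict[str, List[ipaddress.IPv4Network]] = {}
    acls: Dict[str, List[Entry]] = {}
    nat0: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if m := POOL_RE.match(line):
            name, start, end = m.groups()
            # Represent the address range as the minimal set of CIDR blocks.
            pools[name] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(start), ipaddress.ip_address(end)))
        elif m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((_net(src, smask), _net(dst, dmask)))
        elif m := NAT0_RE.match(line):
            nat0 = m.group(1)
    return pools, acls, nat0


def _acl_covers(entries: List[Entry], inside: ipaddress.IPv4Network,
                pool_nets: List[ipaddress.IPv4Network]) -> bool:
    """True if one ACE permits the whole inside subnet to every pool address."""
    return any(inside.subnet_of(src) and all(p.subnet_of(dst) for p in pool_nets)
               for src, dst in entries)


def check_split_tunnel(config: str, inside: str, split_acl: str) -> List[str]:
    """Return a list of findings; an empty list means the three checks passed."""
    findings: List[str] = []
    inside_net = ipaddress.ip_network(inside)
    pools, acls, nat0 = parse_config(config)
    if not pools:
        return ["no 'ip local pool' found"]
    for name, nets in pools.items():
        # 1. The pool must be a distinct subnet, or the firewall cannot route to it.
        if any(n.overlaps(inside_net) for n in nets):
            findings.append(f"pool {name} overlaps inside network {inside_net}")
        # 2. Inside -> pool traffic must be exempt from NAT.
        if nat0 is None:
            findings.append("no 'nat (inside) 0 access-list' (NAT exemption) configured")
        elif not _acl_covers(acls.get(nat0, []), inside_net, nets):
            findings.append(f"nat0 ACL {nat0} does not exempt {inside_net} -> pool {name}")
        # 3. The split-tunnel ACL decides what the client sends through the tunnel.
        if not _acl_covers(acls.get(split_acl, []), inside_net, nets):
            findings.append(f"split-tunnel ACL {split_acl} does not permit {inside_net} -> pool {name}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_split_tunnel(cfg, "192.168.10.0/24", "120") or "OK")
```

The overlap check is the one that catches the problem raised in the last reply: when pool addresses fall inside the connected inside subnet, replies from inside hosts are resolved on the LAN segment rather than routed back into the tunnel, which matches the symptom earlier in the thread of packets being sent but none received. The parser only understands the `permit ip <net> <mask> <net> <mask>` form shown in the thread; `any`, host entries or object groups would need additional handling.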
