Reverse Route Injection

Answered Question
Dec 20th, 2007

My PIX firewall is VPN headend device. It is located behind C1721 router. I have to customize VPN remote access without splitting tunnel network. It is work OK if I try to connect from VPN client located between PIX and C1721. If I try to connect from external VPN client located before C1721 then it work without access to internal resources. But it work OK if I use possibility of splitting tunnel network. I switched on possibility of Reverse Route Injection. Help to localize a mistake, please. What is wrong?

Correct Answer by kaachary about 9 years 1 month ago

If you are talking about accessing the Internal LAN behind PIX from the clients, there's no way it will NOT work without split tunnel, if it works with split tunnel.

Could you please paste a n/w diagram and relevant part of PIX and router config.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Loading.
husycisco Mon, 12/24/2007 - 02:24

Hi Andrey

Make sure following exists in firewall config

crrypto isakmp nat-traversal 20

Regards

rezon Mon, 12/24/2007 - 11:42

It exist in my config.

External client can not access to internal resources if I include for group policy the following attributes:

"split-tunnel-policy tunnelall"

"split-tunnel-network-list none".

I should specify - external client receive access to Internet through VPN connection.

Correct Answer
kaachary Tue, 12/25/2007 - 15:15

If you are talking about accessing the Internal LAN behind PIX from the clients, there's no way it will NOT work without split tunnel, if it works with split tunnel.

Could you please paste a n/w diagram and relevant part of PIX and router config.

rezon Wed, 12/26/2007 - 00:29

Please, see PDF-files in attachment.

You will find network diagram and configuration files for Cisco's devices.

rezon Fri, 12/28/2007 - 07:15

Thanks for all. I found the mistake in configuration of C1721.

It was wrong destination port for IPSec over UDP.

Actions

This Discussion