Reverse Route Injection

Answered Question
Dec 20th, 2007
User Badges:

My PIX firewall is VPN headend device. It is located behind C1721 router. I have to customize VPN remote access without splitting tunnel network. It is work OK if I try to connect from VPN client located between PIX and C1721. If I try to connect from external VPN client located before C1721 then it work without access to internal resources. But it work OK if I use possibility of splitting tunnel network. I switched on possibility of Reverse Route Injection. Help to localize a mistake, please. What is wrong?

Correct Answer by kaachary about 9 years 7 months ago

If you are talking about accessing the Internal LAN behind PIX from the clients, there's no way it will NOT work without split tunnel, if it works with split tunnel.

Could you please paste a n/w diagram and relevant part of PIX and router config.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Loading.
husycisco Mon, 12/24/2007 - 02:24
User Badges:
  • Gold, 750 points or more

Hi Andrey

Make sure following exists in firewall config


crrypto isakmp nat-traversal 20


Regards

rezon Mon, 12/24/2007 - 11:42
User Badges:

It exist in my config.

External client can not access to internal resources if I include for group policy the following attributes:

"split-tunnel-policy tunnelall"

"split-tunnel-network-list none".


I should specify - external client receive access to Internet through VPN connection.

Correct Answer
kaachary Tue, 12/25/2007 - 15:15
User Badges:
  • Cisco Employee,

If you are talking about accessing the Internal LAN behind PIX from the clients, there's no way it will NOT work without split tunnel, if it works with split tunnel.

Could you please paste a n/w diagram and relevant part of PIX and router config.

rezon Wed, 12/26/2007 - 00:29
User Badges:

Please, see PDF-files in attachment.

You will find network diagram and configuration files for Cisco's devices.



rezon Fri, 12/28/2007 - 07:15
User Badges:

Thanks for all. I found the mistake in configuration of C1721.

It was wrong destination port for IPSec over UDP.

Actions

This Discussion