Split Tunneling not working PIX?

Unanswered Question
Jan 14th, 2009

No clue why split-tunneling isn't working on this PIX. It appears to be tunneling all traffic. Maybe someone will see something I missed...

Running PIX 6.3(3)

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000-all address-pool vpnpool
vpngroup vpn3000-all dns-server 10.30.30.100
vpngroup vpn3000-all wins-server 10.30.30.100
vpngroup vpn3000-all default-domain crm
vpngroup vpn3000-all split-tunnel TUNNELED_NETWORKS
vpngroup vpn3000-all idle-time 1800
vpngroup vpn3000-all password ********
access-list TUNNELED_NETWORKS permit 10.30.30.0 255.255.255.0

Ivan Martinon Wed, 01/14/2009 - 10:04

Can you go ahead and paste a screenshot of your VPN Client statistics view, particularly the route details section? When connected, right-click on the VPN Client icon, select Statistics and choose the "Route Details" tab. Can you paste that here, please?

mvsheik123 Wed, 01/14/2009 - 10:05

Hi,

Config looks right. Have you tried using the extended ACL?

access-list TUNNELED_NETWORKS permit ip 10.30.30.0 255.255.255.0 any

hth

MS

tylerlucas Wed, 01/14/2009 - 10:46

Hi mvsheik123,

Yes, although I changed it back per your request.

Other additions to config:

vpngroup vpn3000-all split-dns xxxxx.loc

vpngroup vpn3000-all default-domain xxxxx.loc

isakmp policy 10 encryption 3des (was des before)

CURRENT Config:

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000-all address-pool vpnpool
vpngroup vpn3000-all dns-server 10.30.30.100
vpngroup vpn3000-all wins-server 10.30.30.100
vpngroup vpn3000-all default-domain xxxxx.loc
vpngroup vpn3000-all split-tunnel TUNNELED_NETWORKS
vpngroup vpn3000-all split-dns xxxxx.loc
vpngroup vpn3000-all idle-time 1800
vpngroup vpn3000-all password ********
access-list TUNNELED_NETWORKS permit ip 10.30.30.0 255.255.255.0 10.30.31.0 255.255.255.0

mvsheik123 Wed, 01/14/2009 - 10:55

Hi,

"My issue is that I cannot ping or connect to local servers and resources (Exchange, etc)".

This seems to be something to do with routing. Do you have the necessary routes on the firewall pointing to the inside subnets?

Also, do you have the required 'nonat' (nat 0) statements for the traffic...?

hth

MS

tylerlucas Wed, 01/14/2009 - 13:15

Hi mvsheik123,

Thanks for replying again :)

Which firewall are you referring to? The one on my end, or theirs? Both seem to be configured correctly.

I do have my nonat statement:

nat (inside) 0 access-list TUNNELED_NETWORKS

I VPN into many, many different networks from my office and this is the ONLY one that I have any issues with. I have set up most of them myself... Beginning to wonder if this is a hardware issue (even though the symptoms don't really point that direction, yet).

Edit: To be more clear on my issue:

When I am VPN'd into that network, I lose connectivity to my in-house local resources, such as Exchange, etc. I cannot ping servers at my location by IP or name after connecting to this VPN. (But I do have FULL connectivity to the remote location, obviously.)
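The replies above ask three things that can be checked mechanically from the posted lines: which networks the PIX will actually push to the client as secured routes, whether the ACL shared between `split-tunnel` and `nat 0` is sane, and whether one of those networks happens to cover the LAN the client itself sits on (which would produce exactly the symptom described: the remote site is reachable, local servers are not). The script below is an added example written for this page, not code from the thread or from Cisco; the sample config is constructed from the lines posted above, the two client LANs it is run against are hypothetical, and treating an undefined split-tunnel ACL as tunnel-all is an assumption made here for the check, not a documented PIX behaviour.

```python
"""Audit a PIX 6.3 style remote-access fragment for split-tunnel pitfalls.
Added example for this thread, not the poster's or Cisco's code."""
import ipaddress
import re

# Constructed sample: the "CURRENT Config" lines from the thread plus the
# nat 0 line posted later. Not a complete PIX configuration.
SAMPLE_CONFIG = """
sysopt connection permit-ipsec
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup vpn3000-all address-pool vpnpool
vpngroup vpn3000-all split-tunnel TUNNELED_NETWORKS
vpngroup vpn3000-all idle-time 1800
access-list TUNNELED_NETWORKS permit ip 10.30.30.0 255.255.255.0 10.30.31.0 255.255.255.0
nat (inside) 0 access-list TUNNELED_NETWORKS
"""

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ah"}
ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_addr(tokens, i):
    """Consume one PIX address spec at tokens[i]: any | host A | A MASK."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(action, rest):
    """Parse what follows permit/deny. Accepts the bare 'A MASK' form from the
    original post as well as the extended 'ip SRC MASK DST MASK' form."""
    tokens = rest.split()
    proto, i = "ip", 0
    if tokens[0] in PROTOCOLS:
        proto, i = tokens[0], 1
    src, i = _take_addr(tokens, i)
    dst = None
    if i < len(tokens):
        dst, i = _take_addr(tokens, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def parse_config(text):
    """Collect vpngroup attributes, access-lists, nat 0 bindings and ISAKMP
    policy settings from PIX 6.3 style lines; everything else is ignored."""
    vpngroups, acls, nonat, isakmp = {}, {}, {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"vpngroup (\S+) (\S+)\s*(.*)", line):
            vpngroups.setdefault(m[1], {})[m[2]] = m[3]
        elif m := re.match(r"access-list (\S+) (permit|deny) (.+)", line):
            acls.setdefault(m[1], []).append(parse_ace(m[2], m[3]))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nonat[m[1]] = m[2]
        elif m := re.match(r"isakmp policy (\d+) (encryption|hash) (\S+)", line):
            isakmp.setdefault(m[1], {})[m[2]] = m[3]
    return vpngroups, acls, nonat, isakmp


def split_tunnel_networks(vpngroups, acls, group):
    """Networks pushed to a client of `group` as secured routes. PIX/ASA take
    them from the SOURCE side of each permit ACE (the inside network as seen
    from the firewall). None means the client will tunnel everything: no
    split-tunnel attribute, or (assumption made here) an undefined ACL."""
    acl_name = vpngroups.get(group, {}).get("split-tunnel")
    if not acl_name or acl_name not in acls:
        return None
    return [ace["src"] for ace in acls[acl_name] if ace["action"] == "permit"]


def audit(config_text, group, client_lan):
    """Return (tunneled_networks, findings). `client_lan` is the LAN of the
    machine running the VPN client; the firewall config cannot tell you that."""
    vpngroups, acls, nonat, isakmp = parse_config(config_text)
    lan = ipaddress.ip_network(client_lan, strict=False)
    findings = []
    tunneled = split_tunnel_networks(vpngroups, acls, group)
    if tunneled is None:
        findings.append(("tunnel-all", "no usable split-tunnel ACL for " + group))
        tunneled = [ANY]
    else:
        for net in tunneled:
            if net == ANY:
                findings.append(("tunnel-all", "split-tunnel ACE source is 'any'"))
            elif net.overlaps(lan):
                # The secured route covers the client's own LAN, so local
                # traffic goes down the tunnel: the symptom in this thread.
                findings.append(("lan-overlap", f"{net} overlaps client LAN {lan}"))
    for iface, acl_name in nonat.items():
        for ace in acls.get(acl_name, []):
            if ace["action"] == "permit" and ace["dst"] in (None, ANY):
                # nat 0 with destination 'any' exempts ALL traffic from that
                # interface from NAT, not just traffic bound for the VPN pool.
                findings.append(("nat0-too-broad", f"{acl_name} on {iface}: {ace['src']} -> any"))
    for num, pol in isakmp.items():
        if pol.get("encryption") == "des" or pol.get("hash") == "md5":
            findings.append(("weak-ike", f"isakmp policy {num}: {pol}"))
    return tunneled, findings


if __name__ == "__main__":
    # Hypothetical client LANs; the second deliberately collides with the
    # remote network to show what "split tunneling not working" looks like.
    for lan in ("192.168.1.0/24", "10.30.30.0/24"):
        nets, findings = audit(SAMPLE_CONFIG, "vpn3000-all", lan)
        print(lan, [str(n) for n in nets], findings)
```

The list this prints is what the VPN Client's "Route Details" tab should show as secured routes; if the tab shows 0.0.0.0/0 instead, the client is tunnelling everything and the split-tunnel attribute is not taking effect. If the tab matches the list but local servers are still unreachable, compare the list against the client machine's own subnet, since an overlapping route wins over the local interface.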

mvsheik123 Fri, 01/16/2009 - 10:46

Hi Tyler,

In case the issue still exists, post the full config from the PIX where the remote users are terminating.

Also, my understanding here is that you have the PIX configured to accept the remote-access VPN connections, and when users connect successfully they can access the Internet using their local Internet service but are unable to reach your internal servers.

Thanks

MS
