01-14-2009 09:36 AM
No clue why split-tunneling isn't working on this PIX. It appears to be tunneling all traffic. Maybe someone will see something I missed...
Running PIX 6.3(3)
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000-all address-pool vpnpool
vpngroup vpn3000-all dns-server 10.30.30.100
vpngroup vpn3000-all wins-server 10.30.30.100
vpngroup vpn3000-all default-domain crm
vpngroup vpn3000-all split-tunnel TUNNELED_NETWORKS
vpngroup vpn3000-all idle-time 1800
vpngroup vpn3000-all password ********
access-list TUNNELED_NETWORKS permit 10.30.30.0 255.255.255.0
01-14-2009 10:04 AM
Can you go ahead and paste a screenshot of your VPN Client statistics view, in particular the route details section? When connected, right-click the VPN Client icon, select Statistics and choose the "Route Details" tab, then paste that here please.
01-14-2009 10:42 AM
Hi imartino,
http://i66.photobucket.com/albums/h278/tylerlucas/vpnroutes.jpg
This is correct (I think). The remote network is in the 10.30.30.0/24 subnet.
VPN connections receive IPs from a 10.30.31.0/24 pool.
Edit: Changed .jpg mirror
01-14-2009 10:05 AM
Hi,
Config looks right. Have you tried using the extended ACL?
access-list TUNNELED_NETWORKS permit ip 10.30.30.0 255.255.255.0 any
hth
MS
01-14-2009 10:46 AM
Hi mvsheik123,
Yes, although I changed it back per your request.
Other additions to config:
vpngroup vpn3000-all split-dns xxxxx.loc
vpngroup vpn3000-all default-domain xxxxx.loc
isakmp policy 10 encryption 3des (was des before)
CURRENT Config:
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000-all address-pool vpnpool
vpngroup vpn3000-all dns-server 10.30.30.100
vpngroup vpn3000-all wins-server 10.30.30.100
vpngroup vpn3000-all default-domain xxxxx.loc
vpngroup vpn3000-all split-tunnel TUNNELED_NETWORKS
vpngroup vpn3000-all split-dns xxxxx.loc
vpngroup vpn3000-all idle-time 1800
vpngroup vpn3000-all password ********
access-list TUNNELED_NETWORKS permit ip 10.30.30.0 255.255.255.0 10.30.31.0 255.255.255.0
01-14-2009 10:47 AM
Split tunneling seems to be working "some". When browsing the internet, I have the correct public IP (my own).
My issue is that I cannot ping or connect to local servers and resources (Exchange, etc).
Edit: Here is a .jpg of my 'route print'
http://i66.photobucket.com/albums/h278/tylerlucas/routeprint.jpg
01-14-2009 10:55 AM
Hi,
"My issue is that I cannot ping or connect to local servers and resources (Exchange, etc)".
This seems to be something to do with routing. Do you have the necessary routes on the firewall pointing to the inside subnets?
Also, do you have the required 'nonat' (nat 0) statements for the traffic...?
hth
MS
01-14-2009 01:15 PM
Hi mvsheik123,
Thanks for replying again :)
Which firewall are you referring to? The one on my end, or theirs? Both seem to be configured correctly.
I do have my nonat statement:
nat (inside) 0 access-list TUNNELED_NETWORKS
I VPN into many, many different networks from my office and this is the ONLY one that I have any issues with. I have set up most of them myself... Beginning to wonder if this is a hardware issue (even though the symptoms don't really point that direction, yet).
Edit: To be more clear on my issue:
When I am VPN'd into that network, I lose connectivity to my in-house local resources, such as Exchange, etc. I cannot ping servers at my location by IP or name after connecting to this VPN. (But I do have FULL connectivity to the remote location, obviously.)
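Added example, not part of the thread: a small Python checker that reads the PIX 6.3 lines posted above (the vpngroup split-tunnel reference, the ACL and the nat 0 statement) and works out what the PIX would push to the VPN Client as secured routes, whether the nonat ACL covers the address pool, and whether any pushed route overlaps the client's own LAN. On PIX 6.3 the source network of each ACE in the split-tunnel ACL is what becomes a secured route on the client. The `ip local pool vpnpool 10.30.31.1-10.30.31.254` line is an assumption based on the pool description in the thread (the actual pool command was never posted), and the client LAN values are constructed test inputs, not anything the poster reported.

```python
"""Sanity-check PIX 6.3 split-tunnel / nonat configuration (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the config lines from the thread plus an assumed 'ip local pool' line.
PIX_CONFIG = """
vpngroup vpn3000-all address-pool vpnpool
vpngroup vpn3000-all split-tunnel TUNNELED_NETWORKS
ip local pool vpnpool 10.30.31.1-10.30.31.254
access-list TUNNELED_NETWORKS permit ip 10.30.30.0 255.255.255.0 10.30.31.0 255.255.255.0
nat (inside) 0 access-list TUNNELED_NETWORKS
"""


@dataclass
class PixConfig:
    acls: dict = field(default_factory=dict)       # acl name -> [(src_net, dst_net or None)]
    split_acl: dict = field(default_factory=dict)  # vpngroup -> split-tunnel acl name
    pool_name: dict = field(default_factory=dict)  # vpngroup -> address-pool name
    pools: dict = field(default_factory=dict)      # pool name -> (first_ip, last_ip)
    nat0_acl: str = ""                             # acl named in 'nat (...) 0 access-list'


def _net(tokens, i):
    """Parse one ACE network spec ('any', 'host A', or 'A MASK'); return (network, tokens consumed)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), 2


def parse_config(text):
    cfg = PixConfig()
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 5 and t[0] == "access-list" and t[2] == "permit":
            # Standard ACEs (no protocol keyword) start the network spec at token 3.
            i = 3 if t[3] in ("any", "host") or t[3][0].isdigit() else 4
            src, n = _net(t, i)
            dst = _net(t, i + n)[0] if len(t) > i + n else None
            cfg.acls.setdefault(t[1], []).append((src, dst))
        elif len(t) >= 4 and t[0] == "vpngroup" and t[2] == "split-tunnel":
            cfg.split_acl[t[1]] = t[3]
        elif len(t) >= 4 and t[0] == "vpngroup" and t[2] == "address-pool":
            cfg.pool_name[t[1]] = t[3]
        elif t[:3] == ["ip", "local", "pool"] and len(t) >= 5:
            first, last = t[4].split("-")
            cfg.pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif len(t) >= 5 and t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg.nat0_acl = t[4]
    return cfg


def pushed_networks(cfg, group):
    """PIX 6.3 pushes the *source* network of each split-tunnel ACE as a secured route."""
    return [src for src, _ in cfg.acls.get(cfg.split_acl.get(group, ""), [])]


def check(cfg, group, client_lan):
    """Return a list of findings for one vpngroup given the client's local LAN (CIDR string)."""
    findings = []
    lan = ipaddress.ip_network(client_lan, strict=False)
    nets = pushed_networks(cfg, group)
    if not nets:
        findings.append("split-tunnel ACL missing or empty: the client will tunnel all traffic")
    for net in nets:
        if net.overlaps(lan):
            findings.append(f"pushed route {net} overlaps client LAN {lan}: local resources become unreachable")
    pool = cfg.pools.get(cfg.pool_name.get(group, ""))
    if not cfg.nat0_acl:
        findings.append("no 'nat (inside) 0 access-list' found: inside replies to VPN clients will be translated")
    elif pool and not any(dst is not None and pool[0] in dst and pool[1] in dst
                          for _, dst in cfg.acls.get(cfg.nat0_acl, [])):
        findings.append(f"nat 0 ACL {cfg.nat0_acl} has no ACE whose destination covers pool {pool[0]}-{pool[1]}")
    return findings


if __name__ == "__main__":
    cfg = parse_config(PIX_CONFIG)
    print("secured routes pushed:", [str(n) for n in pushed_networks(cfg, "vpn3000-all")])
    for lan in ("192.168.1.0/24", "10.30.30.0/24"):   # constructed client LANs
        print(lan, "->", check(cfg, "vpn3000-all", lan) or "no findings")
```

The overlap check is the generalisation worth keeping: if the client's own LAN shares address space with a pushed secured route, the VPN adapter's more specific or equally specific route wins and local servers stop answering, which matches the symptom described above whether or not that is the cause here. Run it against the real pool command and the client's `route print` subnet rather than the assumed values.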
01-16-2009 10:46 AM
Hi Tyler,
In case the issue still exists, post the full config from the PIX where the remote users terminate.
Also, my understanding here is that you have the PIX configured to accept the remote access VPN connections, and when users connect successfully they can access the Internet using their local Internet service but are unable to reach your internal servers.
Thanks
MS