Split Tunneling not working PIX?

tylerlucas
Level 1

No clue why split-tunneling isn't working on this PIX. It appears to be tunneling all traffic. Maybe someone will see something I missed...

Running PIX 6.3(3)

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpn3000-all address-pool vpnpool

vpngroup vpn3000-all dns-server 10.30.30.100

vpngroup vpn3000-all wins-server 10.30.30.100

vpngroup vpn3000-all default-domain crm

vpngroup vpn3000-all split-tunnel TUNNELED_NETWORKS

vpngroup vpn3000-all idle-time 1800

vpngroup vpn3000-all password ********

access-list TUNNELED_NETWORKS permit 10.30.30.0 255.255.255.0

8 Replies

Ivan Martinon
Level 7

Can you go ahead and paste a screenshot of your VPN Client statistics view, in particular the route details section? When connected, right-click the VPN Client icon, select Statistics and choose the "Route Details" tab. Can you paste that here, please?

Hi imartino,

http://i66.photobucket.com/albums/h278/tylerlucas/vpnroutes.jpg

This is correct (I think). The remote network is in the 10.30.30.0/24 subnet.

VPN connections receive IP's from a 10.30.31.0/24 pool.

Edit: Changed .jpg mirror

mvsheik123
Level 7

Hi,

Config looks right. Have you tried using the extended ACL?

access-list TUNNELED_NETWORKS permit ip 10.30.30.0 255.255.255.0 any

hth

MS

Hi mvsheik123,

Yes, although I changed it back per your request.

Other additions to config:

vpngroup vpn3000-all split-dns xxxxx.loc

vpngroup vpn3000-all default-domain xxxxx.loc

isakmp policy 10 encryption 3des (was des before)

CURRENT Config:

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp nat-traversal 10

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpn3000-all address-pool vpnpool

vpngroup vpn3000-all dns-server 10.30.30.100

vpngroup vpn3000-all wins-server 10.30.30.100

vpngroup vpn3000-all default-domain xxxxx.loc

vpngroup vpn3000-all split-tunnel TUNNELED_NETWORKS

vpngroup vpn3000-all split-dns xxxxx.loc

vpngroup vpn3000-all idle-time 1800

vpngroup vpn3000-all password ********

access-list TUNNELED_NETWORKS permit ip 10.30.30.0 255.255.255.0 10.30.31.0 255.255.255.0

tylerlucas
Level 1

Split tunneling seems to be working "some". When browsing the internet, I have the correct public IP (my own).

My issue is that I cannot ping or connect to local servers and resources (Exchange, etc).

Edit: Here is a .jpg of my 'route print'

http://i66.photobucket.com/albums/h278/tylerlucas/routeprint.jpg

Hi,

"My issue is that I cannot ping or connect to local servers and resources (Exchange, etc)".

This seems to be something to do with routing. Do you have the necessary routes on the firewall pointing to the inside subnets?

Also, do you have the required 'nonat' (nat 0) statements for the traffic...?

hth

MS

Hi mvsheik123,

Thanks for replying again :)

Which firewall are you referring to? The one on my end, or theirs? Both seem to be configured correctly.

I do have my nonat statement:

nat (inside) 0 access-list TUNNELED_NETWORKS

I VPN into many, many different networks from my office and this is the ONLY one that I have any issues with. I have set up most of them myself... Beginning to wonder if this is a hardware issue (even though the symptoms don't really point that direction, yet).

Edit: To be more clear on my issue:

When I am VPN'd into that network, I lose connectivity to my in-house local resources, such as Exchange, etc. I cannot ping servers at my location by IP or name after connecting to this VPN. (But I do have FULL connectivity to the remote location, obviously.)
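The two things the thread keeps circling back to are the split-tunnel ACL (the config posted above) and the nonat statement (`nat (inside) 0 access-list TUNNELED_NETWORKS`). The script below is an added example, not code from the thread or from Cisco: it parses those PIX 6.3 config lines, derives the networks the VPN client will route through the tunnel, and runs the checks a reviewer would want, namely that the nat 0 ACL exempts inside-to-pool traffic from NAT and that neither a tunneled network nor the address pool overlaps the client's own LAN (the usual reason a client loses its local resources while connected). The `ip local pool` line is constructed from the poster's statement that clients get 10.30.31.0/24 addresses, and the client LANs passed to `check()` are hypothetical; the thread never states the poster's local subnet.

```python
"""Consistency checks for a PIX 6.3 split-tunnel (vpngroup) configuration.

Added example. Parses the relevant config lines, derives the networks the
VPN client will route through the tunnel, and checks the two things that
most often break such a setup: the nat 0 (nonat) ACL not exempting
inside-to-pool traffic, and a tunneled network or the address pool
overlapping the client's own LAN.
"""
import ipaddress

# Constructed sample: the lines from the thread, plus an "ip local pool" line
# for the 10.30.31.0/24 pool the poster describes (assumed, not posted).
SAMPLE_CONFIG = """\
vpngroup vpn3000-all address-pool vpnpool
vpngroup vpn3000-all split-tunnel TUNNELED_NETWORKS
ip local pool vpnpool 10.30.31.1-10.30.31.254
nat (inside) 0 access-list TUNNELED_NETWORKS
access-list TUNNELED_NETWORKS permit ip 10.30.30.0 255.255.255.0 10.30.31.0 255.255.255.0
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def take_net(tokens):
    """Consume one address spec (any | host A | NET MASK) from an ACE."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_ace(tokens):
    """Return (src, dst) for a permit ACE; dst is None for a standard ACE."""
    rest = tokens[tokens.index("permit") + 1:]
    if rest[0] == "ip":                      # extended: permit ip SRC DST
        src, rest = take_net(rest[1:])
        dst, _ = take_net(rest)
        return src, dst
    src, _ = take_net(rest)                  # standard: permit NET MASK
    return src, None


def parse_config(text):
    """Pick out the vpngroup, pool, nat 0 and access-list lines we need."""
    cfg = {"split_acl": None, "pool_name": None, "pools": {},
           "nonat_acl": None, "acls": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "vpngroup" and t[2] == "split-tunnel":
            cfg["split_acl"] = t[3]
        elif t[0] == "vpngroup" and t[2] == "address-pool":
            cfg["pool_name"] = t[3]
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "nat" and len(t) > 4 and t[2] == "0" and t[3] == "access-list":
            cfg["nonat_acl"] = t[4]
        elif t[0] == "access-list" and "permit" in t:
            cfg["acls"].setdefault(t[1], []).append(parse_ace(t))
    return cfg


def pool_network(cfg):
    """Smallest prefix covering the vpngroup's address pool."""
    first, last = cfg["pools"][cfg["pool_name"]]
    net = ipaddress.ip_network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def tunneled_networks(cfg):
    """Networks the client installs as secured routes: the ACE source side."""
    return [src for src, _ in cfg["acls"].get(cfg["split_acl"], [])]


def check(cfg, client_lan):
    """Return a list of findings (empty means the config passes)."""
    client_lan = ipaddress.ip_network(client_lan)
    findings = []
    tunneled = tunneled_networks(cfg)
    if not tunneled:
        findings.append("no usable split-tunnel ACL: client will tunnel all traffic")
    pool = pool_network(cfg)
    nonat = cfg["acls"].get(cfg["nonat_acl"], [])
    for net in tunneled:
        # nat 0 must carry an extended ACE covering inside net -> VPN pool
        exempt = any(dst is not None and net.subnet_of(src) and pool.subnet_of(dst)
                     for src, dst in nonat)
        if not exempt:
            findings.append(f"nat 0 ACL does not exempt {net} -> {pool}; "
                            "replies to VPN clients will be NATed")
        if net.overlaps(client_lan):
            findings.append(f"tunneled network {net} overlaps client LAN {client_lan}; "
                            "local resources become unreachable while connected")
    if pool.overlaps(client_lan):
        findings.append(f"address pool {pool} overlaps client LAN {client_lan}")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("tunneled:", tunneled_networks(cfg), "pool:", pool_network(cfg))
    for lan in ("192.168.1.0/24", "10.30.30.0/24"):   # hypothetical client LANs
        print(lan, check(cfg, lan) or "OK")
```

`tunneled_networks()` mirrors what the Cisco VPN Client shows under Route Details: with a split-tunnel ACL pushed by the PIX, the secured routes are the source networks of the ACEs, so a standard ACL (`permit 10.30.30.0 255.255.255.0`) and an extended one (`permit ip 10.30.30.0 255.255.255.0 10.30.31.0 255.255.255.0`) give the client the same route. The extended form matters for the nat 0 reuse: a standard ACL cannot express inside-to-pool, so the script flags it. Running the sample against a hypothetical client LAN of 192.168.1.0/24 passes, while a client LAN of 10.30.30.0/24 is flagged as overlapping the tunneled network.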

Hi Tyler,

In case the issue still exists, post the full config from the PIX where the remote users are terminating.

Also, my understanding here is: you have the PIX configured to accept the remote-access VPN connections, and when users connect successfully they can access the Internet using their local Internet service but are unable to reach your internal servers.

Thanks

MS
