10-28-2005 04:44 AM - edited 02-21-2020 02:04 PM
I've got a PIX 501 set up as a VPN remote server. I've been passing the DHCP options it's getting from my ISP to its DHCP clients, including the default gateway. I inserted that default route statically, but it didn't help. What am I missing to get the VPN clients access to the Internet as well as to the VPN network without enabling split tunneling? Other than the IP address pool, I don't see where I can pass IP configuration parameters to VPN clients. I've attached my config.
Thank you,
Bill
10-28-2005 07:38 AM
To configure split tunneling, you'll need to create an ACL and apply it to the vpngroup.
e.g.
access-list split permit ip
vpngroup test address-pool vpn
vpngroup test dns-server 68.87.75.194 68.87.64.196
vpngroup test default-domain hsd1.pa.comcast.net
vpngroup test split-tunnel split
vpngroup test idle-time 1800
vpngroup test password ********
Alternatively, if you prefer not to configure split tunneling, one workaround is to deploy a proxy server at the head office; all remote VPN clients then point to the proxy for Internet browsing after the VPN is established.
Another point to note is that the VPN client pool should not be in the same IP scheme as the PIX inside subnet.
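For reference, here is the complete PIX 6.3 remote-access configuration that the answer above sketches. This is an added example, not the poster's attached config or the answerer's own: the split-tunnel ACL is shown with the source (inside network) and destination (client pool) that the snippet above lost, the pool is placed on its own subnet, and the tunnel is exempted from NAT. The inside network 192.168.1.0/24, the pool 192.168.200.0/24, the object names (vpnpool, nonat, dynmap, clientmap, strong) and the ISAKMP/IPsec settings are all assumptions; 3DES and SHA-1 are what a PIX 501 and the Cisco VPN client of that era negotiate, not a recommendation.

```cisco
! Added example (not the poster's config). Assumed addressing:
!   inside network   192.168.1.0/24
!   VPN client pool  192.168.200.1-192.168.200.50
! The pool is deliberately NOT carved out of the inside subnet.
ip local pool vpnpool 192.168.200.1-192.168.200.50

! Split-tunnel ACL: only traffic between the inside network and the
! pool is sent through the tunnel; everything else leaves the client
! directly. Source = what clients may reach, destination = the pool.
! Keep this as narrow as the resources clients actually need.
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0

! Exempt inside-to-pool traffic from NAT so replies come back over
! the tunnel instead of being translated to the outside address.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list nonat

! Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! Phase 1 (ISAKMP) policy for the remote-access clients.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! The outside interface (10.1.10.10 in this thread) sits behind a
! NATing cable modem, so enable NAT traversal (UDP/4500) rather than
! relying on raw ESP/AH being forwarded through the modem.
isakmp nat-traversal 20

! Phase 2: a dynamic crypto map, since client peer addresses are unknown.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap interface outside

! vpngroup: pool, DNS, domain, idle timer and the split-tunnel ACL above.
vpngroup test address-pool vpnpool
vpngroup test dns-server 68.87.75.194 68.87.64.196
vpngroup test default-domain hsd1.pa.comcast.net
vpngroup test split-tunnel split
vpngroup test idle-time 1800
vpngroup test password ********
```

After a client connects, `show crypto isakmp sa` and `show crypto ipsec sa` confirm that phase 1 and phase 2 came up, and `show vpngroup` confirms the ACL is attached to the group; `debug crypto isakmp` is the place to look when a client stalls at "securing communication channel". Two caveats: with split tunneling enabled, the client is on its local network and the corporate network at the same time, so the ACL is also your exposure boundary, which is why the answer offers the proxy as the alternative. That alternative is needed because a PIX running 6.x cannot send a client's Internet traffic back out the same outside interface it arrived on; that hairpin (`same-security-traffic permit intra-interface`) only arrived with 7.x, so without split tunneling the clients' only path to the Internet is something inside the network, such as a proxy.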
11-01-2005 08:20 AM
Thank you, the split tunneling works, but in regard to setting up a different subnet for the VPN clients, after trying that, clients are unable to make a connection. Only after changing the pool to be part of the inside interface are they able to connect. It gets to securing communication channel, and then just disconnects. The new configuration is attached. Keep in mind that I'm forwarding ISAKMP, ESP, and AH traffic from a business cable modem to the outside interface of my PIX, 10.1.10.10.
11-02-2005 02:07 PM
I finally figured out how to do this.