
cannot access Internet when connected to VPN

WILLIAM STEGMAN
Level 4

I've got a PIX 501 set up as a VPN remote server. I've been passing the DHCP options it gets from my ISP to its DHCP clients, including the default gateway. I inserted that default route statically, but it didn't help. What am I missing to get the VPN clients access to the Internet as well as to the VPN network without enabling split tunneling? Other than the IP address pool, I don't see where I can pass IP configuration parameters to VPN clients. I've attached my config.

Thank you,

Bill

Accepted Solution

jackko
Level 7

To configure split tunneling, you'll need to create an ACL and apply it to the vpngroup.

e.g.

access-list split permit ip
vpngroup test address-pool vpn
vpngroup test dns-server 68.87.75.194 68.87.64.196
vpngroup test default-domain hsd1.pa.comcast.net
vpngroup test split-tunnel split
vpngroup test idle-time 1800
vpngroup test password ********

Alternatively, if you'd prefer not to configure split tunneling, one workaround is to deploy a proxy server at the head office; all remote VPN clients then point to the proxy for Internet browsing once the VPN is established.

Another point to note is that the VPN client pool should not be under the same IP scheme as the PIX inside subnet.
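A way to check a PIX 6.x config for the two points this answer makes (the split-tunnel ACL the vpngroup references actually exists, and the client pool does not overlap the inside subnet), written as an added example for this page rather than code from the post; it assumes PIX 6.x line syntax and runs on a constructed sample config, not the poster's attached one:

```python
import ipaddress
import re

# Constructed sample PIX 6.x config fragment (not the poster's attached config).
# The pool sits inside the 192.168.1.0/24 inside subnet, which the answer warns against.
SAMPLE_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpn 192.168.1.200-192.168.1.220
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.1.192 255.255.255.192
vpngroup test address-pool vpn
vpngroup test split-tunnel split
"""

def parse_pix(config):
    """Collect the inside subnet, local pools, ACL names and vpngroup settings."""
    inside, pools, acls, groups = None, {}, set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address inside (\S+) (\S+)$", line):
            inside = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m[1])
        elif m := re.match(r"vpngroup (\S+) (address-pool|split-tunnel) (\S+)$", line):
            groups.setdefault(m[1], {})[m[2]] = m[3]
    return inside, pools, acls, groups

def check_vpngroups(config):
    """Return findings per vpngroup: undefined pool, pool overlapping the
    inside subnet, or a split-tunnel ACL with no access-list lines."""
    inside, pools, acls, groups = parse_pix(config)
    findings = []
    for name, settings in groups.items():
        pool = settings.get("address-pool")
        if pool not in pools:
            findings.append(f"{name}: address-pool {pool!r} is not defined")
        elif inside is not None:
            lo, hi = pools[pool]
            # a pool range may span several prefixes; flag any that touch the inside subnet
            if any(net.overlaps(inside) for net in ipaddress.summarize_address_range(lo, hi)):
                findings.append(f"{name}: pool {lo}-{hi} overlaps inside subnet {inside}")
        acl = settings.get("split-tunnel")
        if acl is not None and acl not in acls:
            findings.append(f"{name}: split-tunnel ACL {acl!r} has no access-list entries")
    return findings

# Corrected fragment: pool on its own subnet, ACL covering inside <-> pool traffic.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "192.168.1.200-192.168.1.220", "192.168.10.1-192.168.10.20"
).replace("192.168.1.192 255.255.255.192", "192.168.10.0 255.255.255.0")

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_vpngroups(cfg) or "no findings")
```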


3 Replies


Thank you, the split tunneling works, but in regard to setting up a different subnet for the VPN clients, after trying that, clients are unable to make a connection. Only after changing the pool to be part of the inside interface are they able to connect. It gets to "securing communication channel" and then just disconnects. The new configuration is attached. Keep in mind that I'm forwarding ISAKMP, ESP, and AH traffic from a business cable modem to the outside interface of my PIX, 10.1.10.10.

I finally figured out how to do this.