We have an ASA that we just set up. We have 4 remote offices that all have DSL connections with DHCP addresses on the outside interfaces. The remote offices are running Pix 501's with either 6.3(4) or 6.3(5). We experience the problem on either IOS image.
The Pix's create the tunnel successfully and can connect to resources on the other end of the tunnel. But the users then cannot connect to their local network and the internet.
I'm pretty sure this is a split-tunnel issue on the head end. But I've been staring at this config for 3 days and I can't figure out where the problem is. I'm hoping another set of eyes can point out the problem.
I have tried adding a static route to the remote Pix to their local ISP's gateway with no luck.
One of the things you said was that users cannot access their own LAN. That bothers me. Especially if the PIX in front of them is establishing the tunnel. Are they not able to ping addresses on their own segment? Where is the client end DNS server located?
Yes, they can ping addresses on their own subnet. They use a DNS server on the tunnel, which is making me think about getting rid of the split tunnel and have them access the internet through the tunnel.
I do not have a config on the spokes because I can't connect to them at the moment (separate problem).
I have the same problem using the VPN Client, so I know it's not on the client end.
They can resolve addresses, but pings do not return responses.
I see connections, but not from the subnet that the VPN Clients are using. Strangely enough, I do see my internal IP (I'm connecting from home), in the connection table. I'd think it'd have at least been NAT'd from my router at home. Weird...