New Member

split tunnel problem

Hi

I'm trying to enable split tunnelling, but what appears to happen at the moment is that I can access the VPN.

At that point I still have external internet access.

When I actually connect to the server then I lose internet access.

I've attached my config file to see if someone can spot what is probably an obvious mistake.

thanks in advance

suzanne

Accepted Solution
Green

Re: split tunnel problem

access-list nonat permit ip

nat (inside) 0 access-list nonat

One other thing I noticed is that the vpn pool is part of the inside network. It is not advised to have this configuration. The vpn pool should have a completely different subnet. For example...

ip local pool george4vpn 192.168.20.200-192.168.20.230

access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

nat (inside) 0 access-list nonat

Also, if you want split tunnel then acl 120 should read...

access-list 120 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

Hope this helps. Please rate helpful posts.

4 REPLIES
New Member

Re: split tunnel problem

Hi

I think this isn't a split tunnel problem.

The issue is I can bring up a webpage but not access remote desktop or any other server services. When I look at the vpn stats on the remote connection there are none received although plenty are being sent.

Thanks

Suzanne

New Member

Re: split tunnel problem

Hi

Thanks for the help, and my apologies for taking so long to say thank you. It was all resolved last week.

Can I ask why you say the vpn pool should be on a completely different subnet? It works but I'm curious as to why this would be necessary.

Thanks

Suzanne

New Member

Re: split tunnel problem

Suzanne, the pool needs to be unique so the firewall knows where to route the packets; you cannot have two identical subnets in existence within a network ~ bad things will happen.
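The accepted answer and the last reply together describe three things to check in a PIX remote-access config: the VPN pool must not overlap a directly connected subnet, the nat 0 (nonat) ACL must exempt inside-to-pool traffic from translation, and the split-tunnel ACL must name the protected inside network rather than permitting everything. The script below is an added example, not code from this thread or from Cisco, that lints a PIX-style config for exactly those three conditions. The two sample configs are constructed for the example: the interface addresses, the `vpngroup ... split-tunnel` line, and the "bad" pool and ACL values are assumptions and are not Suzanne's attached configuration.

```python
"""Lint a PIX-style config for the remote-access VPN mistakes discussed in the thread."""
import ipaddress
import re

# Constructed sample configs (assumptions for this example, not the poster's real file).
GOOD_CONFIG = """
ip address inside 192.168.10.1 255.255.255.0
ip address outside 203.0.113.2 255.255.255.252
ip local pool george4vpn 192.168.20.200-192.168.20.230
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 120 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup george4vpn split-tunnel 120
"""

# Pool carved out of the inside LAN, no nat 0 exemption, split-tunnel ACL permits any.
BAD_CONFIG = """
ip address inside 192.168.10.1 255.255.255.0
ip address outside 203.0.113.2 255.255.255.252
ip local pool george4vpn 192.168.10.200-192.168.10.230
access-list 120 permit ip any any
vpngroup george4vpn split-tunnel 120
"""


def _net(addr, mask):
    """Build a network from a dotted address and a dotted netmask."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _endpoints(tokens):
    """Turn 'any any' / 'A M any' / 'A M B M' into (src_net, dst_net)."""
    nets, i = [], 0
    while i < len(tokens):
        if tokens[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        else:
            nets.append(_net(tokens[i], tokens[i + 1]))
            i += 2
    return nets[0], nets[1]


def parse_config(text):
    """Extract interfaces, pools, 'permit ip' ACL entries and the nat 0 / split-tunnel references."""
    cfg = {"interfaces": {}, "pools": {}, "acls": {}, "nat0_acl": None, "split_acl": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            cfg["interfaces"][m[1]] = _net(m[2], m[3])
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            start, end = ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
            # A pool range is stored as the list of CIDR blocks that exactly cover it.
            cfg["pools"][m[1]] = list(ipaddress.summarize_address_range(start, end))
        elif m := re.match(r"access-list (\S+) permit ip (.+)$", line):
            cfg["acls"].setdefault(m[1], []).append(_endpoints(m[2].split()))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            cfg["nat0_acl"] = m[1]
        elif m := re.match(r"vpngroup \S+ split-tunnel (\S+)$", line):
            cfg["split_acl"] = m[1]
    return cfg


def _covered(inside, pool_nets, entries):
    """True if some ACL entry matches inside -> every block of the pool."""
    if inside is None:
        return False
    return all(any(inside.subnet_of(src) and p.subnet_of(dst) for src, dst in entries)
               for p in pool_nets)


def lint(text):
    """Return a list of findings; an empty list means the three checks all pass."""
    cfg = parse_config(text)
    findings = []
    inside = cfg["interfaces"].get("inside")
    for name, pool_nets in cfg["pools"].items():
        # 1. The pool must not overlap any directly connected subnet (routing ambiguity).
        for ifname, ifnet in cfg["interfaces"].items():
            if any(p.overlaps(ifnet) for p in pool_nets):
                findings.append(f"pool {name} overlaps {ifname} subnet {ifnet}")
        # 2. The nat 0 ACL must exempt inside -> pool traffic from translation.
        if not _covered(inside, pool_nets, cfg["acls"].get(cfg["nat0_acl"], [])):
            findings.append(f"pool {name} is not exempted from NAT by a nat 0 ACL")
        # 3. The split-tunnel ACL must name the inside network, not 'any'.
        split = cfg["acls"].get(cfg["split_acl"], [])
        if not split:
            findings.append("no split-tunnel ACL: all client traffic is tunneled")
        elif any(src.prefixlen == 0 for src, _ in split):
            findings.append("split-tunnel ACL permits any: client internet traffic goes through the tunnel")
        elif not _covered(inside, pool_nets, split):
            findings.append(f"split-tunnel ACL does not cover inside -> pool {name}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint(cfg) or "OK")
```

Running it prints `OK` for the first config and three findings for the second, which is the combination of mistakes the thread warns about: a pool inside the LAN subnet, no nat 0 exemption, and a split-tunnel ACL that tunnels everything (which is what makes the client lose internet access once connected). The `ipaddress` overlap and `subnet_of` checks are what make the "pool must be unique" point concrete: if the pool is a subset of the inside subnet, the firewall has two routes for the same addresses.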
