Cisco Support Community
New Member

EasyVPN pix-to-pix with split-tunnel

I have 2 PIX Firewalls with 6.3(1). On the Office side a vpngroup is defined and the split-tunnel option is configured. The remote PIX 501 can now connect to the Office PIX and the right information is given to the client.

But if split tunnel is configured, the client PIX does no NAT or PAT for my client computer. If I disable this option all works fine, except that internet traffic is also encrypted and no surfing is possible. Any ideas???

show vpnclient (on client side)

vpnclient server XXXX
vpnclient mode client-mode
vpnclient vpngroup ezclient password ********
vpnclient username ezvpn password ********
vpnclient enable

Current Server : X.X.X.X
NAT addr :
Default Domain :
PFS Enabled : No
Secure Unit Authentication Enabled : No
User Authentication Enabled : No
Split Networks :
Backup Servers : None

Cisco Employee

Re: EasyVPN pix-to-pix with split-tunnel

If you're doing split tunnelling with EzVPN client on the PIX, you still need to have a standard nat/global pair defined for the non-encrypted outgoing traffic. Something like:

> global (outside) 1 interface

> nat (inside) 1

The PIX will use this translation for unencrypted traffic, but will encrypt the other traffic as defined by the SAs and the split tunnel list and send it over the tunnel to the EzVPN server.

New Member

Re: EasyVPN pix-to-pix with split-tunnel

The nat statement is in the config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXX

hostname CalltradeHome3

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username cisco password XXXXXXXXX
vpnclient server X.X.X.X
vpnclient mode client-mode
vpnclient vpngroup ezclient password ********
vpnclient username ezvpn password ********
vpnclient enable
terminal width 80

Cisco Employee

Re: EasyVPN pix-to-pix with split-tunnel

The nat statement is incorrect. You have:

> nat (inside) 0

which specifically tells the PIX not to nat the traffic. Change it to:

> nat (inside) 1

and you should be right.
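As an added check (not part of the thread and not a Cisco tool), the Python below encodes the rule from the reply: scan a PIX 6.x configuration for nat/global statements and report when the inside interface has no non-zero nat id paired with a global on the outside interface, which is exactly the `nat (inside) 0 0 0` / `global (outside) 1 interface` mismatch in the posted config. The configurations it runs against are constructed fragments trimmed from the post and from the suggested fix; the `nonat` access-list name in the third fragment is an assumption, used only to show that identity NAT for some hosts alongside a catch-all nat/global pair is a legitimate layout and is not flagged.

```python
"""Audit the nat/global pairing in a PIX 6.x configuration.

Added example (not from the thread). Clear-text traffic from the inside
interface is only translated when some ``nat (inside) N`` with N != 0 has
a matching ``global (outside) N``; ``nat (inside) 0 ...`` is identity NAT
and tells the PIX not to translate the hosts it matches.
"""
import re
from dataclasses import dataclass, field

# "nat (inside) 1 0 0" / "global (outside) 1 interface" -> interface, id, rest
NAT_RE = re.compile(r"^nat\s+\((?P<ifc>\w+)\)\s+(?P<nid>\d+)\b(?P<rest>.*)$")
GLOBAL_RE = re.compile(r"^global\s+\((?P<ifc>\w+)\)\s+(?P<nid>\d+)\b(?P<rest>.*)$")


@dataclass
class NatAudit:
    nats: dict = field(default_factory=dict)      # (interface, id) -> config line
    globals_: dict = field(default_factory=dict)  # (interface, id) -> config line
    findings: list = field(default_factory=list)


def audit_pix_nat(config: str, inside: str = "inside", outside: str = "outside") -> NatAudit:
    """Collect nat/global statements and report pairing problems."""
    audit = NatAudit()
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            audit.nats[(m["ifc"], int(m["nid"]))] = line
        elif m := GLOBAL_RE.match(line):
            audit.globals_[(m["ifc"], int(m["nid"]))] = line

    paired = False
    for (ifc, nid), line in audit.nats.items():
        if ifc != inside or nid == 0:  # nat id 0 never pairs with a global
            continue
        if (outside, nid) in audit.globals_:
            paired = True
        else:
            audit.findings.append(f"'{line}' has no matching 'global ({outside}) {nid} ...'")

    for (ifc, gid), line in audit.globals_.items():
        if ifc == outside and (inside, gid) not in audit.nats:
            audit.findings.append(f"'{line}' is never used: no 'nat ({inside}) {gid} ...' exists")

    if not paired:
        msg = (f"no nat ({inside}) N / global ({outside}) N pair with N != 0: "
               f"clear-text traffic from {inside} leaves untranslated")
        if (inside, 0) in audit.nats:
            msg += f" (only identity NAT: '{audit.nats[(inside, 0)]}')"
        audit.findings.append(msg)
    return audit


def nat_pairing_ok(config: str) -> bool:
    return not audit_pix_nat(config).findings


# Constructed input, trimmed from the configuration posted in the thread.
POSTED_NAT_CONFIG = """
global (outside) 1 interface
nat (inside) 0 0 0
"""

# The correction from the reply: nat id 1 pairs with global id 1.
FIXED_NAT_CONFIG = """
global (outside) 1 interface
nat (inside) 1 0 0
"""

# Constructed: identity NAT for an access-list (name "nonat" is assumed)
# alongside a catch-all pair, a legitimate layout that must not be flagged.
MIXED_NAT_CONFIG = """
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
"""

if __name__ == "__main__":
    for name, cfg in [("posted", POSTED_NAT_CONFIG), ("fixed", FIXED_NAT_CONFIG),
                      ("mixed", MIXED_NAT_CONFIG)]:
        result = audit_pix_nat(cfg)
        print(f"{name}: {'ok' if not result.findings else 'PROBLEM'}")
        for finding in result.findings:
            print("  -", finding)
```

Run against the posted fragment it reports two findings: the `global (outside) 1 interface` line is never used because no `nat (inside) 1` exists, and the only nat statement is identity NAT, so nothing from the inside gets translated. The fixed and mixed fragments pass, which is the distinction a reviewer of a PIX config wants: `nat 0` on its own is a problem for split-tunnel clear-text traffic, `nat 0` next to a paired non-zero nat is not.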
