
Ez-VPN through Internet using PIX 501 and 3640, routing problem.

agiannetto
Level 1

I've tried this configuration: I've connected a PIX 501 (remote office test) and a 3640 (HQ test) using Ez-VPN. All is working fine except for routing; when the IPSec tunnel is up, all traffic passes through the IPSec tunnel.

I don't understand how to route traffic for HQ IP addresses through the IPSec tunnel and all other traffic using the standard Internet connection.

I've tried the route command without success.

---

route outside 0.0.0.0 0.0.0.0 x.x.x.x (internet traffic)

route outside 10.1.1.0 255.255.255.0 y.y.y.y (HQ traffic)

vpnclient vpngroup hwclient password ********

vpnclient username prototype password ********

vpnclient server x.x.x.x

vpnclient mode network-extension-mode

vpnclient enable

Thanks in advance for your help,

Antonio

1 Reply

ddelchev
Level 1

I'm not very sure that I understand what exactly is the Easy VPN Client and what exactly is the Easy VPN Server. So I accept that the PIX is the client and the router is the server.

Let me explain the following about the ideology of Easy VPN. Cisco Easy VPN does not allow the client side to specify what traffic goes into the VPN IPSec tunnel and what bypasses it. I believe this is for security (and architecture) reasons and will not discuss how secure it is.

If you want to specify what traffic should be encrypted and what not, you should use the "split-tunnel" feature at the VPN server, not on the PIX side. Also you should use a Cisco IOS Easy VPN server that supports that feature. You should use the "acl" command in your crypto map configuration.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/ftunity.htm#xtocid24
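The following is an added illustration of the server-side split-tunnel setup the reply describes; it is not configuration from the original poster or from the reply, and it is not Cisco's own documentation example. It assumes the 3640 is the Easy VPN server and the PIX 501 is the hardware client in network-extension mode. The group name "hwclient" and the HQ network 10.1.1.0/24 are taken from the question; the ACL number 150, the address pool, the transform-set, the crypto-map and the list names are assumed names for the example. The "acl 150" line under the group is what tells the client to send only HQ traffic through the tunnel; everything not matched by the ACL leaves the PIX over its normal default route.

```cisco
! Added example: IOS Easy VPN server with split tunneling (assumed names)
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username prototype password 0 <client-user-password>

! Phase 1 policy for the Easy VPN clients
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

! Group policy pushed to the Easy VPN client "hwclient"
! "acl 150" is the split-tunnel list: only networks it permits are tunneled
crypto isakmp client configuration group hwclient
 key <group-pre-shared-key>
 pool ezvpnpool
 acl 150

! Split-tunnel ACL: HQ network 10.1.1.0/24 is the only tunneled destination
access-list 150 permit ip 10.1.1.0 0.0.0.255 any

ip local pool ezvpnpool 192.168.250.1 192.168.250.254

crypto ipsec transform-set ezset esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10
 set transform-set ezset
 reverse-route

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

! Apply the map to the Internet-facing interface of the 3640
interface FastEthernet0/0
 crypto map clientmap
```

With this in place the PIX needs no per-destination "route outside" entry for the HQ network; after the tunnel comes up, "show crypto ipsec sa" on the PIX should show a single SA pair whose remote proxy identity is 10.1.1.0/24 rather than 0.0.0.0/0, which is the quickest way to confirm that the split-tunnel ACL was pushed and that other traffic is going out in the clear.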