Cisco Support Community
New Member

Lost Remote Access to Internal Network after upgrading PIX to 7.0

I upgraded our Cisco 515E PIX box to version 7.0 from 6.3(5) and lost connectivity to our internal servers through a VPN connection. Any ideas as to why or how this happened?


Accepted Solutions
New Member

Re: Lost Remote Access to Internal Network after upgrading PIX t

If you are using split tunneling, this is probably the issue.

The Bug ID is: CSCeh69389

This bug says:

When upgrading a PIX 6.x to 7.0, if split-tunneling is being used for Remote Access clients, then the config conversion process will not convert the split-tunnel list command, because in 6.x the split-tunnel ACL was allowed to be of type 'extended' whereas in 7.0 the ACL must be of type 'standard'.

To resolve the issue, take the extended ACL and manually convert it to a standard ACL, specifying the networks you want encrypted. Once the new ACL is in the config, it must be applied under the group-policy.

EX:

access-list SplitTunnel standard permit 10.1.1.0 255.255.255.0
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel
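
The manual conversion described in the accepted solution, as an added Python example that is not part of the original post and not a Cisco tool: it rewrites only the ACL referenced by a 6.x `vpngroup ... split-tunnel` line as a standard ACL and emits the group-policy lines, leaving every other extended ACL alone. The sample config, the `SplitTunnel_<group>` naming and the reuse of the vpngroup name for the group-policy are assumptions.

```python
import re

# Constructed PIX 6.x fragment for illustration (not from the thread).
SAMPLE_6X = """\
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 101 permit tcp host 10.1.2.5 192.168.50.0 255.255.255.0 eq 3389
access-list outside_in permit tcp any host 203.0.113.10 eq 443
vpngroup RemoteAccess split-tunnel 101
"""

def convert_split_tunnel(config):
    """Return (7.0 config lines, warnings) for the split-tunnel ACLs only."""
    rows = [line.split() for line in config.splitlines() if line.strip()]
    out, warnings = [], []
    for row in rows:
        # Only ACLs named by 'vpngroup <group> split-tunnel <acl>' are converted.
        if len(row) != 4 or row[0] != "vpngroup" or row[2] != "split-tunnel":
            continue
        group, old_acl = row[1], row[3]
        new_acl = f"SplitTunnel_{group}"  # hypothetical naming scheme
        entries = []
        for ace in rows:
            if ace[:2] != ["access-list", old_acl]:
                continue
            rest = ace[3:] if ace[2] == "extended" else ace[2:]
            if rest[0] not in ("permit", "deny"):  # skip remark lines
                continue
            action, proto, src = rest[0], rest[1], rest[2:]
            if src[0] == "any":
                net = "any"
            elif src[0] == "host":
                net = "host " + src[1]
            elif re.fullmatch(r"[\d.]+", src[0]):
                net = f"{src[0]} {src[1]}"
            else:  # e.g. object-group: convert by hand
                warnings.append("manual conversion needed: " + " ".join(ace))
                continue
            if proto != "ip":  # a standard ACL matches networks, not protocols/ports
                warnings.append(f"{proto} match dropped for {net}")
            entry = f"access-list {new_acl} standard {action} {net}"
            if entry not in entries:
                entries.append(entry)
        out += entries + [
            f"group-policy {group} internal",
            f"group-policy {group} attributes",
            " split-tunnel-policy tunnelspecified",
            f" split-tunnel-network-list value {new_acl}",
        ]
    return out, warnings
```

The warnings list marks entries where the standard ACL is broader than the 6.x entry, so those can be reviewed before the config is applied.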

2 REPLIES
New Member

Re: Lost Remote Access to Internal Network after upgrading PIX t

Do I have to convert all my access-list commands that are extended to standard or just the one access-list command that pertains to my VPN?
