PIX 515 E 6.0

ramesys12 · ‎08-01-2006

I was scheduled onsite to configure a client-to-site vpn connection.

I of course used the wizard :( and I got confused in the last bit as my concepts were not very clear.

It is all to do with "split tunneling" option and the NAT option.

*****************************

Of course the VPN did work fine with xauth tunred on pointing to the local database. But the issues experienced are as follows:

1) The VPN client could not ping any internal servers.

2) The DHCP pool i.e. subnet mask on the client was defaulting to 255.0.0.0 and the ip address was from teh correct vpn-pool range i.e. 10.250.1.2 ( the site admin would want the subnet mask to be 255.255.255.0 )

3) The user could not access the internet without pointing to the office proxy server neither could I access any home pritners.

All the client test were carried out from a different lan which simulates a home network for all mobile users i.e. even a independant ISP cable line with linksys router installed.

Can anyone please advise me on this.

cheers

mmorris11 · ‎08-01-2006

DId you add the mask keyword at the end of your pool like so: ip local pool VPN x.x.x.x-x.x.x.x.x mask 255.255.255.0

or whatever you want the mask to be? I assume that your problems are related to this.

HTH

rldavisivadlr · ‎08-01-2006

Split tunneling tells the VPN client what internal network is on the other side of the tunnel.

ex. If your internal network is 10.250.1.2 255.255.255.0, you would add that in your split tunnel definition in the GUI.

To correct your subnet mistake on the VPN pool, you will have to delete the VPN configuration and run the wizard again. Make sure and delete the Policy related to the Client to Site VPN, then delete the IPSEC rule.

Apply this, and it will then let you edit the VPN-Pool. Correct your subnet, and you can specify this pool in the wizard when you reconfigure the VPN.

ramesys12 · ‎08-02-2006

Would I be correct in saying that is the reason why I could not ping once the vpn session was up?

I did not get prompted for the subnet in the VPN Wizard to be honest.

Is there some Cisco document on split tuneling which will explain this with detailed explaination will be of a great help....

cheers

mmorris11 · ‎08-02-2006

This is a great guide for the PDM gui:

http://www.cisco.com/application/pdf/en/us/guest/products/ps2032/c1626/ccmigration_09186a00804ec67b.pdf

You will find everything in this guide for command line configuration:

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_book09186a0080172852.html

ramesys12 · ‎08-04-2006

Thanky you so much for the previous links but it still does not answer the confusion I have with why I could not ping the internal servers after successfull connection.

adn split tunneling of course :(

cheers