PIX 515 split tunnel

I just figured this out yesterday and figured I'd share it because I've seen similar problems posted before.

I'm using a PIX515E with OS 6.3(4) and VPN client 4.6 to connect to our corporate site via dynamic VPN.

The problem was that even though I added the split-tunnel to the vpngroup, it still didn't work.

Assume the VPN ip pool is 192.168.0.0/24 and you have two networks on the inside: 192.168.1.0/24 and 192.168.2.0/24. Additionally, you have access-list NoNat nailed to nat 0 inside.

If the access-list is defined thus:

access-list NoNat permit ip any 192.168.0.0 255.255.255.0

and you enable split tunnel in the vpngroup, it won't work.

However, if you redefine the access list like so:

access-list NoNat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list NoNat permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

and add

vpngroup GROUPNAME split-tunnel NoNat

the split tunnel will work.

Evidently the internal networks need to be explicitly defined for split tunnel to work.
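An added check, not from the original post: it parses the access-list and vpngroup lines as written in the post and flags a split-tunnel ACL whose source is "any" or whose destination does not cover the client address pool. The two sample configs are constructed from the post's "before" and "after" versions; the pool 192.168.0.0/24 is the one the post assumes.

```python
import ipaddress

# Constructed samples modelled on the post: BEFORE uses "any" as the source,
# AFTER lists each inside network explicitly.
BEFORE = """
access-list NoNat permit ip any 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NoNat
vpngroup GROUPNAME split-tunnel NoNat
"""
AFTER = """
access-list NoNat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NoNat permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NoNat
vpngroup GROUPNAME split-tunnel NoNat
"""


def _addr(tokens, i):
    """Parse one PIX address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def check_split_tunnel(config, vpn_pool):
    """Return findings for the ACL named by 'vpngroup ... split-tunnel'."""
    pool = ipaddress.ip_network(vpn_pool)
    acls, findings, split_acl = {}, [], None
    for line in config.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["vpngroup"] and "split-tunnel" in t:
            split_acl = t[t.index("split-tunnel") + 1]
    if split_acl is None:
        return ["no vpngroup split-tunnel statement found"]
    for src, dst in acls.get(split_acl, []):
        # The source side is the inside network the client is told to tunnel;
        # the post reports that "any" here breaks split tunnelling.
        if src.prefixlen == 0:
            findings.append(f"{split_acl}: source 'any' is not an explicit inside network")
        # The destination side should be the address pool handed to VPN clients.
        if not pool.subnet_of(dst):
            findings.append(f"{split_acl}: destination {dst} does not cover pool {pool}")
    return findings


if __name__ == "__main__":
    print(check_split_tunnel(BEFORE, "192.168.0.0/24"))
    print(check_split_tunnel(AFTER, "192.168.0.0/24"))
```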
