11-18-2006 07:31 AM - edited 02-21-2020 01:18 AM
I just figured this out yesterday and figured I'd share it because I've seen similar problems posted before.
I'm using a PIX515E with OS 6.3(4) and VPN client 4.6 to connect to our corporate site via dynamic VPN.
The problem was that even though I added the split-tunnel to the vpngroup, it still didn't work.
Assume the VPN ip pool is 192.168.0.0/24 and you have two networks on the inside: 192.168.1.0/24 and 192.168.2.0/24. Additionally, you have access-list NoNat nailed to nat 0 inside.
If the access-list is defined thus:
access-list NoNat permit ip any 192.168.0.0 255.255.255.0
and you enable split tunnel in the vpngroup, it won't work.
However, if you redefine the access list like so:
access-list NoNat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NoNat permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
and add
vpngroup GROUPNAME split-tunnel NoNat
the split tunnel will work.
Evidently the internal networks need to be explicitly defined for split tunnel to work.
11-18-2006 10:58 AM
Normally, you have to specify specific source & destination address/subnet in your nonat ACL, not keyword 'any'.
This is also reflected in Cisco configuration examples of remote access VPN.
Check the 'nat (inside) 0' and ACL in all of the remote access vpn config example below:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094cea.shtml
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml
Hope this helps. Please rate all useful post(s).
AK
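As an added illustration of the point made in both posts (not code from either poster or from Cisco), here is a small checker that parses PIX 6.x-style `access-list ... permit ip` lines and reports which inside networks a split-tunnel ACL would hand to clients. It assumes, as the thread does, that the source side of each entry must be an explicit inside network and the destination side must cover the VPN pool; the two ACL texts are constructed from the thread and the function names are my own.

```python
import ipaddress
import re

# Constructed sample input: the two NoNat definitions discussed in the thread.
BROKEN_ACL = "access-list NoNat permit ip any 192.168.0.0 255.255.255.0"
FIXED_ACL = """
access-list NoNat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NoNat permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
"""

# PIX 6.x "permit ip" entry: each side is 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)\s*$"
)


def parse_endpoint(token):
    """Map an ACL address token to an ip_network, or the string 'any'."""
    if token == "any":
        return "any"
    if token.startswith("host"):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def split_tunnel_check(acl_text, name, pool):
    """Return (protected, problems): the inside networks the split-tunnel ACL
    would advertise to clients, and the entries that make it unusable for that."""
    pool = ipaddress.ip_network(pool)
    protected, problems = [], []
    for raw in acl_text.strip().splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if not m or m.group("name") != name:
            continue  # other ACLs or non-'permit ip' lines are ignored here
        src, dst = parse_endpoint(m.group("src")), parse_endpoint(m.group("dst"))
        if src == "any":
            problems.append(f"source is 'any', no inside network to advertise: {line}")
            continue
        if dst == "any":
            problems.append(f"destination is 'any' instead of the VPN pool: {line}")
            continue
        if not pool.subnet_of(dst):
            problems.append(f"destination does not cover pool {pool}: {line}")
            continue
        protected.append(str(src))
    return protected, problems
```

Running it on the two ACLs flags the `any` entry and leaves nothing to advertise, while the explicit version yields 192.168.1.0/24 and 192.168.2.0/24 with no problems.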