Cisco Support Community
New Member

PIX VPN and Usb Cable Modem User

Hi, I have a user that connects to our PIX 506e via VPN Client 3.6.1.

The problem is the VPN software connects, but he can't see the remote site or surf the Internet (split-tunnelling is enabled). It all works great on his analogue modem? (This is all on the same system.)

Any help would be most grateful



Re: PIX VPN and Usb Cable Modem User

Sounds like you might have a NAT or firewall problem. VPNs aren't friendly to NAT, PAT, and firewalls because IPSec uses a dedicated protocol (ESP or AH) for traffic. It does not use a TCP or UDP port. Cheap home products frequently don't support stateful inspection for ESP or AH. That would explain it working over dialup and not from behind his cable connection.

If you run PIX 6.3+, it will provide support for IPSec over NAT by doing UDP encapsulation. This is called NAT-traversal and works with most firewalls and NAT devices. The command is:

isakmp nat-traversal


New Member

Re: PIX VPN and Usb Cable Modem User

How is split-tunneling enabled on the VPN client? I have a Cisco VPN Client 3.6.x. It connects to a 515e just fine (via IPSec). However, I can't get to the Internet. I know that I need split tunneling enabled, but I'm not sure where to look. Is the option on the PIX or the client? And where?




Re: PIX VPN and Usb Cable Modem User

You enable it on the firewall by defining an ACL of the traffic you want to traverse the tunnel and then associating it with a vpngroup.

access-list split permit ip any

vpngroup something split-tunnel split

This will cause the VPN client to only send traffic for to the firewall over the VPN tunnel. All other traffic will be sent as normal using the client's default gateway.

This can be seen by looking at the Statistics tab of the VPN client when connected. Only networks in the ACL will be present in the window rather than the network that covers everything.
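As an added check, not code from the thread or from Cisco, the Python script below reads a PIX 6.3-style configuration and reports whether a vpngroup references a split-tunnel ACL that actually exists, whether that ACL is so broad that the client tunnels everything anyway, and whether isakmp nat-traversal is configured for clients behind NAT. The configuration text, the ACL and vpngroup names, and the addresses are constructed for the example.

```python
import re

# Constructed PIX 6.3-style configuration fragment (not from a real device).
SAMPLE_CONFIG = """\
access-list split permit ip 192.168.10.0 255.255.255.0 any
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
vpngroup remote address-pool vpnpool
vpngroup remote split-tunnel split
isakmp enable outside
isakmp nat-traversal 20
"""

def parse_acls(config):
    """Map ACL name -> list of (action, protocol, remaining fields)."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)", line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4).split()))
    return acls

def parse_split_tunnels(config):
    """Map vpngroup name -> the split-tunnel ACL it references."""
    groups = {}
    for line in config.splitlines():
        m = re.match(r"vpngroup\s+(\S+)\s+split-tunnel\s+(\S+)", line.strip())
        if m:
            groups[m.group(1)] = m.group(2)
    return groups

def nat_traversal_enabled(config):
    """True if an 'isakmp nat-traversal' line is present."""
    return any(re.match(r"isakmp\s+nat-traversal", l.strip()) for l in config.splitlines())

def check_split_tunnel(config):
    """Return a list of findings; an empty list means the config matches the advice above."""
    findings = []
    acls = parse_acls(config)
    groups = parse_split_tunnels(config)
    if not groups:
        findings.append("no vpngroup has split-tunnel configured; all client traffic goes over the tunnel")
    for group, acl in groups.items():
        entries = acls.get(acl)
        if not entries:
            findings.append(f"vpngroup {group} references split-tunnel ACL '{acl}' that is not defined")
            continue
        for action, proto, fields in entries:
            # A permit with source 'any' sends everything through the tunnel, defeating the split.
            if action == "permit" and fields and fields[0] == "any":
                findings.append(f"ACL {acl} permits source 'any': the client would tunnel all traffic")
    if not nat_traversal_enabled(config):
        findings.append("isakmp nat-traversal is not configured; clients behind NAT/PAT may fail")
    return findings
```

Run check_split_tunnel() against a config exported with "write terminal"; each finding names the vpngroup or ACL to look at.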
