Split-tunnel breaks VPN connectivity

adushey (Level 1)

Here's the config

INET------>PIX--10.252.X.X---->IOS ROUTER--10.X.X.X--LAN

First I had the routing issue, which I corrected on the router, and I was able to ping when I removed the split-tunnel command. Then, when I add the split-tunnel command, ACL 101's networks show up in the client but with no key, and I can no longer ping. I can get to the outside, though.

Any ideas?

PIX Version 6.2(1)

access-list 101 permit ip 10.252.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 101 permit ip 10.1.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 101 permit ip 10.3.0.0 255.255.0.0 10.11.0.0 255.255.0.0
pager lines 24
nat (inside) 0 access-list 101
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
aaa-server vpn protocol tacacs+
aaa-server vpn (inside) host xxxxx
aaa authentication telnet console other
http server enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication vpn
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnpix address-pool ippool
vpngroup vpnpix wins-server 10.1.10.11
vpngroup vpnpix idle-time 1800
vpngroup vpnpix password
vpngroup vpnpix split-tunnel 101

3 Replies

rhedwards (Level 1)

You might want to try using two access lists, one for the NAT and one for split tunneling. I have found that, using a PIX for VPN, creating multiple access lists works best. Keep 101 for your nat statement, then use 102 possibly for split tunneling.

rdennis (Level 1)

Where is your isakmp key statement?

anavarro (Level 1)

Try adding ICMP to the access list.
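The two points raised by rhedwards (the nat 0 exemption and the split-tunnel list share access-list 101) and rdennis (no isakmp key statement in the posted config) can be checked mechanically before a change window. The following is an added example, not code from the thread or from Cisco: a small Python lint that parses a PIX 6.x config excerpt, finds the ACL referenced by `nat (...) 0 access-list`, the ACL referenced by `vpngroup ... split-tunnel`, and reports when they are the same object, when a NAT-exempt network is missing from the split-tunnel list, or when `isakmp policy ... authentication pre-share` is configured without any `isakmp key` line. `ORIGINAL_CONFIG` is a constructed excerpt of the config posted above (redactions kept); `FIXED_CONFIG` is a constructed variant that applies the replies' suggestions with a separate ACL 102 and `PLACEHOLDER_KEY` standing in for a real pre-shared key. Whether the missing key line is the actual cause of the poster's problem is not something the lint decides; it only surfaces the conditions the replies ask about.

```python
"""Lint a PIX 6.x config excerpt for split-tunnel / nat 0 ACL sharing and a missing isakmp key."""
import ipaddress
import re

# Constructed excerpt of the config posted in the thread (values redacted there stay redacted).
ORIGINAL_CONFIG = """\
access-list 101 permit ip 10.252.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 101 permit ip 10.1.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 101 permit ip 10.3.0.0 255.255.0.0 10.11.0.0 255.255.0.0
nat (inside) 0 access-list 101
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
sysopt connection permit-ipsec
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
vpngroup vpnpix address-pool ippool
vpngroup vpnpix split-tunnel 101
"""

# Constructed variant following the replies: a separate split-tunnel ACL 102 with the same
# networks, and an isakmp key line. PLACEHOLDER_KEY is a placeholder, not a real key.
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    "vpngroup vpnpix split-tunnel 101", "vpngroup vpnpix split-tunnel 102"
) + """\
access-list 102 permit ip 10.252.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 102 permit ip 10.1.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 102 permit ip 10.3.0.0 255.255.0.0 10.11.0.0 255.255.0.0
isakmp key PLACEHOLDER_KEY address 0.0.0.0 netmask 0.0.0.0
"""

ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
SPLIT_RE = re.compile(r"^vpngroup (\S+) split-tunnel (\S+)$")
PRESHARE_RE = re.compile(r"^isakmp policy \d+ authentication pre-share$")


def parse_acls(config):
    """Return {acl_name: [(proto, src_network, dst_network), ...]} from access-list lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, proto, src, smask, dst, dmask = m.groups()
        # PIX lists address + wildcard-free netmask; ipaddress accepts "addr/netmask" directly.
        src_net = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        acls.setdefault(name, []).append((proto, src_net, dst_net))
    return acls


def lint_split_tunnel(config):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    acls = parse_acls(config)
    lines = [l.strip() for l in config.splitlines()]

    nat0_acls = [m.group(1) for l in lines if (m := NAT0_RE.match(l))]
    split_acls = [m.group(2) for l in lines if (m := SPLIT_RE.match(l))]

    for acl in split_acls:
        if acl in nat0_acls:
            findings.append(f"split-tunnel and nat 0 both use access-list {acl}")
        entries = acls.get(acl, [])
        if not entries:
            findings.append(f"split-tunnel access-list {acl} has no entries")
        # Every NAT-exempt network should also be pushed to the client as a tunneled
        # destination; otherwise the client never sends that traffic into the tunnel.
        tunneled = [src for _, src, _ in entries]
        for nat_acl in nat0_acls:
            for _, src, _ in acls.get(nat_acl, []):
                if not any(src.subnet_of(t) for t in tunneled):
                    findings.append(f"{src} is exempt from NAT but not in split-tunnel {acl}")

    uses_preshare = any(PRESHARE_RE.match(l) for l in lines)
    has_key = any(l.startswith("isakmp key ") for l in lines)
    if uses_preshare and not has_key:
        findings.append("isakmp policy uses pre-share but no isakmp key line is present")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_split_tunnel(cfg) or ["no findings"])
```

Run against the posted excerpt it reports the shared ACL 101 and the absent isakmp key line; run against the constructed fixed variant it reports nothing. The third check (NAT-exempt networks missing from the split-tunnel list) is included because splitting the ACLs, as suggested above, makes it possible for the two lists to drift apart later.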
