05-05-2002 02:07 PM - edited 02-21-2020 11:43 AM
Here's the config
INET------>PIX--10.252.X.X---->IOS ROUTER--10.X.X.X--LAN
First I had the routing issue, which I corrected on the router, and I was able to ping when I removed the split tunnel command. Then, when I add the split tunnel command, the ACL 101 networks show up in the client but with no key, and I can no longer ping. I can get to the outside, though.
Any ideas?
PIX Version 6.2(1)
access-list 101 permit ip 10.252.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 101 permit ip 10.1.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 101 permit ip 10.3.0.0 255.255.0.0 10.11.0.0 255.255.0.0
pager lines 24
nat (inside) 0 access-list 101
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
aaa-server vpn protocol tacacs+
aaa-server vpn (inside) host xxxxx
aaa authentication telnet console other
http server enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication vpn
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnpix address-pool ippool
vpngroup vpnpix wins-server 10.1.10.11
vpngroup vpnpix idle-time 1800
vpngroup vpnpix password
vpngroup vpnpix split-tunnel 101
05-08-2002 10:49 AM
You might want to try using two access lists: one for the NAT and one for split tunneling. I have found, using a PIX for VPN, that creating multiple access lists works best. Keep 101 for your NAT statement, then possibly use 102 for split tunneling.
05-09-2002 01:43 PM
Where is your isakmp key statement?
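As an added example (not from any of the posters), a small Python check that reads the PIX 6.2 config posted above and flags the two points raised in the replies: the same ACL (101) serving both the nat 0 statement and the split-tunnel statement, and a pre-share ISAKMP policy with neither an isakmp key nor a vpngroup password value. The config excerpt is constructed from the first post, with the password left blank as it appears there.

```python
# Constructed excerpt of the PIX 6.2 config from the first post (password scrubbed as posted).
PIX_CONFIG = """\
access-list 101 permit ip 10.252.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 101 permit ip 10.1.0.0 255.255.0.0 10.11.0.0 255.255.0.0
nat (inside) 0 access-list 101
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
isakmp policy 10 authentication pre-share
vpngroup vpnpix address-pool ippool
vpngroup vpnpix password
vpngroup vpnpix split-tunnel 101
"""

def parse_config(text):
    """Collect only the statements the two checks below need."""
    facts = {"acls": set(), "nat0_acl": None, "split_acls": {},
             "preshare": False, "isakmp_keys": 0, "group_passwords": {}}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[0] == "access-list":
            facts["acls"].add(parts[1])                      # ACL name/number
        elif line.startswith("nat (inside) 0 access-list "):
            facts["nat0_acl"] = parts[4]                     # ACL exempting VPN traffic from NAT
        elif parts[0] == "vpngroup" and len(parts) >= 3:
            group, keyword = parts[1], parts[2]
            if keyword == "split-tunnel" and len(parts) > 3:
                facts["split_acls"][group] = parts[3]        # ACL pushed to the client
            elif keyword == "password":
                facts["group_passwords"][group] = parts[3] if len(parts) > 3 else ""
        elif parts[0] == "isakmp" and parts[1] == "policy" and parts[-2:] == ["authentication", "pre-share"]:
            facts["preshare"] = True
        elif parts[0] == "isakmp" and parts[1] == "key":
            facts["isakmp_keys"] += 1
    return facts

def lint(text):
    """Return the findings for the points raised in the replies."""
    f = parse_config(text)
    findings = []
    for group, acl in f["split_acls"].items():
        if acl == f["nat0_acl"]:
            findings.append(f"vpngroup {group}: split-tunnel ACL {acl} is also the nat 0 ACL; "
                            f"use a separate ACL so the two can be edited independently")
        if acl not in f["acls"]:
            findings.append(f"vpngroup {group}: split-tunnel ACL {acl} is not defined")
    if f["preshare"] and f["isakmp_keys"] == 0:
        for group, pw in f["group_passwords"].items():
            if not pw:
                findings.append(f"pre-share policy but no isakmp key and vpngroup {group} "
                                f"has no password value (may simply be scrubbed from the post)")
    return findings
```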
05-09-2002 03:00 PM
Try adding ICMP to the access list.