Split-tunnel doesn't work (PIX OS 6.22 and VPN Client 3.6.3)

wellsgz
Level 1

Before I enable split-tunnel, I can properly connect to the internal network, and I can see that both the PIX outside network address and the whole address 0.0.0.0/0.0.0.0 are encrypted (there's a little lock before the address) in the statistics of the VPN dialer.

But when I enable split-tunnel, I can find the networks I want to encrypt in the VPN dialer statistics, but they're not encrypted: there's no lock before them, I can't connect to those addresses, and I can connect to the internet.

I wonder, if the inside network is NATed, can it be put into split-tunnel?

Ex:

ip address inside 10.1.1.1 255.255.240.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list 100
global (inside) 1 66.66.66.66
vpngroup x split-tunnel 100

Can this configuration work?

Thank you very much!

7 Replies

gfullage
Cisco Employee

You didn't include ACL 100 but yeah, what you've shown should be OK.

What kind of NIC are you using to bring up the VPN? There's a bug with using a Sierra Wireless NIC and split tunnelling to the PIX, in that basically it doesn't work and the SAs (the little key next to the network) are never built.

See bug CSCdz51629 (http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl)

The IP pool is:

10.7.1.1-10.7.1.254

ACL 100 is:

access-list 100 permit ip host 10.1.1.250 10.7.1.0 255.255.255.0
access-list 100 deny ip any any

And my NIC is:

Realtek RTL8319 series

I have tried to use an adico NIC, but it doesn't work either...

What if you try it without the "deny ip any any" in the ACL? Maybe that's causing some problems.

There's an implicit "deny everything" at the bottom anyway, but if you actually specify it, it'll probably be sent to the VPN client, and I have no idea what the VPN client would do with a "deny any" split-tunnel list (quite possibly not tunnel anything, which is what you're seeing).
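A small lint for a PIX split-tunnel ACL, added here as an example (not code from the thread or from Cisco): it parses PIX 6.x `access-list` lines, flags a non-contiguous mask, flags an explicit deny entry (the point raised above), and checks that the destination side of each permit covers the `ip local pool` range. The ACL lines and pool are constructed samples modelled on the thread, with one mask deliberately mistyped.

```python
import ipaddress
import re

# Constructed sample modelled on the thread: a split-tunnel ACL with a
# mistyped (non-contiguous) mask and an explicit deny, plus the client pool.
ACL_LINES = [
    "access-list 100 permit ip host 10.1.1.250 10.7.1.0 255.255.250.0",
    "access-list 100 deny ip any any",
]
POOL = "10.7.1.1-10.7.1.254"

# PIX 6.x ACE endpoints: "any", "host A.B.C.D" or "A.B.C.D MASK".
ENDPOINT = r"(any|host \S+|\S+ \S+)"
ACE_RE = re.compile(rf"^access-list (\S+) (permit|deny) ip {ENDPOINT} {ENDPOINT}$")

def parse_endpoint(text):
    """Return (network, None), or (None, problem) when the mask is invalid."""
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0"), None
    if text.startswith("host "):
        return ipaddress.ip_network(text.split()[1] + "/32"), None
    addr, mask = text.split()
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False), None
    except ValueError:
        return None, f"mask {mask} is not a contiguous netmask"

def check_split_tunnel_acl(lines, pool):
    """Lint a split-tunnel ACL: the ACE is written from the PIX side, so the
    source is the network the client tunnels to and the destination must
    cover the client pool. Returns (findings, tunneled_networks)."""
    first, last = (ipaddress.ip_address(a) for a in pool.split("-"))
    findings, tunneled = [], []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            findings.append(f"unparsed: {line}")
            continue
        name, action, src, dst = m.groups()
        if action == "deny":  # the implicit deny already covers this
            findings.append(f"{name}: explicit deny is pushed to the client")
            continue
        src_net, src_err = parse_endpoint(src)
        dst_net, dst_err = parse_endpoint(dst)
        findings += [f"{name}: {e}" for e in (src_err, dst_err) if e]
        if dst_net and not (first in dst_net and last in dst_net):
            findings.append(f"{name}: pool {pool} not covered by {dst_net}")
        if src_net:
            tunneled.append(str(src_net))
    return findings, tunneled
```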

I have tried to make the ACL without "deny ip any any", but it still doesn't work yet~

Here's the show acl result:

access-list 100 permit ip host 10.1.1.250 10.7.1.0 255.255.255.0 (hitcnt=0)
access-list 100 deny ip any any (hitcnt=397977)

All the packets haven't been encrypted >_<

Can you post the whole PIX config so we can see what's going on here? Make sure to xxxxx out your passwords and outside IP address.

Hi all,

I absolutely have the exact same problem described. VPN is not working when Split Tunneling is enabled.

Our PIX Firewall is a 6.2(2) and the VPN Client is 3.6.3(a).

This is our configuration (checked multiple times on Cisco website):

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 Stateful_Failover security99
nameif ethernet3 isa_lan security70
...
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
...
access-list inside_access_in permit .....
access-list inside_access_in deny ip any any
access-list outside_access_in permit tcp ....
access-list outside_access_in permit tcp 172.17.100.0 255.255.255.0 host WEB_SERVER_2 object-group Web_Services
access-list outside_access_in permit tcp 172.17.100.0 255.255.255.0 host NAME_SERVER1 eq domain
access-list outside_access_in permit udp 172.17.100.0 255.255.255.0 host NAME_SERVER1 eq domain
access-list outside_access_in permit tcp 172.17.100.0 255.255.255.0 host NAME_SERVER2 eq domain
access-list outside_access_in permit udp 172.17.100.0 255.255.255.0 host NAME_SERVER2 eq domain
access-list outside_access_in deny ip any any
access-list inside_outbound_nat0_acl permit ip NET_SECURED 255.255.255.0 172.17.100.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip NET_SECURED 255.255.255.0 172.17.100.0 255.255.255.0
access-list VPN_USERS_splitTunnelAcl permit ip NET_SECURED 255.255.255.0 172.17.100.0 255.255.255.0
....
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100basetx
mtu outside 1500
mtu inside 1500
mtu Stateful_Failover 1500
...
ip address outside XXX.XXX.XXX.XXX 255.255.255.0
ip address inside YYY.YYY.YYY.YYY 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool pool_FOR_VPN 172.17.100.1-172.17.100.254
....
arp timeout 14400
global (outside) 1 XXX.XXX.XXX.AAA-XXX.XXX.XXX.BBB netmask 255.255.255.0
global (outside) 1 XXX.XXX.XXX.CCC
global (outside) 3 XXX.XXX.XXX.DDD
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 3 PROXY 255.255.255.255 0 0
nat (inside) 1 NET_SECURED 255.255.0.0 0 0
static (inside,outside) XXX.XXX.XXX.EEE WEB_SERVER_2 netmask 255.255.255.255 0 0
...
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 KKK.KKK.KKK.KKK
....
timeout xlate 5:00:00
timeout conn 5:00:00 half-closed 0:30:00 udp 0:30:00 rpc 0:30:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 4:00:00 absolute
...
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
sysopt noproxyarp Stateful_Failover
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPN_TEST address-pool pool_FOR_VPN
vpngroup VPN_TEST dns-server YYY.YYY.YYY.200 YYY.YYY.YYY.201
vpngroup VPN_TEST split-tunnel VPN_USERS_splitTunnelAcl
vpngroup VPN_TEST idle-time 1800
vpngroup VPN_TEST password ********
....

ANY IDEAS????

Thanks

Nicola

Hi, I think we managed to solve our problem.

We were trying to do the VPN connection using Windows XP Professional and a Remote Access Connection.

If the Remote Access Connection has the "Internet Firewall" Turned On (this feature doesn't exist in Windows 2000 Remote Access), the VPN works fine without the Split Tunnel but does not work with the Split Tunnel (as you said).

Turning off the "Internet Firewall" solves the problem!!! (Advanced Properties of the Remote Access Connection).

Hope it helps

Best regards

Nicola
