Before i enable split-tunnel, i can properly connect the internal network, and i can see both the PIX outside network address and the hole address 0.0.0.0/0.0.0.0 are encrypted (There's a little lock before the address) in the statistics of VPN dialer.
But when i enable split-tunnel, i can find the network i want to encrypt in VPN dialer statistics, but they're not encrypted, there's no a lock before it and i can't connect to those address, and i can connect to internet .
i wonder if the inside network is nated, can i but put into splti-tunnel?
ip address inside 10.1.1.1 255.255.240.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list 100
global (iniside) 1 184.108.40.206
vpngroup x splti-tunnel 100
can these configuration work?
Thank you very much!
You didn't include ACL 100 but yeah, what you've shown should be OK.
What kind of NIC are you using to bring up the VPN. There's a bug with using a Sierra Wireles NIC and split tunnelling to the PIX, in that basically it doesn't work and the SA's (the little key next to the network) are never built.
See bug CSCdz51629 (http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl)
The ip pool is:
acl 100 is:
access-list 100 permit ip host 10.1.1.250 10.7.1.0 255.255.250.0
access-list 100 deny ip any any
Any my NIC is :
Realtek RTL8319 serial
I have tried to use a adico NIC, but it doesn't work either...
What if you try it without the "deny ip any any" in the ACL, maybe that's causing some problems?
There's an implicit "deny everything" at the bottom anyway, but if you actually specify it it'll probably be sent to the VPN client and I have no idea what the VPN client would do with a "deny any" split-tunnel list (quite possibly not tunnel anything, which is what you're seeing).
I have try to make the acl without "deny ip any any"
but it still doesn'y work yet~
here's the show acl result:
access-list 100 permit ip host 10.1.1.250 10.7.1.0 255.255.255.0 (hitcnt=0)
access-list 100 deny ip any any (hitcnt=397977)
all the packet hadn't been encrypt>_<
Can you post the whole PIX config so we can see what's going on here. Make sure to xxxxx out your passwords and outside IP address.
I absolutely have the exact same problem described. VPN is not working when Split Tunneling is enabled.
Our PIX Firewall is a 6.2(2) and VPN Client is 3.6.3(a)
This is our configuration (checked multiple times on Cisco website):
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 Stateful_Failover security99
nameif ethernet3 isa_lan security70
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list inside_access_in permit .....
access-list inside_access_in deny ip any any
access-list outside_access_in permit tcp ....
access-list outside_access_in permit tcp 172.17.100.0 255.255.255.0 host WEB_SERVER_2 object-group Web_Services
access-list outside_access_in permit tcp 172.17.100.0 255.255.255.0 host NAME_SERVER1 eq domain
access-list outside_access_in permit udp 172.17.100.0 255.255.255.0 host NAME_SERVER1 eq domain
access-list outside_access_in permit tcp 172.17.100.0 255.255.255.0 host NAME_SERVER2 eq domain
access-list outside_access_in permit udp 172.17.100.0 255.255.255.0 host NAME_SERVER2 eq domain
access-list outside_access_in deny ip any any
access-list inside_outbound_nat0_acl permit ip NET_SECURED 255.255.255.0 172.17.100.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip NET_SECURED 255.255.255.0 172.17.100.0 255.255.255.0
access-list VPN_USERS_splitTunnelAcl permit ip NET_SECURED 255.255.255.0 172.17.100.0 255.255.255.0
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100basetx
mtu outside 1500
mtu inside 1500
mtu Stateful_Failover 1500
ip address outside XXX.XXX.XXX.XXX 255.255.255.0
ip address inside YYY.YYY.YYY.YYY 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool pool_FOR_VPN 172.17.100.1-172.17.100.254
arp timeout 14400
global (outside) 1 XXX.XXX.XXX.AAA-XXX.XXX.XXX.BBB netmask 255.255.255.0
global (outside) 1 XXX.XXX.XXX.CCC
global (outside) 3 XXX.XXX.XXX.DDD
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 3 PROXY 255.255.255.255 0 0
nat (inside) 1 NET_SECURED 255.255.0.0 0 0
static (inside,outside) XXX.XXX.XXX.EEE WEB_SERVER_2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 KKK.KKK.KKK.KKK
timeout xlate 5:00:00
timeout conn 5:00:00 half-closed 0:30:00 udp 0:30:00 rpc 0:30:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 4:00:00 absolute
sysopt connection permit-ipsec
sysopt noproxyarp inside
sysopt noproxyarp Stateful_Failover
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPN_TEST address-pool pool_FOR_VPN
vpngroup VPN_TEST dns-server YYY.YYY.YYY.200 YYY.YYY.YYY.201
vpngroup VPN_TEST split-tunnel VPN_USERS_splitTunnelAcl
vpngroup VPN_TEST idle-time 1800
vpngroup VPN_TEST password ********
HI, I think we could manage to solve our problem.
We were trying to do the VPN connection using Windows XP Professional and a Remote Access Connection.
If the Remote Access Connection has the "Internet Firewall" Turned On (this feature doesn't exist in Windows 2000 Remote Access), the VPN works fine without the Split Tunnel but does not work with the Split Tunnel (as you said).
Turning off the "Internet Firewall" solves the problem !!! (Advanced Properties of the Remote Access COnnection).
Hope it helps