I am trying to configure Split Tunneling on my Cisco 3005 VPN Concentrator. The concentrator is running IOS version 3.6.7. The remote system I am trying to connect is a WinXP Pro SP1 system running version 3.6.3(A) of the Cisco VPN Client.
As a test, I disconnect my laptop from the network, dial my ISP manually, then establish a VPN connection using the Cisco client. As long as I don't have Split Tunneling turned on (my group is set to tunnel everything), all traffic passes through the tunnel fine.
The moment I switch on split tunneling (by selecting the "Only tunnel networks in the list" option), all tunnel traffic is discarded. In the VPN Client Status > Statistics page, I can see all of my internal networks (that I've defined in a Network List on the 3005) listed under "Secured Routes." Traffic destined for my ISP passes fine, but anything sent over the tunnel shows up as a discarded packet. There are very few encrypts and decrypts, and I would imagine that all of those that I'm seeing are tunnel maintenance packets.
Thanks for your reply. I checked my subnet masks. They appear to be OK. Just to clarify, we have multiple 10.x.x.x internal networks, so I used the following IP/wildcard entry in my Network List:
I wasn't sure what you meant by 'do not use the "vpn client default" option'. Did you mean do not use the default network list? If so, I tried creating a second list and configured my group to use that list, with no improvement.
I noticed one more thing that looks out of place that may be causing this problem. On the General tab of my VPN Client connection status, 'Local LAN access' is showing up as 'Disabled' even though I checked the box next to 'Allow local LAN access' when I set up the VPN connection. Not sure if this is normal or not, but it seems odd to me.
If you have multiple networks, i.e. 10.1.1.0, 10.1.2.0, 10.1.3.0,
it would seem as though defining a mask of 0.255.255.255 would cover them all with no problem, but in my experience I usually define each subnet (yes, tedious, but it works for me). Make sure that the subnet masks defined in the Routing Table on the Concentrator are a mirror of the routes that you define access to using split tunnelling (Monitoring | Routing Table). If your Routing Table has a route to each subnet, I would define the split tunnel list in the same fashion (subnet mask-wise). If this is the case, test by creating a separate Split Tunnel Network List for just one of your subnets, configure a test group to use that list ('Only Tunnel ....'), connect to the VPN and ping a PC on that subnet.
Where I currently work, the VPN clients only need access to one subnet, so that is the only one that IPsec will protect via split tunneling (IPsec mode config only gives access for that subnet, i.e. 10.1.1.0 0.0.0.255).
As far as the "VPN Client Local LAN (Default)" option, it is under Config | Policy Mgmt | Traffic Mgmt | Network Lists. I am also running 3.6; I recently upgraded from 3.1.
Also uncheck the 'Local LAN Access' box and make sure your TCP or UDP port numbers match (on client and Concentrator, if using IPsec over UDP/TCP).
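An added example, not part of this thread or of any Cisco tool: a small Python checker that converts the address/wildcard entries of a 3005-style split-tunnel Network List to prefixes and compares them with the concentrator's routing table, so a broad 0.255.255.255 entry that merely aggregates several per-subnet routes is flagged separately from entries that mirror a route exactly. The network list and routing table below are constructed sample data.

```python
# Added example (not from the thread): does the split-tunnel Network List
# mirror the routing table, as the reply recommends?
import ipaddress


def wildcard_to_network(entry: str) -> ipaddress.IPv4Network:
    """Convert a Cisco 'address wildcard' entry (e.g. '10.1.1.0 0.0.0.255')
    to an IPv4Network (10.1.1.0/24). The wildcard (inverse mask) must be a
    contiguous run of one bits from the right; anything else is rejected."""
    addr, wildcard = entry.split()
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # 2**n - 1 is the only shape a valid wildcard can have
        raise ValueError(f"non-contiguous wildcard mask in entry: {entry}")
    prefix = 32 - wc.bit_length()
    # strict=False tolerates host bits in the address part (normalised away)
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def check_split_tunnel_list(network_list, routing_table):
    """Return {entry: status}. 'mirrors route' = an identical route exists;
    'aggregates N routes' = the entry is broader than the N routing-table
    prefixes it covers (the 0.255.255.255 case discussed above);
    'no matching route' = the concentrator has no route inside the entry."""
    routes = [ipaddress.IPv4Network(r) for r in routing_table]
    result = {}
    for entry in network_list:
        net = wildcard_to_network(entry)
        if net in routes:
            result[entry] = "mirrors route"
            continue
        covered = [r for r in routes if r.subnet_of(net)]
        if covered:
            result[entry] = f"aggregates {len(covered)} routes"
        else:
            result[entry] = "no matching route"
    return result


# Constructed sample data, modelled on the subnets named in the reply.
SAMPLE_NETWORK_LIST = ["10.0.0.0 0.255.255.255", "10.1.1.0 0.0.0.255",
                       "192.168.5.0 0.0.0.255"]
SAMPLE_ROUTING_TABLE = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]

if __name__ == "__main__":
    for entry, status in check_split_tunnel_list(
            SAMPLE_NETWORK_LIST, SAMPLE_ROUTING_TABLE).items():
        print(f"{entry:28} {status}")
```

Entries reported as "aggregates" or "no matching route" are the ones to rewrite per subnet (or to add a route for) before retesting with a single-subnet list as the reply suggests.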