Hi,
I am trying to let the remote pc access the internet via w/o tunneling the traffic to the PIX and tunnel only traffic to the PIX destined for the LANs behind it.
I am confused on the use of the splt tunnel acl and if there is a need for client configuration address initiate command. With the current config, it looks like all traffic is being tunneled. I can access the LANs behind the pix but not the internet.
Below is the relevant config. The client local LAN segments are the 10.81.129.. 10.71.129.. and 10.81.160...
access-list split-tunnel permit ip any 10.0.0.0 255.0.0.0
access-list nonat permit ip 10.81.129.0 255.255.255.0 10.81.161.0 255.255.255.0
access-list nonat permit ip 10.71.129.0 255.255.255.0 10.81.161.0 255.255.255.0
access-list nonat permit ip 10.81.160.0 255.255.255.0 10.81.161.0 255.255.255.0
ip local pool pix-vpnclient-pool 10.81.161.10-10.81.161.254 mask 255.255.255.0
crypto ipsec transform-set 256sha2 esp-aes-256 esp-sha-hmac
crypto dynamic-map vpnclient 200 set transform-set 256sha2
crypto map sfhp 200 ipsec-isakmp dynamic vpnclient
crypto map sfhp interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes-256
isakmp policy 100 hash sha
isakmp policy 100 group 2
isakmp policy 100 lifetime 14400
vpngroup RA1-SFHG address-pool pix-vpnclient-pool
vpngroup RA1-SFHG dns-server 10.81.129.233 10.81.129.234
vpngroup RA1-SFHG wins-server 10.81.129.233
vpngroup RA1-SFHG split-tunnel split-tunnel
vpngroup RA1-SFHG pfs
vpngroup RA1-SFHG idle-time 7700
vpngroup RA1-SFHG password ********
nat (inside) 0 access-list nonat
nat (www) 0 access-list nonat
nat (voip) 0 access-list nonat