Cisco Support Community
Community Member


I have a PIX 515 with three network interfaces (outside, inside and dmz). Also the remote users use VPN Client 3.5 to get to the inside network and internet. Split Tunnel is configured and is working. The VPN client can get to the Inside network fine, use VNC and other applications but cannot use any service on the Dmz network except ping. Meaning cannot open the web server on the Dmz but can ping it. Cannot use VNC etc. to the DMZ but can use it to the Inside. Is my configuration missing something, or can the PIX only split traffic to inside and internet?

Community Member

Re: Split-Tunnel

I got the fix. The access-list name or number used for VPN from the Client to the inside and dmz must be different. Also the access-list applied to the VPN group for Split-Tunnel must be the same as the inside. Example below:

access-list 150 permit ip "inside network" "vpn client pool"

access-list 160 permit ip "dmz network" "vpn client pool"

nat (inside) 0 access-list 150

nat (dmz) 0 access-list 160

vpngroup "name" split-tunnel 150

Community Member

Re: Split-Tunnel

The above solution is not the fix. I can ping the host on the DMZ but I cannot establish any tcp or udp connection. I thought I got the fix but I am wrong. I need urgent input. S.O.S.

Community Member

Re: Split-Tunnel

Actually, you are very close to finding the fix:

Combine 150 and 160 into one access-list and apply it to the inside and dmz interfaces as well as the split-tunnel access-list.

The fix is as below:

access-list 150 permit ip "inside network" "vpn client pool"

access-list 150 permit ip "dmz network" "vpn client pool"

nat (inside) 0 access-list 150

nat (dmz) 0 access-list 150

vpngroup "name" split-tunnel 150

Best Regards,

Community Member

Re: Split-Tunnel

This is the configuration I had. I can ping the host IP on the DMZ but I cannot open any TCP/UDP session like WWW, VNC or TFTP. I can do this with hosts on the INSIDE. The only service from the VPN Client to the DMZ is ICMP Ping.

Community Member

Re: Split-Tunnel

Would you kindly check the access-list applied to the DMZ interface?

If you can ping the host in DMZ, that means something blocks the traffic in the DMZ interface.

If you like, you can upload the PIX config and we will have a check for you.

Best Regards,

Community Member

Re: Split-Tunnel

Thanks. Below is the config. I think the problem has to do with "Asymmetric Routing" which is not supported on the PIX. When the Clients initiate a VPN connection the Client is virtually put on the Inside network so when the PIX Firewall detects the same connection arriving on a perimeter interface, the PIX Firewall has more than one path to a destination. The PIX thinks an attacker is attempting to append packets from one connection to another as a way to break into the PIX Firewall and drops the connection.


PIX Version 6.1(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

fixup protocol domain 53


access-list 101 permit ip

access-list 101 permit ip

access-list acl_inbound permit tcp any host eq www

access-list acl_inbound permit udp any host eq tftp

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside

ip address inside

ip address dmz

ip local pool remote

global (outside) 2

nat (inside) 0 access-list 101

nat (inside) 2 0 0

nat (dmz) 0 access-list 101

static (inside,dmz) netmask 0 0

static (dmz,outside) netmask 0 0

static (dmz,outside) netmask 0 0

access-group acl_inbound in interface outside

route outside 1

crypto ipsec transform-set remoteset esp-des esp-md5-hmac

crypto dynamic-map remote 2 set transform-set remoteset

crypto map mymap 2 ipsec-isakmp dynamic remote

crypto map mymap client configuration address initiate

crypto map mymap interface outside

isakmp enable outside

isakmp key ******** address netmask

isakmp identity address

isakmp client configuration address-pool local remote outside

isakmp policy 8 authentication pre-share

isakmp policy 8 encryption des

isakmp policy 8 hash md5

isakmp policy 8 group 2

isakmp policy 8 lifetime 86400

vpngroup xxx address-pool remote

vpngroup xxx dns-server

vpngroup xxx wins-server

vpngroup xxx default-domain

vpngroup xxx split-tunnel 101

vpngroup xxx idle-time 2100

vpngroup xxx password ********
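
As an added example (not part of any post in this thread and not Cisco tooling), the Python script below checks the arrangement described in the replies above: for each vpngroup, every protected interface's network should appear, with the VPN client pool as destination, in both the split-tunnel ACL and that interface's nat 0 ACL. The function names, the `vpn_iface` parameter and all addresses are assumptions made for illustration; it only compares ACL entries and does not model access-groups, statics or how the PIX forwards the traffic.

```python
import ipaddress

# Constructed sample in PIX 6.x syntax. All addresses are made up, because the
# config posted in the thread has its addresses removed.
SAMPLE = """\
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool remote 192.168.50.1-192.168.50.50
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 101
nat (dmz) 0 access-list 101
vpngroup xxx address-pool remote
vpngroup xxx split-tunnel 101
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config, vpn_iface="outside"):
    """Return (group, interface, role, acl) for each missing network -> pool entry."""
    ifaces, pools, acls, nat0, groups = {}, {}, {}, {}, {}
    for t in (line.split() for line in config.splitlines()):
        if t[:2] == ["ip", "address"] and len(t) == 5:
            ifaces[t[2]] = net(t[3], t[4])
        elif t[:3] == ["ip", "local", "pool"] and len(t) == 5:
            lo, _, hi = t[4].partition("-")
            pools[t[3]] = [ipaddress.ip_address(a) for a in (lo, hi or lo)]
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"] and len(t) == 8:
            # Only "net mask net mask" entries are parsed; any/host forms are skipped.
            acls.setdefault(t[1], []).append((net(t[4], t[5]), net(t[6], t[7])))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"] and len(t) == 5:
            nat0[t[1].strip("()")] = t[4]
        elif t[:1] == ["vpngroup"] and len(t) == 4:
            groups.setdefault(t[1], {})[t[2]] = t[3]

    def covers(acl, ifnet, pool):
        return any(ifnet.subnet_of(src) and all(a in dst for a in pool)
                   for src, dst in acls.get(acl, []))

    findings = []
    for name, g in sorted(groups.items()):
        pool = pools.get(g.get("address-pool"), [])
        for iface, ifnet in ifaces.items():
            if iface == vpn_iface or not pool:
                continue
            checks = {"split-tunnel": g.get("split-tunnel"), "nat 0": nat0.get(iface)}
            findings += [(name, iface, role, acl) for role, acl in checks.items()
                         if acl is None or not covers(acl, ifnet, pool)]
    return findings
```

On the constructed sample, `audit(SAMPLE)` reports the dmz network as missing from ACL 101 in both roles; an empty list means the ACL side of the setup is consistent, not that the traffic will pass.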
