Your firewall is wide open with this config. The defined interesting traffic is too much. I assume you have the vpngroup cotageworker password xxxx statement set up on your config? I do not see anything wrong with the config other than that there is too much interesting traffic and your firewall is not secure (of course, this is based on whether you have the correct isakmp policy and crypto map, and the routing set up correctly).
Interesting traffic, in this case, is the information that is shot to your VPN client from the split-tunnel config in the vpngroup. In your first post, you're telling the client to encrypt ALL IP (TCP, UDP). Now when you try to surf the web, your web traffic gets encrypted and goes through the VPN tunnel to the PIX. Packets coming in one interface on a PIX cannot turn around and go out the same one, so your web traffic is dropped. Now, let's say your inside network is 192.168.1.0, and your VPN address pool is 172.16.1.0. You would set up your split-tunnel access to say: anything that is heading from 172.16.1.0, going to 192.168.1.0, encrypt that traffic and send it across the VPN tunnel. Now when you jump on the web and go to yahoo.com, your machine does a DNS lookup and finds that the IP address of that web site is 10.10.10.10; the client looks at that IP and says, "I am not going to encrypt that traffic because it's not in the 192.168.1.0 subnet." It then sends that traffic out your machine's default gateway unencrypted and not through the VPN tunnel.
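The reply above describes how the client decides, per destination address, whether a packet is "interesting" (encrypted into the tunnel) or sent in the clear, and why a split-tunnel ACL of "all IP" both breaks web browsing and exposes the firewall to far more traffic than it should carry. The following is an added example, not code from the original thread or from Cisco: a small Python model of that decision. It assumes PIX 6.x-style access-list syntax (netmasks, `any`, `host`), and the two sample ACLs, the client address 172.16.1.5 and the web-server address 10.10.10.10 are constructed from the values the reply uses. `overly_broad()` is the check a reviewer would run on a proposed split-tunnel ACL before applying it.

```python
import ipaddress

# Constructed sample split-tunnel ACLs in PIX 6.x syntax (assumption: the ACL is
# written from the inside network's point of view, which is why the inside subnet
# is the source and the VPN address pool the destination). Not taken from the thread.
BROAD_ACL = "access-list split permit ip any any\n"          # "encrypt ALL ip"
NARROW_ACL = (
    "access-list split permit ip 192.168.1.0 255.255.255.0 "
    "172.16.1.0 255.255.255.0\n"
)


def _parse_side(tokens, i):
    """Consume one address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]          # PIX uses netmasks, not wildcards
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_split_acl(text):
    """Return a list of (src_net, dst_net) for every 'permit ip' ACE in the text.

    Only pure 'ip' entries are kept: a split-tunnel selector is an address pair,
    so tcp/udp/port entries are ignored here.
    """
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        if tokens[2] != "permit" or tokens[3] != "ip":
            continue
        src, i = _parse_side(tokens, 4)
        dst, _ = _parse_side(tokens, i)
        aces.append((src, dst))
    return aces


def goes_through_tunnel(aces, client_ip, dest_ip):
    """The client's decision: True if a packet from client_ip to dest_ip is encrypted.

    The ACE is matched in either direction, because the PIX writes it from the
    inside network's viewpoint while the client sees the mirror image.
    """
    c = ipaddress.ip_address(client_ip)
    d = ipaddress.ip_address(dest_ip)
    for src, dst in aces:
        if (c in src and d in dst) or (c in dst and d in src):
            return True
    return False


def overly_broad(aces):
    """ACEs where one side matches every address: the 'encrypt ALL ip' case.

    Such an entry drags all of the client's traffic, web browsing included, into
    the tunnel and onto the firewall; it is what the reply calls too much
    interesting traffic.
    """
    return [(s, d) for s, d in aces if s.prefixlen == 0 or d.prefixlen == 0]


def report(acl_text, client_ip="172.16.1.5", dests=("192.168.1.10", "10.10.10.10")):
    """Human-readable summary for one ACL; returns the parsed ACEs for reuse."""
    aces = parse_split_acl(acl_text)
    print(acl_text.strip())
    for dest in dests:
        where = "tunnel (encrypted)" if goes_through_tunnel(aces, client_ip, dest) else "default gateway (clear)"
        print(f"  {client_ip} -> {dest}: {where}")
    if overly_broad(aces):
        print("  WARNING: split-tunnel ACL matches all addresses; firewall is wide open")
    return aces


if __name__ == "__main__":
    report(BROAD_ACL)
    report(NARROW_ACL)
```

With the broad ACL both destinations go into the tunnel and the warning fires; with the narrow ACL only 192.168.1.10 is encrypted and the 10.10.10.10 web request leaves via the machine's default gateway, which is the behaviour the reply describes.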