Cisco Support Community
Community Member

VPN3005---PIX506 using NEM & RRI with split-tunnel

The following design is given:

VPN3005(central)---Tunnel-------PIX506(remote) network-extension-mode & RRI

A VPN Client (PC) connects to the VPN3005 and wants to reach a server on the PIX506 site over the tunnel from the 3005 to the PIX506.

At the same time, users on the LAN behind the PIX506 want to use the Internet directly, which means split-tunneling has to be used.

On the VPN3005 under IP Routing -> RRI, network-extension RRI and Client RRI are enabled.

The connectivity from LAN (central) to LAN (remote) is given, but RRI for the VPN Client (PC) (which wants to connect to a server on the remote LAN) is not possible if split-tunneling for ezvpn (PIX506) is used.

It works if you tunnel everything!!

Question:

Is this not possible because this feature (EZVPN+RRI+split-tunnel) is not implemented, or should this thing work anyway???

(Same behaviour with a real HW3002)

btw. VPNConc 3.6.7 (3.6.3, 3.6.5, 3.6.7A), HW3002 3.6.7, PIX 6.2.2 (6.3.136 beta)

Images in brackets were also tested, with the same behaviour.

Thank you for help & information about this thing in advance.

Kind regards,

Stefan

1 ACCEPTED SOLUTION

Cisco Employee

Re: VPN3005---PIX506 using NEM & RRI with split-tunnel

Do you have the VPN client pool of addresses in the split tunnel list for the PIX? The trouble with doing split tunnelling is that traffic has to be initiated from behind the PIX for that network first; only then is that particular SA built for that particular network subnet. If you're trying to connect over a client, or even from the LAN behind the 3005 (same thing in theory), then unless someone behind the PIX has sent traffic to that subnet first, your traffic is not going to get there.

When split tunneling is not used, the PIX automatically builds the SA for all networks, and that's why you can then ping those hosts from a VPN client (or from the LAN behind the 3005).

Do a simple test and start a VPN client connection to the 3005, making sure the pool of addresses is in the PIX split-tunnel list. If you try and ping from the client to the PIX network it won't work. Now have someone from behind the PIX ping the VPN client address; you'll probably lose the first one or two packets, but then it should answer OK. NOW, from the VPN client try and ping the PIX network; this should work now, because the PIX has built the tunnel for the pool of addresses.
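
The on-demand SA behaviour described in the answer above, replayed as a small model (an added example, not Cisco code and not part of the original thread). The peer keeps one IPsec SA per remote subnet and only builds it when a host behind it first sends traffic to that subnet, or builds one SA for everything when split tunnelling is off; the three scenarios mirror the test procedure in the answer. All addresses, pool ranges and the class/function names are constructed for the example.

```python
"""Model of on-demand IPsec SA creation on a NEM (network-extension-mode) peer.

Constructed for illustration only; it is not Cisco code and models nothing
beyond the behaviour the thread describes: with split tunnelling, an SA for a
remote subnet exists only after a host behind the peer has sent traffic to
that subnet; with tunnel-everything, one SA covering all destinations is up
as soon as the tunnel is.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set

ANY = ip_network("0.0.0.0/0")


@dataclass
class NemPeer:
    """A NEM peer such as the PIX in the thread (hypothetical model)."""
    local_lan: IPv4Network
    # Networks reached through the tunnel; None means "tunnel everything".
    split_tunnel_list: Optional[List[IPv4Network]]
    # Remote subnets for which an IPsec SA is currently established.
    sas: Set[IPv4Network] = field(default_factory=set)

    def connect(self) -> None:
        """Bring the EzVPN tunnel up. Without split tunnelling the peer builds
        one SA for all destinations immediately; with it, none yet."""
        self.sas.clear()
        if self.split_tunnel_list is None:
            self.sas.add(ANY)

    def _tunnel_subnet_for(self, dst: IPv4Address) -> Optional[IPv4Network]:
        """Return the split-tunnel entry matching dst (ANY when tunnelling all)."""
        if self.split_tunnel_list is None:
            return ANY
        for net in self.split_tunnel_list:
            if dst in net:
                return net
        return None

    def send_from_lan(self, dst: str) -> str:
        """A host behind the peer sends to dst. Interesting traffic triggers
        (or reuses) the SA for the matching subnet; anything else goes
        straight out to the Internet."""
        net = self._tunnel_subnet_for(ip_address(dst))
        if net is None:
            return "direct"
        self.sas.add(net)  # first packet for this subnet brings the SA up
        return "tunnel"

    def receive_from_hub(self, src: str) -> bool:
        """Traffic arriving via the central site from src toward the local LAN
        is only deliverable if an SA already covers src."""
        return any(ip_address(src) in net for net in self.sas)


def thread_scenario(split_tunnel: bool, pool_in_list: bool) -> Dict[str, bool]:
    """Replay the test from the accepted answer with constructed addresses."""
    remote_lan = ip_network("192.168.50.0/24")  # LAN behind the PIX
    central_lan = ip_network("10.1.0.0/16")     # LAN behind the 3005
    client_pool = ip_network("10.200.0.0/24")   # VPN client pool on the 3005
    client = "10.200.0.17"                      # address a VPN client got

    split = None
    if split_tunnel:
        split = [central_lan] + ([client_pool] if pool_in_list else [])
    pix = NemPeer(remote_lan, split)
    pix.connect()

    first = pix.receive_from_hub(client)   # client pings the PIX LAN first
    pix.send_from_lan(client)              # someone behind the PIX pings the client
    after = pix.receive_from_hub(client)   # client pings the PIX LAN again
    return {"client_first": first, "client_after_lan_ping": after}


if __name__ == "__main__":
    print("tunnel everything:        ", thread_scenario(False, False))
    print("split, pool listed:       ", thread_scenario(True, True))
    print("split, pool not listed:   ", thread_scenario(True, False))
```

The middle scenario is the one the answer describes: the client's first ping fails, a ping from behind the PIX brings the SA for the pool subnet up, and the client's next ping succeeds. The last scenario shows why the pool must be in the split-tunnel list at all: traffic to an unlisted destination leaves directly and never creates an SA.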

3 REPLIES

Community Member

Re: VPN3005---PIX506 using NEM & RRI with split-tunnel

Yes, our VPN client gets a static IP from the ACS server via RADIUS, and all client addresses are within the network list.

Okay, good information about SA setups.

I will build a test setup with a PIX501 and HW3002 to the VPN3005 to test this thing, though this will not be a solution for this customer setup, because the server will not ping these client address(es) all the time...

Thanks this time,

I will hopefully have an answer by Thursday.

Regards,

Stefan

Community Member

Re: VPN3005---PIX506 using NEM & RRI with split-tunnel

Getting the devices for testing took longer than assumed.

(I have to tune the network list to keep the thing running....)

So again, thanks for your advice. ;-)

Stefan
