Split tunneling

aqswdefrgt
Level 1

Currently, I am using a PIX 501 and a VPN 3000. At first, my VPN clients could not access the internet once they logged in via the Cisco Systems VPN Client, so I enabled split tunneling. Now the clients are able to access the internet but cannot access the internal server. Does anyone know what went wrong? Please help...

Thank you

1 Accepted Solution

The overlapping needs to be fixed first, and these two commands should be applied as well.

isakmp identity address

isakmp nat-traversal 20


7 Replies

jackko
Level 7

Please post the entire config with the public IP masked.

enable password ********** encrypted

passwd ********** encrypted

hostname Firewall

domain-name aqswdefrgt.com.sg

access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list nat permit tcp any host 65.165.123.142 eq smtp

access-list nat permit tcp any host 65.165.123.142 eq pop3

access-list nat permit tcp any host 65.165.123.143 eq smtp

access-list nat permit tcp any host 65.165.123.143 eq pop3

access-list nat permit tcp any host 65.165.123.143 eq www

access-list nat permit tcp any host 65.165.123.152 eq smtp

access-list nat permit tcp any host 65.165.123.152 eq pop3

access-list nat permit tcp any host 65.165.123.152 eq www

access-list nat permit tcp any host 65.165.123.143 eq https

access-list nat permit icmp any any

ip address outside 65.165.123.4 255.255.255.240

ip address inside 192.168.1.2 255.255.255.0

ip verify reverse-path interface outside

ip local pool clientpool 192.168.1.40-192.168.1.49

global (outside) 1 interface

nat (inside) 0 access-list 100

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 65.165.123.142 smtp 192.168.1.56 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.165.123.142 pop3 192.168.1.56 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.165.123.143 smtp 192.168.1.55 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.165.123.143 pop3 192.168.1.55 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.165.123.143 www 192.168.1.55 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.165.123.152 smtp 192.168.1.76 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.165.123.152 pop3 192.168.1.76 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.165.123.152 www 192.168.1.76 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.165.123.143 https 192.168.1.55 https netmask 255.255.255.255 0 0

access-group nat in interface outside

route outside 0.0.0.0 0.0.0.0 65.165.123.1 1

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server plexus protocol radius

aaa-server plexus (inside) host 192.168.1.55 ******** timeout 5

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map cisco 1 set transform-set myset

crypto map dyn-map 20 ipsec-isakmp dynamic cisco

crypto map dyn-map client authentication plexus

crypto map dyn-map interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption 3des

isakmp policy 40 hash md5

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

vpngroup vpn3000 address-pool clientpool

vpngroup vpn3000 dns-server 192.168.1.55

vpngroup vpn3000 wins-server 192.168.1.55

vpngroup vpn3000 default-domain aqswdefrgt.com.sg

vpngroup vpn3000 idle-time 1800

vpngroup vpn3000 password ********

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

One critical thing is that the VPN client pool should not overlap with the PIX inside net.

I had already taken note of that. Besides that, what else went wrong?

The overlapping needs to be fixed first, and these two commands should be applied as well.

isakmp identity address

isakmp nat-traversal 20
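For reference, here is what the two fixes in the reply above look like when put together against the posted config. This is an added example, not configuration from the thread: the replacement pool 192.168.100.0/24 and the ACL name split-vpn are assumptions chosen for illustration, and the comment lines (prefixed with !) are for the reader, not for pasting. The posted config uses a pool of 192.168.1.40-49 inside the 192.168.1.0/24 inside network, so inside hosts would try to reach VPN clients on the local LAN instead of through the PIX; moving the pool to its own subnet, exempting inside-to-pool traffic from NAT, and pushing a split-tunnel list that covers only the inside network gives the clients both the internal server and direct internet access. It leaves untouched other items visible in the posted config that a practitioner would also revisit: the wildcard pre-shared key on address 0.0.0.0, the DES transform set, the public SNMP community, and telnet on the inside interface.

```text
! 1. Client pool on its own subnet, outside the inside network (192.168.1.0/24).
!    Remove the old clientpool definition (192.168.1.40-192.168.1.49) before adding this one.
ip local pool clientpool 192.168.100.1-192.168.100.50

! 2. Exempt inside -> pool traffic from NAT. access-list 100 is the existing nat 0 list,
!    so its 192.168.50.0 entry is kept and a line for the new pool is added.
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 100

! 3. Split tunnel: only 192.168.1.0/24 is sent through the tunnel; everything else goes
!    straight to the client's local internet connection.
access-list split-vpn permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
vpngroup vpn3000 address-pool clientpool
vpngroup vpn3000 split-tunnel split-vpn

! 4. The two commands from the accepted answer: identify by IP address, and enable
!    NAT traversal with a 20-second keepalive for clients behind home NAT devices.
isakmp identity address
isakmp nat-traversal 20

! Verification after a client reconnects: the IPsec SA should show the client's
! 192.168.100.x address as the remote proxy, and counters should increment on
! both encaps and decaps when the client pings the internal server.
show isakmp sa
show crypto ipsec sa
```

The same ACL can serve both nat 0 and split-tunnel on PIX 6.x; a separate split-vpn list is used here only so the 192.168.50.0 entry in access-list 100 is not pushed to the clients as a secured network.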

Thanks for the info. I will try it out later.

Due to the limited characters for each message, I can only post a partial configuration. But all these are the most important parts.
