Cisco Support Community
New Member

Split tunneling

Currently, I am using a PIX 501 and a VPN 3000. At first, my VPN clients could not access the internet once they logged in via the Cisco Systems VPN client, so I enabled split tunneling. Now the clients are able to access the internet but cannot access the internal server. Does anyone know what went wrong? Please help...

Thank you

7 REPLIES
Gold

Re: Split tunneling

Please post the entire config with the public IPs masked.

New Member

Re: Split tunneling

enable password ********** encrypted

passwd ********** encrypted

hostname Firewall

domain-name aqswdefrgt.com.sg

access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list nat permit tcp any host 65.165.123.142 eq smtp

access-list nat permit tcp any host 65.165.123.142 eq pop3

access-list nat permit tcp any host 65.165.123.143 eq smtp

access-list nat permit tcp any host 65.165.123.143 eq pop3

access-list nat permit tcp any host 65.165.123.143 eq www

access-list nat permit tcp any host 65.165.123.152 eq smtp

access-list nat permit tcp any host 65.165.123.152 eq pop3

access-list nat permit tcp any host 65.165.123.152 eq www

access-list nat permit tcp any host 65.165.123.143 eq https

access-list nat permit icmp any any

ip address outside 65.165.123.4 255.255.255.240

ip address inside 192.168.1.2 255.255.255.0

ip verify reverse-path interface outside

ip local pool clientpool 192.168.1.40-192.168.1.49

global (outside) 1 interface

nat (inside) 0 access-list 100

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 65.165.123.142 smtp 192.168.1.56 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.165.123.142 pop3 192.168.1.56 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.165.123.143 smtp 192.168.1.55 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.165.123.143 pop3 192.168.1.55 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.165.123.143 www 192.168.1.55 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.165.123.152 smtp 192.168.1.76 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.165.123.152 pop3 192.168.1.76 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.165.123.152 www 192.168.1.76 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.165.123.143 https 192.168.1.55 https netmask 255.255.255.255 0 0

access-group nat in interface outside

route outside 0.0.0.0 0.0.0.0 65.165.123.1 1

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server plexus protocol radius

aaa-server plexus (inside) host 192.168.1.55 ******** timeout 5

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map cisco 1 set transform-set myset

crypto map dyn-map 20 ipsec-isakmp dynamic cisco

crypto map dyn-map client authentication plexus

crypto map dyn-map interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption 3des

isakmp policy 40 hash md5

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

vpngroup vpn3000 address-pool clientpool

vpngroup vpn3000 dns-server 192.168.1.55

vpngroup vpn3000 wins-server 192.168.1.55

vpngroup vpn3000 default-domain aqswdefrgt.com.sg

vpngroup vpn3000 idle-time 1800

vpngroup vpn3000 password ********

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Gold

Re: Split tunneling

One critical thing is that the VPN client pool should not overlap with the PIX inside net.

New Member

Re: Split tunneling

I had already taken note of that. Besides that, what else went wrong?

Gold

Re: Split tunneling

The overlapping needs to be fixed first, and these two commands should be applied as well.

isakmp identity address

isakmp nat-traversal 20
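Added example, not part of the thread: a small Python check for the three conditions this reply points at, run against a constructed config fragment modelled on the one posted above. It tests whether the client pool falls inside the inside subnet, whether the nat 0 ACL actually exempts inside-to-pool traffic from NAT, and whether the two isakmp commands from the reply are present. The `vpngroup vpn3000 split-tunnel 100` line in the sample is an assumption (the poster said the config was partial); `check_split_tunnel` and `parse_pix` are names chosen here, not PIX commands.

```python
import ipaddress
import re

# Constructed sample modelled on the PIX 6.x config posted in the thread.
# The split-tunnel line is assumed; the poster said the config was partial.
SAMPLE_CONFIG = """\
ip address inside 192.168.1.2 255.255.255.0
ip local pool clientpool 192.168.1.40-192.168.1.49
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 100
vpngroup vpn3000 address-pool clientpool
vpngroup vpn3000 split-tunnel 100
isakmp enable outside
"""

# Constructed corrected version: the pool moved onto the 192.168.50.0/24 subnet
# that ACL 100 already names, plus the two commands from the accepted reply.
FIXED_CONFIG = """\
ip address inside 192.168.1.2 255.255.255.0
ip local pool clientpool 192.168.50.40-192.168.50.49
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 100
vpngroup vpn3000 address-pool clientpool
vpngroup vpn3000 split-tunnel 100
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
"""


def _net(addr, mask):
    """Build a network from PIX-style 'address mask' notation."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_pix(config):
    """Extract only the statements the checks below depend on."""
    facts = {"inside": None, "pools": {}, "acls": {}, "nat0_acl": None,
             "group_pool": {}, "commands": set()}
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        facts["commands"].add(line)
        if m := re.match(r"ip address inside (\S+) (\S+)$", line):
            facts["inside"] = _net(m[1], m[2])
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            facts["pools"][m[1]] = (ipaddress.IPv4Address(m[2]),
                                    ipaddress.IPv4Address(m[3]))
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            facts["acls"].setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            facts["nat0_acl"] = m[1]
        elif m := re.match(r"vpngroup (\S+) address-pool (\S+)$", line):
            facts["group_pool"][m[1]] = m[2]
    return facts


def check_split_tunnel(config):
    """Return a list of findings; an empty list means all checks passed."""
    f = parse_pix(config)
    findings = []
    if f["inside"] is None:
        return ["no 'ip address inside' statement found"]
    for group, pool_name in f["group_pool"].items():
        lo, hi = f["pools"][pool_name]
        # 1. The client pool must not overlap the inside subnet (the reply's
        #    "overlapping needs to be fixed first").
        if lo in f["inside"] or hi in f["inside"]:
            findings.append(f"pool {pool_name} overlaps inside network {f['inside']}")
        # 2. The nat 0 ACL must cover inside -> pool, or replies to clients get NATted.
        entries = f["acls"].get(f["nat0_acl"], [])
        covered = any(f["inside"].subnet_of(src) and lo in dst and hi in dst
                      for src, dst in entries)
        if not covered:
            findings.append(f"nat 0 ACL {f['nat0_acl']} does not exempt "
                            f"{f['inside']} -> pool {pool_name} (group {group})")
    # 3. The two commands the reply asks for.
    if "isakmp identity address" not in f["commands"]:
        findings.append("missing: isakmp identity address")
    if not any(c.startswith("isakmp nat-traversal") for c in f["commands"]):
        findings.append("missing: isakmp nat-traversal <keepalive>")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        print(name, "->", check_split_tunnel(cfg) or "OK")
```

Run against the posted-style fragment it reports the pool overlap, the nat 0 ACL not matching the pool, and both missing isakmp commands; against the corrected fragment it reports nothing. The ACL check is the one people tend to miss: with the pool inside 192.168.1.0/24, ACL 100's destination of 192.168.50.0/24 never matches, so inside-to-client traffic is PATed out the interface instead of being exempted.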

New Member

Re: Split tunneling

Thanks for the info. I will try it out later.

New Member

Re: Split tunneling

Due to the limited characters for each message, I can only post a partial config. But all of these are the most important parts.
