01-29-2012 12:47 PM
Split tunnel is not working properly. When I change the split tunnel policy to tunnel-specified, I am not able to access the internal LAN. When I make it tunnel-all, I am able to access the LAN. I require both Internet and LAN at the same time. Please help.
access-list NONAT extended permit ip 172.16.100.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list NONAT extended permit ip 172.16.100.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list NONAT extended permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.19.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list NONAT extended permit ip 192.168.19.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list NONAT extended permit ip 192.168.19.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list NONAT extended permit ip 192.168.19.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip any 172.16.100.0 255.255.255.0
access-list INTERNET extended permit icmp any any
access-list yatravpn_splitTunnelAcl standard permit 172.16.100.0 255.255.255.0
access-list yatravpn_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
----------------------------------------------------------------------------------------------------
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map INTERNET_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map INTERNET_map interface INTERNET
crypto isakmp enable INTERNET
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-policy yatravpn internal
group-policy yatravpn attributes
dns-server value 192.168.32.104 192.168.28.14
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
split-tunnel-network-list value yatravpn_splitTunnelAcl
default-domain value xyz.com
vpn-group-policy yatravpn
tunnel-group yatravpn type remote-access
tunnel-group yatravpn general-attributes
address-pool yatrapool
default-group-policy yatravpn
tunnel-group yatravpn ipsec-attributes
pre-shared-key *
Regards,
HARI
01-29-2012 03:30 PM
Your command:
split-tunnel-policy tunnelall
should be:
split-tunnel-policy tunnelspecified
Also, in your ACL the second line is all you need, since it is a superset of the first:
access-list yatravpn_splitTunnelAcl standard permit 172.16.100.0 255.255.255.0
access-list yatravpn_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
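As an added illustration (not part of either post in this thread), the script below models how an ASA group-policy decides which destinations go through the tunnel under each split-tunnel-policy value, using the two split-tunnel ACL entries and the DNS server addresses quoted above. It is a plain Python check built on the standard library's ipaddress module; the ASA itself does no such computation for you, and the function names and the sample destinations are the author's own. It flags the superset redundancy the reply points out, and shows that under tunnelspecified a destination outside the listed networks (for example the group-policy's DNS servers, which sit in 192.168.0.0/16, not 172.16.0.0/16) is sent in the clear rather than through the tunnel.

```python
import ipaddress

# Split-tunnel standard ACL entries copied from the thread (network, subnet mask).
SPLIT_TUNNEL_ACL = [
    ("172.16.100.0", "255.255.255.0"),
    ("172.16.0.0", "255.255.0.0"),
]

# Constructed sample destinations: two hosts in the listed ranges, the two
# DNS servers from the group-policy, and a public address.
SAMPLE_DESTINATIONS = [
    "172.16.100.5",
    "172.16.40.10",
    "192.168.32.104",
    "192.168.28.14",
    "198.51.100.7",
]


def parse_standard_acl(entries):
    """Turn (network, mask) pairs into ip_network objects.

    ASA standard ACLs use a subnet mask (not a wildcard mask), which is
    exactly what ipaddress accepts in dotted form.
    """
    return [ipaddress.ip_network(f"{net}/{mask}", strict=False)
            for net, mask in entries]


def redundant_entries(networks):
    """Return (index, covering_index) for entries fully contained in another.

    A duplicate entry is reported once, against its first occurrence.
    """
    hits = []
    for i, n in enumerate(networks):
        for j, m in enumerate(networks):
            if i == j or not n.subnet_of(m):
                continue
            if n == m and j > i:
                continue
            hits.append((i, j))
    return hits


def tunneled(destination, policy, networks):
    """True if traffic to destination goes through the VPN under this policy."""
    addr = ipaddress.ip_address(destination)
    listed = any(addr in n for n in networks)
    if policy == "tunnelall":
        return True
    if policy == "tunnelspecified":
        return listed
    if policy == "excludespecified":
        return not listed
    raise ValueError(f"unknown split-tunnel-policy: {policy}")


def report(policy, entries=SPLIT_TUNNEL_ACL, destinations=SAMPLE_DESTINATIONS):
    """Map each sample destination to 'tunnel' or 'clear' under the policy."""
    networks = parse_standard_acl(entries)
    return {d: ("tunnel" if tunneled(d, policy, networks) else "clear")
            for d in destinations}


if __name__ == "__main__":
    nets = parse_standard_acl(SPLIT_TUNNEL_ACL)
    for i, j in redundant_entries(nets):
        print(f"entry {nets[i]} is already covered by {nets[j]}")
    for policy in ("tunnelall", "tunnelspecified"):
        print(policy)
        for dest, verdict in report(policy).items():
            print(f"  {dest:16} {verdict}")
```

Running it prints that 172.16.100.0/24 is covered by 172.16.0.0/16, and that under tunnelspecified only the 172.16.x.x destinations are tunneled, while the DNS servers and the public address go out the client's local interface. If internal hosts must be reached by name through the tunnel, the DNS servers' networks need to be in the split-tunnel list too; that is a check worth running against any split-tunnel ACL before switching a group-policy away from tunnelall.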