07-30-2007 08:29 AM
New site installation of a PIX ASA 5520. Remote VPN clients authenticate and have access to the internal network, with an IP derived from the internal IP pool. When a remote web site requires IP authentication and is added to split tunneling, the user cannot contact the site. Remove the site from split tunneling and they can contact the site, but are refused (IP authentication) because they are not using the tunnel and are therefore not using an internal network IP, but the IP from their local ISP.
thanks for any help
07-30-2007 09:49 AM
Would NATing the remote clients to the outside interface of the ASA get you past the authentication? Where is the server which requires authentication located, inside or outside of the ASA?
07-30-2007 10:09 AM
All servers that require IP authentication are OUTSIDE the PIX. The remote user tunnel is into the OUTSIDE interface, and with split tunneling the request must return through the OUTSIDE interface. If they don't use split tunneling, the request emanates from their remote PC through their ISP and successfully reaches the outside host, but the source IP won't authenticate.
I suppose the biggest question I have (lucent background) is where exactly "in the greater scheme of things" does a vpn client reside (ie-the tunnel end point).
thanks
07-30-2007 10:15 AM
Hi Robert,
You can use the document and troubleshooting method below.
If you still have a problem, please give me the log and configuration:
Regards,
Dharmesh Purohit
07-30-2007 10:24 AM
There is another option other than split tunneling. Take a look here...
You can tunnel all traffic and NAT the remote clients on the outside of the ASA. Therefore the source address of the request to the server would be from your main site, not the remote site. The .doc is for remote access VPN clients but is the same for LAN-to-LAN.
07-31-2007 07:11 AM
To all who responded to this: thanks for the suggestions. Turned out adding the new hairpin config:
same-security-traffic permit intra-interface
or
clicking on ASDM VPN setup - Permit communication between VPN peers...
solved the problem
This allows tunnel traffic to exit the same interface it entered.
thanks again
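For readers arriving at this thread, here is the hairpin plus outside-NAT configuration the last two posts describe, written out as an added example (not posted by anyone in the thread). The VPN pool 192.168.200.0/24, the interface name "outside" and the group/policy names are assumptions; the syntax is the pre-8.3 NAT syntax an ASA 5520 of this era would run.

```cisco
! Hypothetical addressing: VPN client pool 192.168.200.0/24
ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0

! 1. Hairpin: allow decrypted VPN traffic to leave the same interface it
!    entered on. Without this, tunnel-all clients cannot reach Internet hosts
!    at all, which is the "cannot contact the site" symptom in the thread.
same-security-traffic permit intra-interface

! 2. Tunnel everything instead of split tunneling, so requests to the
!    IP-authenticated web servers are routed out through the ASA.
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelall
tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool VPN_POOL
 default-group-policy RA_POLICY

! 3. Translate the private pool to the outside interface address as the
!    traffic re-exits "outside". The remote web server now sees the main
!    site's public IP, the address it has allow-listed, rather than the
!    client's ISP address or an unroutable 192.168.200.x source.
nat (outside) 1 192.168.200.0 255.255.255.0
global (outside) 1 interface

! Checks after a client connects and browses to one of the servers:
!   show xlate | include 192.168.200   (one translation per active client)
!   show crypto ipsec sa               (encaps/decaps counters increasing)
```

On ASA 8.3 and later the two NAT lines are replaced by a network object for the pool with `nat (outside,outside) dynamic interface`; the hairpin and tunnel-all parts are unchanged.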