Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

PIX ASA 5520 VPN Split-Tunneling problem

New Site installation of PIX ASA 5520 - Remote VPN clients authenticate and have access to internal network, with IP derived from internal IP pool. When a remote web site requires IP authentication and is added to split tunneling, the user cannot contact the site. Remove the site from split tunneling and they can contact the site, but are refused (IP authentication) because they are not using the tunnel and are therefore, not using an internal network IP, but the IP from their local ISP.

thanks for any help


Re: PIX ASA 5520 VPN Split-Tunneling problem

Would nating the remote clients to the outside interface of the ASA get you past the authentication? Where is the server which requires authentication located, inside or outside of ASA?

Community Member

Re: PIX ASA 5520 VPN Split-Tunneling problem

all servers that require IP authentication are OUTSIDE the PIX. Remote user tunnel is into the OUTSIDE interface and with split tunneling the request must return thru the OUTSIDE interface. If they don't use split tunneling the request emminates from their remote PC thru their ISP and successfully reaches the outside host, but the source IP won't authenticate.

I suppose the biggest question I have (lucent background) is where exactly "in the greater scheme of things" does a vpn client reside (ie-the tunnel end point).



Re: PIX ASA 5520 VPN Split-Tunneling problem

Hi Robert,

You can use below document and troubleshooting mathod.

Still you have problem please give me LOG and configuration:


Dharmesh Purohit


Re: PIX ASA 5520 VPN Split-Tunneling problem

There is another option other than split tunneling. Take a look here...

You can tunnel all traffic and nat the remote clients on the outside of the ASA. Therefore the source address of the request to the server would be from your main site, not the remote site. The .doc is for remote access vpn clients but is the same for lan 2 lan.

Community Member

Re: PIX ASA 5520 VPN Split-Tunneling problem

to all who responded to this: thanks for the suggestions. Turned out adding new :Hair-Pin config:

same-security-traffic permit intra-interface


clicking on asdm vpn setup - Permit communication between vpn peers.....

solved the problem

This allows tunnel traffic to exit the same interface it entered.

thanks again

CreatePlease to create content