11-25-2013 01:05 AM
I have an old PIX, running version 6.3. Its version cannot be upgraded due to hardware limitation.
I am setting up IPSEC VPN, with split-tunnel disabled.
However, the client was not able to connect to Internet.
Below is part of the configuration.
ip local pool internetvpn1 10.30.11.1-10.30.11.7
vpngroup internetvpn1 address-pool internetvpn1
vpngroup internetpub1 dns-server 123.4.5.6
vpngroup internetpub1 idle-time 86400
vpngroup internetpub1 password *********
I can login to VPN Client, but when I do nslookup, PIX will show log as below
110001: No route to 123.4.5.6 from 10.30.11.1
110001: No route to 123.4.5.6 from 10.30.11.1
Anybody have any idea?
11-25-2013 03:27 AM
I just found out that in version 6.x, traffic cannot pass through when the security levels are the same.
For VPN Client, user traffic came from outside interface.
If split-tunneling is disabled and the user wants to access the Internet, it has to go out from the outside interface as well.
As "same-security-traffic permit inter-interface" is not available in 6.x, it becomes impossible for the VPN client to access the Internet when split-tunneling is disabled.
Am I correct?
12-17-2013 06:39 PM
I upgraded firewall to version 7.0 and problem resolved.
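As an added illustration (not configuration from the original thread or from Cisco), the fragment below shows the shape of a 7.x configuration that lets a full-tunnel VPN client reach the Internet back out of the interface it arrived on. The pool and group names are taken from the thread; the NAT pool number, the /29 mask and the use of the interface address for PAT are assumptions chosen to match the 10.30.11.1-10.30.11.7 pool, and the syntax is the pre-8.3 PIX/ASA NAT form.

```cisco
! Allow traffic to enter and leave the same interface (U-turn / hairpin).
! This is the 7.x command the 6.x code base lacks; it is what lets a
! full-tunnel client's Internet-bound traffic re-exit "outside".
same-security-traffic permit intra-interface

! Pool from the original post (10.30.11.1-10.30.11.7 fits a /29).
ip local pool internetvpn1 10.30.11.1-10.30.11.7

! Assumed: translate the VPN pool when it hairpins back out of "outside".
! The trailing "outside" keyword enables NAT for sources arriving on that
! interface; without a translation the PIX has no path for the return
! traffic and logs 110001 "No route to <dst> from <pool address>".
nat (outside) 1 10.30.11.0 255.255.255.248 outside
global (outside) 1 interface
```

The 110001 messages in the first post are the symptom to watch for after any change here: as long as they keep appearing for addresses in the pool, the hairpin path is still not usable, regardless of what the client shows.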