Cisco Support Community
New Member

VPN client unable to access Internet via split tunneling.

I have split tunneling configured on a PIX 515. The remote VPN client connects to the PIX fine and can ping hosts on the internal LAN, but cannot access the Internet. Am I missing something? My config as per below.

Also, I don't see any secured routes on the VPN client via Statistics (screen shot below)

[Screenshot: Capture.JPG]

Any advice is much appreciated.

Rob

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

PIX Version 8.0(3)

!

hostname PIX-A-250

enable password xxxxx encrypted

names

!

interface Ethernet0

nameif outside

security-level 0

ip address x.x.x.250 255.255.255.240

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.9.1 255.255.255.0

!

passwd xxxxx encrypted

ftp mode passive

dns domain-lookup outside

dns server-group Ext_DNS

name-server 194.72.6.57

name-server 194.73.82.242

object-group network LOCAL_LAN

network-object 192.168.9.0 255.255.255.0

network-object 192.168.88.0 255.255.255.0

object-group service Internet_Services tcp

port-object eq www

port-object eq domain

port-object eq https

port-object eq ftp

port-object eq 8080

port-object eq telnet

object-group network WAN_Network

network-object 192.168.200.0 255.255.255.0

access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain log

access-list ACLOUT extended permit icmp object-group LOCAL_LAN any log

access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services log

access-list ACLIN extended permit icmp any any echo-reply log

access-list ACLIN extended permit icmp any any unreachable log

access-list ACLIN extended permit icmp any any time-exceeded log

access-list split_tunnel_list remark Local LAN

access-list split_tunnel_list standard permit 192.168.9.0 255.255.255.0

access-list NONAT extended permit ip object-group LOCAL_LAN 192.168.100.0 255.255.255.0

pager lines 24

logging enable

mtu outside 1500

mtu inside 1500

ip local pool testvpn 192.168.100.1-192.168.100.99

no failover  

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

access-group ACLIN in interface outside

access-group ACLOUT in interface inside

route outside 0.0.0.0 0.0.0.0 195.171.252.45 1

route inside 192.168.88.0 255.255.255.0 192.168.88.254 1

route inside 192.168.199.0 255.255.255.0 192.168.199.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set Set_1 esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 10 set transform-set Set_1

crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 280000

crypto dynamic-map outside_dyn_map 10 set reverse-route

crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha    

group 2     

lifetime 43200

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha    

group 2     

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

group-policy testvpn internal

group-policy testvpn attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

username testuser password xxxxxx encrypted

tunnel-group testvpn type remote-access

tunnel-group testvpn general-attributes

address-pool testvpn

default-group-policy testvpn

tunnel-group testvpn ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:5dcb5dcdff277e1765a9a0c366b88b9e

: end

PIX-A-250#

28 REPLIES
Cisco Employee

You have not assigned the split tunnel ACL to your policy.

Pls configure the following:

group-policy testvpn attributes

   split-tunnel-network-list value split_tunnel_list

New Member

Hi Jennifer,

Thank you for your reply. I must have missed the configuration. I could see the secure networks appear in the secured routes in the VPN client after inserting the missing line of config.

Thank you very much for spotting my mistake.

Regards,

Robert

Cisco Employee

No problem. Pls kindly mark the post as answered so others can learn from your question. Thank you.

New Member

Hi Jennifer,

I have added another network to the PIX and can see it as a secured route via the VPN client.

access-list split_tunnel_list standard permit 192.168.88.0 255.255.255.0

I can access the Internet fine, but can't ping anything on the 192.168.88.0 network when I VPN in.

Could you advise again please?

Many thanks.

Cisco Employee

Pls also add the NONAT access-list:

access-list NONAT extended permit ip 192.168.88.0 255.255.255.0 192.168.100.0 255.255.255.0

New Member

Hi Jennifer,

Thank you for your prompt response. I'm still not able to ping the local LAN 192.168.88.0 from my VPN client machine 192.168.100.1 with the access list added.

Any ideas?

Many thanks.

Cisco Employee

This route is also incorrect:

route inside 192.168.88.0 255.255.255.0 192.168.88.254 1

It should be routed towards the next hop in the same subnet as the ASA inside interface:

route inside 192.168.88.0 255.255.255.0 192.168.9.x

New Member

Hi Jennifer,

Sorry, but changing that route didn't work. Is there another reason?

Regards,

Rob

Cisco Employee

Can you share your latest config pls.

Also, where is this 192.168.88.0/24 subnet connected? Can you ping it from the ASA?

New Member

Hello Jennifer,

I can ping the 192.168.88.0/24 (host 88.3) from my PIX fine. The 88 subnet hangs off a 2950 switch. This is my diagram.

My configs are as follows. Please note I have left out the suggested lines of config from above as they had no effect.

Very much appreciate your time and effort with my issue.

Many thanks,

Rob

PIX A

PIX Version 8.0(3)

!

hostname PIX-A-250

enable password NBhgOL6eDYkO4RHk encrypted

names

!

interface Ethernet0

nameif outside

security-level 0

ip address x.x.x.250 255.255.255.240

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.9.1 255.255.255.0

!

passwd k85be8tPM1XyMs encrypted

ftp mode passive

dns domain-lookup outside

dns server-group Ext_DNS

name-server 194.72.6.57

name-server 194.73.82.242

object-group network LOCAL_LAN

network-object 192.168.9.0 255.255.255.0

network-object 192.168.88.0 255.255.255.0

object-group service Internet_Services tcp

port-object eq www

port-object eq domain

port-object eq https

port-object eq ftp

port-object eq 8080

port-object eq telnet

object-group network WAN_Network

network-object 192.168.200.0 255.255.255.0

access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain log

access-list ACLOUT extended permit icmp object-group LOCAL_LAN any log

access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services log

access-list ACLIN extended permit icmp any any echo-reply log

access-list ACLIN extended permit icmp any any unreachable log

access-list ACLIN extended permit icmp any any time-exceeded log

access-list split_tunnel_list remark Local LAN

access-list split_tunnel_list standard permit 192.168.9.0 255.255.255.0

access-list split_tunnel_list standard permit 192.168.88.0 255.255.255.0

access-list split_tunnel_list standard permit 192.168.200.0 255.255.255.0

access-list NONAT extended permit ip object-group LOCAL_LAN 192.168.100.0 255.255.255.0

pager lines 24

logging enable

mtu outside 1500

mtu inside 1500

ip local pool testvpn 192.168.100.1-192.168.100.99

no failover  

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

access-group ACLIN in interface outside

access-group ACLOUT in interface inside

route outside 0.0.0.0 0.0.0.0 x.x.252.45 1

route inside 192.168.88.0 255.255.255.0 192.168.88.254 1

route inside 192.168.199.0 255.255.255.0 192.168.199.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set Set_1 esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 10 set transform-set Set_1

crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 280000

crypto dynamic-map outside_dyn_map 10 set reverse-route

crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha    

group 2     

lifetime 43200

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha    

group 2     

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

group-policy testvpn internal

group-policy testvpn attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel_list

username robbie password mbztSskhuas90P encrypted

tunnel-group testvpn type remote-access

tunnel-group testvpn general-attributes

address-pool testvpn

default-group-policy testvpn

tunnel-group testvpn ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:5dcb5dcdff277e1765a9a0c366b88b9e

: end

3560_GW Gateway

test_gw01#sh run

Building configuration...

Current configuration : 2221 bytes

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname test_gw01

!

enable secret 5 $1$cOB4$UDjkhs&$FjQBe8/rc30

!

no aaa new-model

system mtu routing 1500

ip subnet-zero

ip routing

!

!

!

!

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

!        

vlan internal allocation policy ascending

!        

interface GigabitEthernet0/1

!        

interface GigabitEthernet0/2

description uplink to Cisco_PIX

switchport access vlan 9

!        

interface GigabitEthernet0/3

!        

interface GigabitEthernet0/4

!        

interface GigabitEthernet0/5

!        

interface GigabitEthernet0/6

!        

interface GigabitEthernet0/7

!        

interface GigabitEthernet0/8

!        

interface GigabitEthernet0/9

!        

interface GigabitEthernet0/10

!        

interface GigabitEthernet0/11

!        

interface GigabitEthernet0/12

!        

interface GigabitEthernet0/13

!

interface GigabitEthernet0/14

!

interface GigabitEthernet0/15

!

interface GigabitEthernet0/16

!

interface GigabitEthernet0/17

!

interface GigabitEthernet0/18

!

interface GigabitEthernet0/19

!

interface GigabitEthernet0/20

!

interface GigabitEthernet0/21

!

interface GigabitEthernet0/22

!

interface GigabitEthernet0/23

switchport access vlan 88

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/24

switchport access vlan 9

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet0/25

description trunk to 2950_SW_A port 1

switchport trunk encapsulation dot1q

!

interface GigabitEthernet0/26

!

interface GigabitEthernet0/27

description trunk to A_2950_112 port 1

switchport trunk encapsulation dot1q

shutdown

!

interface GigabitEthernet0/28

!

interface Vlan1

no ip address

shutdown

!        

interface Vlan9

  ip address 192.168.9.2 255.255.255.0

!

interface Vlan88

ip address 192.168.88.254 255.255.255.0

!

interface Vlan199

ip address 192.168.199.254 255.255.255.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.9.1

ip route 192.168.88.0 255.255.255.0 192.168.9.1

ip route 192.168.100.0 255.255.255.0 192.168.9.1

ip route 192.168.200.0 255.255.255.0 192.168.9.1

ip http server

!

!

control-plane

!

banner motd ^C This is a private network.^C

!

line con 0

line vty 0 4

login

line vty 5 15

login   

!        

end      

Cisco Employee

This route on the 3550 switch is incorrect and should be removed:

ip route 192.168.88.0 255.255.255.0 192.168.9.1

Once you have removed that route, can you please try to ping 192.168.88.254 from the VPN Client?

New Member

Hi Jennifer,

Not able to ping 192.168.88.254 after removing - ip route 192.168.88.0 255.255.255.0 192.168.9.1.

Rob

Cisco Employee

That is weird since 192.168.88.254 (Vlan 88) is a directly connected network on that switch, so you don't need a route for its own subnet.

Then on the ASA, you should configure the following route:

route inside 192.168.88.0 255.255.255.0 192.168.9.2 1

instead of:

route inside 192.168.88.0 255.255.255.0 192.168.88.254 1

New Member

Hi Jennifer,

I tried with route inside 192.168.88.0 255.255.255.0 192.168.9.2 1 previously, but the VPN client is still not able to ping the 192.168.88.3 client.

I appreciate your time, effort and patience with this problem.

Rob

Cisco Employee

You would need to configure the following:

1) On ASA:

route inside 192.168.88.0 255.255.255.0 192.168.9.2 1

2) On switch:

Remove:

ip route 192.168.88.0 255.255.255.0 192.168.9.1

3) Then from vpn client, try to ping 192.168.88.254

New Member

Hi Jennifer,

No change with the above lines.

Regards,

Rob

Silver

Hi Robert,

What's the status of Vlan interface 88 on switch 3550? Is it up/up? Can you ping its IP 192.168.88.254 from the PIX?

Can you paste the result of "tracert 192.168.88.254" from your PC when connected by VPN?

VPN client unable to access Internet via split tunneling.

Hi Robert,

Based on your posted configs:

1. Change on PIX:

route inside 192.168.88.0 255.255.255.0 192.168.9.2 1  --> switch Vlan interface IP.

route inside 192.168.199.0 255.255.255.0 192.168.9.2 1  --> switch Vlan interface IP.

2. Switch:

ip route 0.0.0.0 0.0.0.0 192.168.9.1 : correct

ip route 192.168.88.0 255.255.255.0 192.168.9.1 : Remove. No need; it is pointing traffic back to the PIX again.

ip route 192.168.100.0 255.255.255.0 192.168.9.1 : Correct

ip route 192.168.200.0 255.255.255.0 192.168.9.1 : Correct.

As all these Vlan are on the same switch, you do not need any routes.

Make sure all the Vlan interfaces are in up/up status.

Try it and let us know.

hth

MS

New Member

Hello MS,

I made the changes on the PIX and switch. I took out all the routes on the 3560 switch except ip route 0.0.0.0 0.0.0.0 192.168.9.1 and still not able to ping 192.168.88.254 or 88.3 when connected via the VPN client. I can confirm all the Vlans are up and up.

Many thanks for your help.

Regards,

Rob

New Member

Hi,

Vlan88 is up and up, and I can ping both 192.168.88.254 and 88.3 from the PIX fine. This is a tracert from the laptop when connected via VPN.

C:\>tracert 192.168.88.254

Tracing route to 192.168.88.254 over a maximum of 30 hops

  1     *        *        *     Request timed out.

  2     *        *        *     Request timed out.

  3     *        *        *     Request timed out.

  4     *        *        *     Request timed out.

  5     *        *        *     Request timed out.

  6     *        *        *     Request timed out.

  7     *        *        *     Request timed out.

  8     *        *        *     Request timed out.

  9     *        *        *     Request timed out.

10     *        *        *     Request timed out.

11     *        *        *     Request timed out.

12     *        *     ^C

Thanks,

Rob

Silver

Hi Rob,

How about a tracert to an internal host which you can ping? How is that tracert different?

Also paste "ipconfig /all" when you are connected via VPN.

Thanks,

New Member

Hi singhsaju,

I can't ping anything on the internal LAN from the VPN client.

The ipconfig /all output from the VPN machine is below.

Regards,

Rob

C:\>ipconfig/all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PC-Micro-007

   Primary Dns Suffix  . . . . . . . : zarlink.com

   Node Type . . . . . . . . . . . . : Hybrid

   IP Routing Enabled. . . . . . . . : No

   WINS Proxy Enabled. . . . . . . . : No

   DNS Suffix Search List. . . . . . : zarlink.com

                                       gateway.2wire.net

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Cisco Systems VPN Adapter for 64-bit Windows

   Physical Address. . . . . . . . . : 00-05-9A-3C-78-00

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

   Link-local IPv6 Address . . . . . : fe80::64cb:25b2:3b0e:2190%23(Preferred)

   IPv4 Address. . . . . . . . . . . : 192.168.100.1(Preferred)

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . :

   DHCPv6 IAID . . . . . . . . . . . : 587203994

   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-4F-F3-A6-D4-BE-D9-21-F9-93

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1

                                       fec0:0:0:ffff::2%1

                                       fec0:0:0:ffff::3%1

   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)

   Physical Address. . . . . . . . . : 9C-B7-0D-55-E9-A4

   DHCP Enabled. . . . . . . . . . . : Yes

   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : gateway.2wire.net

   Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205

   Physical Address. . . . . . . . . : 8C-70-5A-0F-C6-80

   DHCP Enabled. . . . . . . . . . . : Yes

   Autoconfiguration Enabled . . . . : Yes

   Link-local IPv6 Address . . . . . : fe80::95c4:f7ac:f0d2:fabc%13(Preferred)

   IPv4 Address. . . . . . . . . . . : 192.168.1.99(Preferred)

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Lease Obtained. . . . . . . . . . : 27 June 2012 14:38:28

   Lease Expires . . . . . . . . . . : 28 June 2012 14:38:27

   Default Gateway . . . . . . . . . : 192.168.1.254

   DHCP Server . . . . . . . . . . . : 192.168.1.254

   DHCPv6 IAID . . . . . . . . . . . : 344748122

   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-4F-F3-A6-D4-BE-D9-21-F9-93

   DNS Servers . . . . . . . . . . . : 192.168.1.254

   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{FAED1AAA-90D9-433B-ABDC-45B6B312C849}:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Microsoft ISATAP Adapter

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Microsoft 6to4 Adapter

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:102e:1f88:3f57:fe9c(Preferred)

   Link-local IPv6 Address . . . . . : fe80::102e:1f88:3f57:fe9c%12(Preferred)

   Default Gateway . . . . . . . . . : ::

   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.gateway.2wire.net:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . : gateway.2wire.net

   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{044050C7-0B86-4EE9-B6BD-3A711A635EA1}:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

Silver

Could you pls paste the latest config of ASA/PIX VPN headend? It seems to be a routing issue.

New Member

Hi Singhsaju,

The PIX config as requested below. It's configured for site-2-site as well as VPN.

Many thanks,

Rob

hostname PIX-A-250

enable password u18pNfr9.K1XyMs encrypted

names

!

interface Ethernet0

speed 100

duplex full

nameif outside

security-level 0

ip address x.x.x.250 255.255.255.240

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.9.1 255.255.255.0

!

passwd 2KFQ;lko89*cR.YOU encrypted

ftp mode passive

dns domain-lookup outside

dns server-group EXT_DNS

name-server 194.72.6.57

name-server 194.73.82.242

object-group network LOCAL_LAN

network-object 192.168.9.0 255.255.255.0

network-object 192.168.88.0 255.255.255.0

network-object 192.168.100.0 255.255.255.0

object-group service Internet_Services tcp

port-object eq www

port-object eq domain

port-object eq https

port-object eq ftp

port-object eq 8080

port-object eq telnet

object-group network WAN_Network

network-object 192.168.200.0 255.255.255.0

access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain log

access-list ACLOUT extended permit icmp object-group LOCAL_LAN any log

access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services log

access-list ACLIN extended permit icmp any any echo-reply log

access-list ACLIN extended permit icmp any any unreachable log

access-list ACLIN extended permit icmp any any time-exceeded log

access-list inside_nat0_outbound extended permit ip 192.168.9.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip object-group LOCAL_LAN object-group WAN_Network

access-list outside_cryptomap_20 extended permit ip 192.168.9.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list outside_cryptomap_20 extended permit ip object-group LOCAL_LAN object-group WAN_Network

access-list split_tunnel_list remark Local LAN

access-list split_tunnel_list standard permit 192.168.9.0 255.255.255.0

access-list split_tunnel_list standard permit 192.168.88.0 255.255.255.0

access-list split_tunnel_list standard permit 192.168.200.0 255.255.255.0

access-list NONAT extended permit ip object-group LOCAL_LAN 192.168.100.0 255.255.255.0

pager lines 24

logging enable

mtu outside 1500

mtu inside 1500

ip local pool testvpn 192.168.100.1-192.168.100.99

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/pdm

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

access-group ACLIN in interface outside

access-group ACLOUT in interface inside

route outside 0.0.0.0 0.0.0.0 195.171.252.45 1

route inside 192.168.88.0 255.255.255.0 192.168.9.2 1

route inside 192.168.199.0 255.255.255.0 192.168.9.2 1

route outside 192.168.200.0 255.255.255.0 192.168.9.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set Set_1 esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 10 set transform-set Set_1

crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 280000

crypto dynamic-map outside_dyn_map 10 set reverse-route

crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer x.x.x.253

crypto map outside_map 20 set transform-set ESP-AES-256-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

group-policy testvpn internal

group-policy testvpn attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel_list

username tester password j9078hjkgF90P encrypted

tunnel-group x.x.x.253 type ipsec-l2l

tunnel-group x.x.x.253 ipsec-attributes

pre-shared-key *

tunnel-group testvpn type remote-access

tunnel-group testvpn general-attributes

address-pool testvpn

default-group-policy testvpn

tunnel-group testvpn ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:e21fdd69da06ff27300190f22999610e

: end

Cisco Employee

You've changed your NAT exemption from the original config, that's why it's not working.

Pls add the following ACL:

access-list inside_nat0_outbound extended permit ip 192.168.88.0 255.255.255.0 192.168.100.0 255.255.255.0
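
To make this diagnosis repeatable, here is an added Python linter (not Cisco's tooling and not from this thread) that reads a PIX/ASA 8.0 config in the format posted above and reports the three faults the replies worked through: a tunnelspecified policy with no split-tunnel-network-list, a split-tunnel subnet behind the inside interface with no nat 0 exemption to the VPN pool (a nat id 2 policy-NAT line does not count), and a route inside whose next hop is not on the inside subnet. SAMPLE_CONFIG is a constructed excerpt of the posted configs; note the check is stricter than the accepted fix and also reports 192.168.9.0/24, which inside_nat0_outbound leaves without an exemption to the pool.

```python
"""Added linter (not Cisco tooling) for the thread's three faults: tunnelspecified with no network
list, an inside split-tunnel subnet with no nat 0 exemption to the VPN pool, a mis-pointed route."""
import ipaddress

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(text):
    cfg = {"ifaces": {}, "ogs": {}, "acls": {}, "pools": {}, "nat0": None, "routes": [], "gps": {}}
    og = iface = gp = None  # most recently opened parent object of each kind
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "nameif":  # 'ip address' follows nameif inside an interface block
            iface = cfg["ifaces"][t[1]] = {"net": None}
        elif t[:2] == ["ip", "address"] and iface is not None:
            iface["net"] = net(t[2], t[3])
        elif t[:2] == ["object-group", "network"]:
            og = cfg["ogs"].setdefault(t[2], [])
        elif t[0] == "network-object" and og is not None:
            og.append(net(t[1], t[2]))
        elif t[0] == "access-list":
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[:3] == ["ip", "local", "pool"]:
            cfg["pools"][t[3]] = tuple(map(ipaddress.ip_address, t[4].split("-")))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:  # only nat id 0 is exemption
            cfg["nat0"] = (t[1].strip("()"), t[4])
        elif t[0] == "route":
            cfg["routes"].append((t[1], net(t[2], t[3]), ipaddress.ip_address(t[4])))
        elif t[0] == "group-policy" and t[-1] == "attributes":
            gp = cfg["gps"].setdefault(t[1], {})
        elif t[0].startswith("split-tunnel-") and gp is not None:
            gp[t[0]] = t[-1]
    return cfg

def endpoints(cfg, tok):
    if tok[0] == "object-group":  # expand a named group; otherwise 'net mask'
        return cfg["ogs"].get(tok[1], []), tok[2:]
    return [net(tok[0], tok[1])], tok[2:]

def exempt_pairs(cfg):
    pairs = []  # (src, dst) network pairs the nat 0 ACL exempts from translation
    for e in (cfg["acls"].get(cfg["nat0"][1], []) if cfg["nat0"] else []):
        if e[:3] == ["extended", "permit", "ip"]:
            srcs, rest = endpoints(cfg, e[3:])
            dsts, _ = endpoints(cfg, rest)
            pairs += [(s, d) for s in srcs for d in dsts]
    return pairs

def check(cfg):
    findings, pairs = [], exempt_pairs(cfg)
    nat_if = cfg["nat0"][0] if cfg["nat0"] else None
    inside = [i["net"] for n, i in cfg["ifaces"].items() if n == nat_if and i["net"] is not None]
    inside += [dst for ifn, dst, _ in cfg["routes"] if ifn == nat_if]  # subnets behind nat 0 iface
    for name, gp in cfg["gps"].items():
        if gp.get("split-tunnel-policy") != "tunnelspecified":
            continue
        if "split-tunnel-network-list" not in gp:
            findings.append(f"group-policy {name}: tunnelspecified but no split-tunnel-network-list")
            continue
        entries = cfg["acls"].get(gp["split-tunnel-network-list"], [])
        for sn in [net(e[2], e[3]) for e in entries if e[:2] == ["standard", "permit"]]:
            if not any(i.supernet_of(sn) for i in inside):
                continue  # e.g. the L2L peer's LAN: not behind the inside interface
            for lo, hi in cfg["pools"].values():
                if not any(s.supernet_of(sn) and lo in d and hi in d for s, d in pairs):
                    findings.append(f"no nat 0 exemption for {sn} -> pool {lo}-{hi}")
    for ifn, dst, gw in cfg["routes"]:
        inet = cfg["ifaces"].get(ifn, {}).get("net")
        if inet is not None and gw not in inet:
            findings.append(f"route {ifn} {dst}: next hop {gw} is not on {inet}")
    return findings

# Constructed excerpt: the thread's final NAT/split-tunnel state plus the first config's bad route.
SAMPLE_CONFIG = """\
nameif inside
ip address 192.168.9.1 255.255.255.0
object-group network LOCAL_LAN
network-object 192.168.9.0 255.255.255.0
network-object 192.168.88.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group LOCAL_LAN 192.168.200.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.9.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.88.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.200.0 255.255.255.0
ip local pool testvpn 192.168.100.1-192.168.100.99
nat (inside) 0 access-list inside_nat0_outbound
route inside 192.168.88.0 255.255.255.0 192.168.88.254 1
group-policy testvpn attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
"""
FIX = "access-list inside_nat0_outbound extended permit ip 192.168.88.0 255.255.255.0 192.168.100.0 255.255.255.0\n"
if __name__ == "__main__": print(*check(parse(SAMPLE_CONFIG)), sep="\n")
```

Appending FIX (the accepted answer's line) to SAMPLE_CONFIG clears the 192.168.88.0/24 finding and leaves the other two.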

New Member

Hi Jennifer,

After adding the ACL it worked. Now the VPN client can ping the internal LAN. Many thanks for your time and effort helping with this issue.

Many thanks to Singhsaju and mvsheik123 for your input too. Just want to say what a great forum this is.

Best Regards,

Rob

VPN client unable to access Internet via split tunneling.

Robert - Thanks for the update and glad to hear that.

Jennifer - good catch on the ACL.

Thx

MS

Silver

Hi Robert,

Glad to know it's working now.

thanks

1758 Views, 0 Helpful, 28 Replies