Cisco 506e - remote-access vpn, split tunnel, client has no internet access.

I have searched this group and the internet but cannot seem to see anything wrong with my configuration (given below), yet clients connecting to the pix cannot go out to the internet.

The clients are using the Cisco VPN client, the connection is using "Enable transparent tunneling" - IPSec over UDP; also allowing local LAN access.

I am new to the whole pix, Cisco world - all of this configuration was done using the PDM - when I finally enabled split-tunneling the PDM told me that it had encountered a firewall config. command that it does not support - apparently it does not support multiple uses of an ACL - the ACL in question being "outside_cryptomap_dyn_20" which is being applied to both the outside interface for IPSec traffic selection and to the VPN client group for split tunneling.

I would really appreciate it if someone could go over my configuration and let me know what I am doing wrong.

Result of firewall command: "show running-config"

: Saved : PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100

fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list inside_outbound_nat0_acl permit ip any access-list outside_cryptomap_dyn_20 permit ip any pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside ip address inside ip audit info action alarm ip audit attack action alarm ip local pool BSIP

arp timeout 14400 global (outside) 10 interface nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 10 0 0 route outside 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225

1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside isakmp enable outside isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 vpngroup address-pool BSIP vpngroup dns-server vpngroup default-domain vpngroup split-tunnel outside_cryptomap_dyn_20 vpngroup idle-time 1800 vpngroup password ******** telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address inside dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside terminal width 80 : end

Thank you,


Reply to
Loading thread data ...

Hi this is way out my league, recently however configuring a cisco 2621xm i had to do a nonat route map

i deny the internal traffic to remote lan and then permit the internal traffic ip any any probably of no help but maybe others will suggest the right solution

h> I have searched this group and the internet but cannot seem to see

Reply to

You can't do that with PIX 4/5/6.

Create a new ACL that has the same contents as the other one, and designate the new one as the split tunnel ACL.

Do not use the same IP range for your LAN as you use for your VPN clients. Put your clients into a different (private) IP range, and make the appropriate adjustments to the nat 0 and crypto match ACLs. When you try to use the same IP range, you run into routing problems.

But with the 506E, your clients will never be able to come in to the PIX via VPN and hop back out to the Internet -- not unless you do some fancy things with VLANs and subneting your public address range. You can, as you hint, sort of deal with that by split tunnel, but then you have the problem that someone who has a trojan horse controlling one of your clients can get trusted access to your inner LAN by using the client host as a relay. Unless your clients are pretty secure and well anti-virused, you might as well just permit public access to your LAN if you are going to split tunnel. You may wish to consider establishing a proxy server.

Reply to
Walter Roberson

Thank you for helping.

I will implement your suggestions.

As for the split tunnel, it is a fight I am having with management - I'll just have to see how that goes.

I'm sure I'll have more questions along the way.

Thanks again,


Walter Robers> > >I have searched this group and the internet but cannot seem to see

Reply to
Rohan Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.