PIX 501 Split Tunnel?

Need to be able to split tunnel from a remote office using a 501.

Situation follows:

Core Site: PIX 535
Remote Site: PIX 501

IPSEC tunnel between core and remote is operational and stable.

core LAN (multiple subnets) can reach remote site and internet.

Remote LAN can reach core LAN, but not internet unless via proxy located on core LAN.

501 can ping all hosts, local and remote including internet. Same with 535, but as previously stated, 501 LAN clients can not access internet.

Did nothing special on 535 (core) site to enable split tunneling, so it seems strange that I would have to do that on the 501.

I'm fairly certain it's a NAT issue. Running a debug of the outside interface for traffic destined for the ISP gateway, internal hosts are not natted, but of course the PIX is showing its outside IP.

I'm NAT 0-ing the traffic between the remote site and core site so that servers at the core can reach out and touch clients on the 501.

Anyone have any ideas?

dm


DM,

Can you post portions of the config from the host and at least one of the client sites? Off hand I would agree with you that it sounds like a NAT issue. How granular are you being with your NAT-0 ACLs?

-Richard


Pretty granular. The remote site is on a private 10. net with a /25 mask, and the tunnel only allows them to get to a server farm on a different private net (with a /24 mask).

names
name 10.x.x.0 RemoteLAN
name 172.x.x.0 ServerFarm

access-list TunnelTraff permit ip RemoteLAN 255.255.255.128 ServerFarm 255.255.255.0
access-list TunnelTraff permit icmp RemoteLAN 255.255.255.128 ServerFarm 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list TunnelTraff
nat (inside) 1 0.0.0.0

dm

Based on what I see here, it looks good. I would change the "nat (inside) 1 0.0.0.0" to "nat (inside) 1 10.x.x.0 255.255.255.128"; but I'm not sure if that's what's causing your problem. Walter, any ideas?

-Richard


I can do that, but not sure why. If I'm natting everything with nat (inside) 1 0.0.0.0, wouldn't this just limit the scope?

dm

I generally try to be as granular as possible with Cisco configs; I've had problems before that were caused by being too permissive. As I said, I don't know if this will solve your problem or not, it was just something that was different from the way that I would do things.

-Richard
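The question DM raises above (does narrowing "nat (inside) 1" only limit the scope?) comes down to the order in which a PIX picks a translation: the nat 0 exemption ACL is consulted first, then the numbered nat statements. The script below is an added example, not anything posted in this thread or shipped by Cisco; it is a small Python model of that decision applied to the TunnelTraff ACL as posted, once with DM's "nat (inside) 1 0.0.0.0" and once with Richard's "nat (inside) 1 10.x.x.0 255.255.255.128". The thread masks the real prefixes as 10.x.x.0 and 172.x.x.0, so the addresses here (10.1.1.0/25, 172.16.1.0/24, an outside address of 203.0.113.10 and an internet host 198.51.100.7) are constructed placeholders.

```python
# Added example, not part of the original thread: a toy model of how a PIX 6.x
# picks a translation for inside->outside traffic, used to compare DM's
# "nat (inside) 1 0.0.0.0" with Richard's "nat (inside) 1 10.x.x.0 255.255.255.128".
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample addressing; the thread masks the real prefixes as 10.x.x.0 / 172.x.x.0.
REMOTE_LAN = ip_network("10.1.1.0/25")       # RemoteLAN (/25, as stated in the thread)
SERVER_FARM = ip_network("172.16.1.0/24")    # ServerFarm (/24, as stated in the thread)
OUTSIDE_IF = ip_address("203.0.113.10")      # hypothetical PIX 501 outside address


@dataclass(frozen=True)
class Ace:
    """One access-list entry: 'permit <proto> <src> <smask> <dst> <dmask>'."""
    proto: str          # "ip" matches every protocol, anything else matches exactly
    src: IPv4Network
    dst: IPv4Network

    def matches(self, proto: str, src: IPv4Address, dst: IPv4Address) -> bool:
        return (self.proto == "ip" or self.proto == proto) and src in self.src and dst in self.dst


# The TunnelTraff list as posted: a 'permit ip' entry followed by a 'permit icmp' entry.
TUNNEL_TRAFF = [Ace("ip", REMOTE_LAN, SERVER_FARM), Ace("icmp", REMOTE_LAN, SERVER_FARM)]


@dataclass(frozen=True)
class NatPolicy:
    exempt_acl: List[Ace]       # nat (inside) 0 access-list <acl>
    nat1_scope: IPv4Network     # nat (inside) 1 <network> <mask>
    global_ip: IPv4Address      # global (outside) 1 interface


def dm_policy() -> NatPolicy:
    """DM's posted config: every inside source falls into nat id 1."""
    return NatPolicy(TUNNEL_TRAFF, ip_network("0.0.0.0/0"), OUTSIDE_IF)


def richard_policy() -> NatPolicy:
    """Richard's suggestion: nat id 1 limited to the RemoteLAN /25."""
    return NatPolicy(TUNNEL_TRAFF, REMOTE_LAN, OUTSIDE_IF)


def classify(policy: NatPolicy, proto: str, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return (decision, source address seen on the outside) for one inside->outside flow.

    Order mirrors the PIX: the nat 0 ACL is consulted first, then the numbered nat ids;
    a source that matches no nat statement gets no translation and is not forwarded.
    """
    s, d = ip_address(src), ip_address(dst)
    for ace in policy.exempt_acl:
        if ace.matches(proto, s, d):
            return ("exempt", str(s))            # identity: packet enters the tunnel unchanged
    if s in policy.nat1_scope:
        return ("pat", str(policy.global_ip))    # PAT behind the outside interface address
    return ("no-translation", None)


if __name__ == "__main__":
    flows = [
        ("tcp", "10.1.1.10", "172.16.1.5"),     # remote client -> server farm
        ("icmp", "10.1.1.10", "172.16.1.5"),    # ping to the farm
        ("tcp", "10.1.1.10", "198.51.100.7"),   # remote client -> internet host (constructed)
        ("tcp", "10.1.1.200", "198.51.100.7"),  # source outside the /25 -> internet
    ]
    for name, pol in (("DM", dm_policy()), ("Richard", richard_policy())):
        for f in flows:
            print(name, f, "->", classify(pol, *f))
```

Two things fall out of running it. The internet-bound flow from a RemoteLAN host is PATed under both policies, which matches Richard's reading that the posted lines look right; the only difference is a source address outside the /25, which DM's version still translates and Richard's version leaves without a translation, so narrowing the statement does exactly what DM suspects, it limits scope. The second ACE in TunnelTraff (permit icmp) never decides anything, because the permit ip entry before it already covers ICMP between the same two networks.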
