vpn split tunneling - accessing internet problem

Discussion in 'Cisco' started by misiob, Jun 21, 2004.

  1. misiob

    misiob Guest

    Hello,

    I'm trying to configure VPN split tunneling. Now I have access to the
    central office network via a dial-up connection, but I can't browse
    internet sites.

    I use cisco secure vpn client ver 3.6.6(a) and C1750 as a vpn server.

    I have configured the VPN connection in the following way (the
    VPN-related config is below):

    access-list wyjscie_VPN permit ip 10.0.0.0 255.255.255.0 192.168.99.0
    255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list wyjscie_VPN
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 x.x.x.x

    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set ESP-3DES-MD5
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp client configuration address-pool local bigpool outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup vpn3000-all address-pool bigpool
    vpngroup vpn3000-all dns-server 194.204.169.9
    vpngroup vpn3000-all split-tunnel wyjscie_VPN
    vpngroup vpn3000-all idle-time 1800


    Could anyone tell me where the problem is?

    Thanks in advance
    Michal Borgul
    misiob, Jun 21, 2004
    #1

  2. misiob

    PES Guest

    "misiob" <> wrote in message
    news:...
    > Hello,
    >
    > I'm trying to configure VPN split tunneling. Now I have access to the
    > central office network via a dial-up connection, but I can't browse
    > internet sites.
    >


    Is the dial-up a corporate dial-up or an ISP? Or is this what you are
    calling the VPN connection?


    > I use cisco secure vpn client ver 3.6.6(a) and C1750 as a vpn server.



    >
    > I have configured the VPN connection in the following way (the
    > VPN-related config is below):
    >
    > access-list wyjscie_VPN permit ip 10.0.0.0 255.255.255.0 192.168.99.0
    > 255.255.255.0
    > global (outside) 1 interface
    > nat (inside) 0 access-list wyjscie_VPN
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > route outside 0.0.0.0 0.0.0.0 x.x.x.x
    >
    > sysopt connection permit-ipsec
    > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    > crypto dynamic-map dynmap 10 set transform-set ESP-3DES-MD5
    > crypto map mymap 10 ipsec-isakmp dynamic dynmap
    > crypto map mymap client configuration address initiate
    > crypto map mymap client configuration address respond
    > crypto map mymap interface outside
    > isakmp enable outside
    > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    > isakmp identity address
    > isakmp client configuration address-pool local bigpool outside
    > isakmp policy 20 authentication pre-share
    > isakmp policy 20 encryption 3des
    > isakmp policy 20 hash md5
    > isakmp policy 20 group 2
    > isakmp policy 20 lifetime 86400
    > vpngroup vpn3000-all address-pool bigpool
    > vpngroup vpn3000-all dns-server 194.204.169.9
    > vpngroup vpn3000-all split-tunnel wyjscie_VPN
    > vpngroup vpn3000-all idle-time 1800
    >
    >
    > Could anyone tell me where the problem is?
    >
    > Thanks in advance
    > Michal Borgul
    PES, Jun 21, 2004
    #2

  3. misiob

    misiob Guest

    > Is the dial-up a corporate dial-up or an ISP? Or is this what you are
    > calling the VPN connection?
    >
    > > I use cisco secure vpn client ver 3.6.6(a) and C1750 as a vpn server.


    It's a dial-up connection to the public network (ISP).
    There is a small mistake: of course the VPN tunnel is terminated on a PIX 515.
    misiob, Jun 21, 2004
    #3
  4. In article <>,
    misiob <> wrote:
    :I'm trying to configure vpn split-tunneling.

    :access-list wyjscie_VPN permit ip 10.0.0.0 255.255.255.0 192.168.99.0 255.255.255.0
    :global (outside) 1 interface
    :nat (inside) 0 access-list wyjscie_VPN

    You later use wyjscie_VPN in the split-tunnel. You should not use
    the same access-list in two different ways: the PIX sometimes had to
    adjust access-lists internally (e.g., for Adaptive Security) and you
    run into strange behaviours if the list is being used a second way.


    :crypto dynamic-map dynmap 10 set transform-set ESP-3DES-MD5
    :crypto map mymap 10 ipsec-isakmp dynamic dynmap
    :crypto map mymap client configuration address initiate
    :crypto map mymap client configuration address respond
    :crypto map mymap interface outside
    :isakmp enable outside
    :isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    :isakmp identity address
    :isakmp client configuration address-pool local bigpool outside

    You do not show us what the address pool bigpool is like, nor what your
    internal address range is, so we cannot tell whether you have the proper
    order for your ACL entries.
    --
    We don't need no side effect-ing
    We don't need no scope control
    No global variables for execution
    Hey! Did you leave those args alone? -- decvax!utzoo!utcsrgv!roderick
    Walter Roberson, Jun 21, 2004
    #4
  5. misiob

    misiob Guest

    >
    > :access-list wyjscie_VPN permit ip 10.0.0.0 255.255.255.0 192.168.99.0 255.255.255.0
    > :global (outside) 1 interface
    > :nat (inside) 0 access-list wyjscie_VPN
    >
    > You later use wyjscie_VPN in the split-tunnel. You should not use
    > the same access-list in two different ways: the PIX sometimes had to
    > adjust access-lists internally (e.g., for Adaptive Security) and you
    > run into strange behaviours if the list is being used a second way.
    >

    Hm...
    What exactly do you mean?
    Using that access-list and the split-tunnel command I define the traffic
    which should be transmitted to the central office via the VPN tunnel. Other
    traffic should be sent directly to the public network using the dial-up
    connection.

    The NAT configuration is there to ensure access to the private network
    (10.0.0.0) from the client station (the client obtains an address from the
    pool called bigpool).

    This config is based on Cisco documentation. Maybe there is a mistake, but
    I can't find it.


    > :isakmp identity address
    > :isakmp client configuration address-pool local bigpool outside
    >
    > You do not show us what the address pool bigpool is like, nor what your
    > internal address range is, so we cannot tell whether you have the proper
    > order for your ACL entries.


    Regarding address pool

    ip local pool bigpool 192.168.99.1-192.168.99.10

    Network 10.0.0.0 is my private network behind the pix firewall.


    Additionally...
    Below you can find all access-list configured on that pix:


    access-list out permit icmp any any
    access-list out permit tcp any any eq www
    access-list out permit tcp any any eq smtp
    access-list out permit tcp any any eq pop3
    access-list out permit udp any any eq domain
    access-list out permit tcp any any eq domain
    access-list out permit tcp any any eq https
    access-list out permit tcp any any eq citrix-ica
    access-list out permit udp any any eq 1604
    access-list out permit tcp any any eq ftp
    access-list out permit tcp any any eq 8081
    access-list out permit udp any any eq 8081
    access-list out permit tcp any any eq ftp-data
    access-list out permit tcp any any eq 8080
    access-list out permit udp any any eq 8080
    access-list out permit ip 10.0.0.0 255.255.255.0 192.168.99.0
    255.255.255.0
    access-list in permit icmp any any
    access-list in permit ip 192.168.99.0 255.255.255.0 10.0.0.0
    255.255.255.0
    access-list wyjscie_VPN permit ip 10.0.0.0 255.255.255.0 192.168.99.0
    255.255.255.0
    access-list wyjscie_VPN permit icmp 10.0.0.0 255.255.255.0
    192.168.99.0 255.255.255.0
    access-list wyjscie_VPN permit ip 10.0.0.0 255.255.255.0 192.168.101.0
    255.255.255.0
    access-list wyjscie_VPN permit udp 10.0.0.0 255.255.255.0 192.168.99.0
    255.255.255.0 eq 1604

    It really might be a problem with my access-lists.

    Michal
    misiob, Jun 22, 2004
    #5
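    The two checks Walter asks for above (whether one access-list is bound to
    both `nat 0` and the `vpngroup split-tunnel`, and whether the pool and the
    inside range line up with the ACL entries), plus the question Michal raises
    about which traffic the client will actually send through the tunnel, can
    be scripted against the posted config. The script below is an added
    example, not code from the original posts or from Cisco; PIX_CONFIG is
    rebuilt from the lines in this thread, SUGGESTED_FIX is the same policy
    with one ACL per feature using the assumed names nonat_VPN and split_VPN,
    and the ACE parser only understands "permit <proto> <net> <mask> <net>
    <mask> ..." and "any" (no "host" keyword). It is a linter, not a fix: the
    thread never establishes the root cause. Note the caveat that comes with
    split tunneling itself: any destination classified as "direct" below is
    reached by the client while it is also attached to the inside network.

```python
"""Lint a PIX 6.x remote-access VPN config for the points raised in this
thread: an access-list bound to both NAT exemption (nat 0) and the vpngroup
split-tunnel, which destinations the client sends through the tunnel, and
whether every address in the pool is covered by the nat 0 ACL.

Added example, not code from the original posts. PIX_CONFIG is rebuilt from
the lines Michal posted; SUGGESTED_FIX uses the assumed ACL names nonat_VPN
and split_VPN.
"""
import ipaddress
import re

PIX_CONFIG = """\
access-list wyjscie_VPN permit ip 10.0.0.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list wyjscie_VPN permit icmp 10.0.0.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list wyjscie_VPN permit ip 10.0.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list wyjscie_VPN permit udp 10.0.0.0 255.255.255.0 192.168.99.0 255.255.255.0 eq 1604
nat (inside) 0 access-list wyjscie_VPN
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
ip local pool bigpool 192.168.99.1-192.168.99.10
vpngroup vpn3000-all address-pool bigpool
vpngroup vpn3000-all split-tunnel wyjscie_VPN
"""

# Same policy, one ACL per feature (ACL names are assumptions, not from the thread).
SUGGESTED_FIX = """\
access-list nonat_VPN permit ip 10.0.0.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list split_VPN permit ip 10.0.0.0 255.255.255.0 192.168.99.0 255.255.255.0
nat (inside) 0 access-list nonat_VPN
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
ip local pool bigpool 192.168.99.1-192.168.99.10
vpngroup vpn3000-all address-pool bigpool
vpngroup vpn3000-all split-tunnel split_VPN
"""


def _take_net(tok):
    """Consume 'any' or '<addr> <mask>' from the front of a token list."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def parse_aces(cfg):
    """Return {acl_name: [(proto, src_net, dst_net), ...]} for permit ACEs."""
    acls = {}
    for line in cfg.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit":
            continue
        src, rest = _take_net(tok[4:])
        dst, _ = _take_net(rest)
        acls.setdefault(tok[1], []).append((tok[3], src, dst))
    return acls


def acl_bindings(cfg):
    """Map ACL name -> set of features that reference it."""
    uses = {}
    for line in cfg.splitlines():
        m = re.match(r"^nat \(\S+\) 0 access-list (\S+)", line)
        if m:
            uses.setdefault(m.group(1), set()).add("nat0")
        m = re.match(r"^vpngroup \S+ split-tunnel (\S+)", line)
        if m:
            uses.setdefault(m.group(1), set()).add("split-tunnel")
    return uses


def shared_acls(cfg):
    """Walter's warning: ACLs bound to more than one feature."""
    return sorted(n for n, u in acl_bindings(cfg).items() if len(u) > 1)


def secured_routes(cfg):
    """Networks the PIX pushes to the client from the split-tunnel ACL.
    Only the source (protected) side of each ACE is used; protocol and port
    are ignored, so the icmp and 'udp ... eq 1604' entries add nothing."""
    name = re.search(r"^vpngroup \S+ split-tunnel (\S+)", cfg, re.M).group(1)
    return sorted({src for _, src, _ in parse_aces(cfg)[name]})


def client_path(cfg, dst_ip):
    """'tunnel' if dst_ip lies in a secured route, else 'direct' via the ISP."""
    ip = ipaddress.ip_address(dst_ip)
    return "tunnel" if any(ip in n for n in secured_routes(cfg)) else "direct"


def pool_not_nat_exempt(cfg):
    """Pool addresses the inside network would reach through 'nat 1' (PAT to
    the outside interface) because no 'permit ip' ACE in the nat 0 ACL covers
    them. Returns [] when the whole pool is exempt."""
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M).group(1)
    aces = [(s, d) for p, s, d in parse_aces(cfg)[nat0] if p == "ip"]
    lo, hi = re.search(r"^ip local pool \S+ (\S+)-(\S+)", cfg, re.M).groups()
    missing, ip = [], ipaddress.ip_address(lo)
    while ip <= ipaddress.ip_address(hi):
        if not any(ip in d for _, d in aces):
            missing.append(str(ip))
        ip += 1
    return missing


if __name__ == "__main__":
    for label, cfg in (("posted", PIX_CONFIG), ("split ACLs", SUGGESTED_FIX)):
        print(f"[{label}] shared ACLs: {shared_acls(cfg)}")
        print(f"[{label}] secured routes: {[str(n) for n in secured_routes(cfg)]}")
        print(f"[{label}] pool not nat-exempt: {pool_not_nat_exempt(cfg)}")
    for dst in ("10.0.0.5", "194.204.169.9"):
        print(f"{dst}: {client_path(PIX_CONFIG, dst)}")
```

    Run as-is it reports wyjscie_VPN as bound to both features in the posted
    config and none in the split version, a single secured route of
    10.0.0.0/24 (so the pushed DNS server 194.204.169.9 goes direct, as does
    all other public traffic), and the full pool covered by the nat 0
    exemption.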
  6. (misiob) wrote in message news:<>...
    > >
    > > :access-list wyjscie_VPN permit ip 10.0.0.0 255.255.255.0 192.168.99.0 255.255.255.0
    > > :global (outside) 1 interface
    > > :nat (inside) 0 access-list wyjscie_VPN
    > >
    > > You later use wyjscie_VPN in the split-tunnel. You should not use
    > > the same access-list in two different ways: the PIX sometimes had to
    > > adjust access-lists internally (e.g., for Adaptive Security) and you
    > > run into strange behaviours if the list is being used a second way.
    > >

    > Hm...
    > What exactly do you mean?
    > Using that access-list and the split-tunnel command I define the traffic
    > which should be transmitted to the central office via the VPN tunnel. Other
    > traffic should be sent directly to the public network using the dial-up
    > connection.
    >
    > The NAT configuration is there to ensure access to the private network
    > (10.0.0.0) from the client station (the client obtains an address from the
    > pool called bigpool).
    >
    > This config is based on Cisco documentation. Maybe there is a mistake, but
    > I can't find it.
    >
    >
    > > :isakmp identity address
    > > :isakmp client configuration address-pool local bigpool outside
    > >
    > > You do not show us what the address pool bigpool is like, nor what your
    > > internal address range is, so we cannot tell whether you have the proper
    > > order for your ACL entries.

    >
    > Regarding address pool
    >
    > ip local pool bigpool 192.168.99.1-192.168.99.10
    >
    > Network 10.0.0.0 is my private network behind the pix firewall.
    >
    >
    > Additionally...
    > Below you can find all access-list configured on that pix:
    >
    >
    > access-list out permit icmp any any
    > access-list out permit tcp any any eq www
    > access-list out permit tcp any any eq smtp
    > access-list out permit tcp any any eq pop3
    > access-list out permit udp any any eq domain
    > access-list out permit tcp any any eq domain
    > access-list out permit tcp any any eq https
    > access-list out permit tcp any any eq citrix-ica
    > access-list out permit udp any any eq 1604
    > access-list out permit tcp any any eq ftp
    > access-list out permit tcp any any eq 8081
    > access-list out permit udp any any eq 8081
    > access-list out permit tcp any any eq ftp-data
    > access-list out permit tcp any any eq 8080
    > access-list out permit udp any any eq 8080
    > access-list out permit ip 10.0.0.0 255.255.255.0 192.168.99.0
    > 255.255.255.0
    > access-list in permit icmp any any
    > access-list in permit ip 192.168.99.0 255.255.255.0 10.0.0.0
    > 255.255.255.0
    > access-list wyjscie_VPN permit ip 10.0.0.0 255.255.255.0 192.168.99.0
    > 255.255.255.0
    > access-list wyjscie_VPN permit icmp 10.0.0.0 255.255.255.0
    > 192.168.99.0 255.255.255.0
    > access-list wyjscie_VPN permit ip 10.0.0.0 255.255.255.0 192.168.101.0
    > 255.255.255.0
    > access-list wyjscie_VPN permit udp 10.0.0.0 255.255.255.0 192.168.99.0
    > 255.255.255.0 eq 1604
    >
    > It really might be a problem with my access-lists.
    >
    > Michal


    Michal,

    If it is of any help, we are using a 1710 as a VPN server (for
    proof-of-concept) and split tunneling works fine. The config looks
    like this:

    <SNIP>
    !
    aaa new-model
    !
    !
    aaa authorization network vpn-clientgroup local
    aaa session-id common
    !
    <SNIP>
    !
    ip subnet-zero
    !
    !
    no ip domain-lookup
    !
    ip audit notify log
    ip audit po max-events 100
    ip ssh time-out 120
    ip ssh authentication-retries 3
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration address-pool local dynpool
    !
    crypto isakmp client configuration group vpn-clientgroup
    key *REMOVED*
    pool dynpool
    acl 111
    !
    !
    crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 1
    set transform-set transform-1
    !
    !
    crypto map dynmap isakmp authorization list vpn-clientgroup
    crypto map dynmap client configuration address respond
    crypto map dynmap 1 ipsec-isakmp dynamic dynmap
    !
    !
    !
    !
    interface Loopback0
    description Management Loopback address
    ip address *REMOVED*
    !
    interface Ethernet0
    ip address *PUBLIC ADDRESS REMOVED*
    half-duplex
    crypto map dynmap
    !
    interface FastEthernet0
    ip address *PRIVATE ADDRESS REMOVED*
    speed 100
    !
    ip local pool dynpool *ADDRESS RANGE REMOVED*
    ip default-gateway *PUBLIC ADDRESS REMOVED*
    ip classless
    ip route 0.0.0.0 0.0.0.0 *PUBLIC ADDRESS REMOVED*
    ip route 10.0.0.0 255.0.0.0 *PRIVATE ADDRESS REMOVED*
    ip route *REMOVED*
    no ip http server
    ip pim bidir-enable
    !
    !
    logging trap debugging
    logging source-interface FastEthernet0
    logging *REMOVED*
    access-list 111 permit ip *REMOVED* *POOL ADDRESS RANGE REMOVED*
    access-list 111 permit ip *REMOVED* *POOL ADDRESS RANGE REMOVED*
    no cdp run
    !
    <SNIP>

    There is no PIX involved in our set-up though.

    Pete
    Pete Mainwaring, Jun 23, 2004
    #6
