PIX 501 Split Tunnel?
Posted by DM on April 26th, 2005


Need to be able to split tunnel from a remote office using a 501.

Situation follows:

Core Site: PIX 535
Remote Site: PIX 501

IPSEC tunnel between core and remote is operational and stable.

core LAN (multiple subnets) can reach remote site and internet.

Remote LAN can reach core LAN, but not internet unless via proxy
located on core LAN.

501 can ping all hosts, local and remote including internet. Same with
535, but as previously stated, 501 LAN clients cannot access internet.

Did nothing special on 535 (core) site to enable split tunneling, so it
seems strange that I would have to do that on the 501.

I'm fairly certain it's a NAT issue. Running a debug of the outside
interface for traffic destined for the ISP gateway, internal hosts are
not natted, but of course the PIX is showing its outside IP.

I'm NAT 0-ing the traffic between the remote site and core site so that
servers at the core can reach out and touch clients on the 501.

Anyone have any ideas?

dm

Posted by Richard Graves on April 27th, 2005


"DM" <daniel.a.murray@amsec.COM> wrote in message
news:1114544216.534170.4740@g14g2000cwa.googlegroups.com...
DM,

Can you post portions of the config from the host and at least one of the
client sites? Off hand I would agree with you that it sounds like a NAT
issue. How granular are you being with your NAT-0 ACLs?

-Richard



Posted by DM on April 27th, 2005


Pretty granular. The remote site is on a private 10. net with a /25
mask, and the tunnel only allows them to get to a server farm on a
different private net (with a /24 mask).

names
name 10.x.x.0 RemoteLAN
name 172.x.x.0 ServerFarm

access-list TunnelTraff permit ip RemoteLAN 255.255.255.128 ServerFarm 255.255.255.0
access-list TunnelTraff permit icmp RemoteLAN 255.255.255.128 ServerFarm 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list TunnelTraff
nat (inside) 1 0.0.0.0

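As an added example (not part of the thread or of any Cisco code), a small Python model of the order in which a PIX 6.x applies the nat statements posted above: the nat 0 access-list (NAT exemption) is checked first, and the numbered nat/global PAT pair only afterwards. The 10.0.0.0/25 and 172.16.1.0/24 addresses are constructed stand-ins for the x'ed-out networks, and the nat1_net parameter lets you compare the posted 0.0.0.0 scope with the narrower one Richard suggests.

```python
# Added example: simplified model of PIX 6.x NAT ordering for an inside host.
# nat 0 with an access-list (exemption) wins over any numbered nat statement;
# a numbered nat only applies when no exemption ACE matched.
import ipaddress

# Constructed placeholders for the redacted "name" entries in the post.
NAMES = {"RemoteLAN": "10.0.0.0", "ServerFarm": "172.16.1.0"}

# access-list TunnelTraff as posted: (protocol, src, src mask, dst, dst mask).
# The icmp ACE is redundant under the ip ACE, exactly as in the posted config.
TUNNEL_TRAFF = [
    ("ip",   "RemoteLAN", "255.255.255.128", "ServerFarm", "255.255.255.0"),
    ("icmp", "RemoteLAN", "255.255.255.128", "ServerFarm", "255.255.255.0"),
]

def net(name_or_ip, mask):
    """Resolve a `name` entry and build a network from a PIX-style dotted mask."""
    return ipaddress.ip_network(f"{NAMES.get(name_or_ip, name_or_ip)}/{mask}")

def ace_matches(ace, proto, src, dst):
    """True if one access-list entry covers this src/dst/protocol triple."""
    p, s, sm, d, dm = ace
    if p != "ip" and p != proto:
        return False
    return (ipaddress.ip_address(src) in net(s, sm)
            and ipaddress.ip_address(dst) in net(d, dm))

def nat_decision(src, dst, proto="tcp", nat1_net="0.0.0.0/0"):
    """Return the translation the PIX would pick for src -> dst.

    Order modelled: 'nat (inside) 0 access-list TunnelTraff' first, then
    'nat (inside) 1 <nat1_net>' paired with 'global (outside) 1 interface'.
    nat1_net="0.0.0.0/0" is the posted config; "10.0.0.0/255.255.255.128"
    is the narrower scope suggested in the reply.
    """
    if any(ace_matches(ace, proto, src, dst) for ace in TUNNEL_TRAFF):
        return "nat 0: no translation, eligible for the IPsec tunnel"
    if ipaddress.ip_address(src) in ipaddress.ip_network(nat1_net):
        return "nat 1: PAT to the outside interface address"
    return "no nat rule: packet is not translated and is dropped"

if __name__ == "__main__":
    for dst in ("172.16.1.10", "198.51.100.7"):
        print("10.0.0.20 ->", dst, ":", nat_decision("10.0.0.20", dst))
    # A host outside the /25 only gets PAT under the broad 0.0.0.0 scope.
    print(nat_decision("10.0.0.200", "198.51.100.7",
                       nat1_net="10.0.0.0/255.255.255.128"))
```

The model shows why the narrower nat 1 scope does not change anything for hosts inside the /25 (tunnel traffic is exempted first, internet traffic is still PATed) and only affects hosts outside it, which is the scope limitation DM asks about below.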
Posted by Richard Graves on April 27th, 2005


"DM" <daniel.a.murray@amsec.COM> wrote in message
news:1114601495.939341.208780@o13g2000cwo.googlegroups.com...
Based on what I see here, it looks good. I would change the "nat (inside) 1
0.0.0.0" to "nat (inside) 1 10.x.x.0 255.255.255.128"; but I'm not sure if
that's what's causing your problem. Walter, any ideas?

-Richard



Posted by DM on April 28th, 2005


I can do that, but not sure why. If I'm natting everything with nat
(inside) 1 0.0.0.0, wouldn't this just limit the scope?

Posted by Richard Graves on April 28th, 2005


"DM" <daniel.a.murray@amsec.COM> wrote in message
news:1114712362.750793.172400@g14g2000cwa.googlegroups.com...
I generally try to be as granular as possible with Cisco configs; I've had
problems before that were caused by being too permissive. As I said, I don't
know if this will solve your problem or not, it was just something that
was different from the way that I would do things.

-Richard
