[c-nsp] VPN (hopefully quick) question... split vs nosplit tunnel

Jeff Kell jeff-kell at utc.edu
Fri May 14 17:32:01 EDT 2010


I have an old PIX 515E that has been serving as a VPN endpoint for more
years than I can remember, but bottom line is I haven't touched the
config in ages.

All of the configured VPN groups are split-tunnel configurations,
bringing only selected internal networks in from the client.

I'm trying to set up a new profile without split-tunnel configured, so
that all traffic goes through the tunnel (and thus encrypted, for those
WiFi / cleartext wireless cases).

I think everything is up and working, authentication is good, tunnel
setup on client is good, a default gateway to the tunnel is set in the
client, inside traffic works as expected.

But no internet traffic.  I would have "expected" it to come in, bounce
back out through NAT on the way outside, and all would be well.  But
such is not the case.

The VPN pool addresses appear marked on the "outside:" interface, and
despite a default route that points to the upstream border router, I'm
getting:

   110001: No route to <the.outside.ip.address> from
<the-tunnel-pool-address>

What is the missing "glue" to let the traffic pass outside?  Or am I
missing something else entirely?

Jeff


vpngroup no_split_tunnel address-pool VPN_NETADMIN2
vpngroup no_split_tunnel dns-server ns1 ns2
vpngroup no_split_tunnel default-domain utc.edu
vpngroup no_split_tunnel idle-time 1800
vpngroup no_split_tunnel password ********

Other VPN groups have:

vpngroup split_group split-tunnel split-tunnel-routes-ACL
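
As an added example (not part of the post above, nor a reply from the list), the configuration that lets VPN client traffic come in on "outside" and leave again on "outside" through PAT. It assumes the PIX is running 7.x (or ASA) software: the vpngroup syntax shown on the page is 6.x, and 6.x software does not forward a packet back out the interface it arrived on, so on 6.x the hairpin in the post cannot be made to work without an upgrade. The pool range 192.168.200.0/24 and the NAT id 1 are placeholders; the pool name VPN_NETADMIN2 is the one from the post.

```cisco
! Added example in PIX 7.x / ASA syntax; assumed values marked below.
!
! Assumed address pool for the no-split-tunnel group (placeholder range).
ip local pool VPN_NETADMIN2 192.168.200.1-192.168.200.254 mask 255.255.255.0
!
! Allow a decrypted packet that arrived on "outside" to be routed back out
! "outside". Without this the appliance refuses the same-interface hairpin.
same-security-traffic permit intra-interface
!
! Translate the pool to the outside interface address on the way back out,
! the same way inside hosts are translated. The existing "nat (inside) ..."
! rules do not cover traffic that entered on "outside", so the pool needs
! its own rule keyed to that interface.
nat (outside) 1 192.168.200.0 255.255.255.0
global (outside) 1 interface
!
! The pool must not overlap any inside network or any existing NAT range.
! Check the result with "show nat" and "show xlate" while a client browses.
```

Because the VPN pool is reached through the tunnel rather than through a routed next hop, no static route for the pool is needed; what is missing in the posted setup is permission for the same-interface turnaround and a translation that applies to traffic entering on "outside".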

