Cisco VPN Client cannot access local LAN

I have a Cisco PIX 515 firewall on which I am attempting to configure IPSEC VPN remote access, but I cannot seem to get the VPN client configured the way I need. The PIX 515 is using IOS version 7.0(1)3. The VPN client is Windows 2000/XP with Cisco VPN client version 4.6.03.0021.

What the remote VPN client is not doing is that once it connects to the PIX it can no longer see the local network it connected from. It can see everything behind the PIX, just not its local network. There are network printers that I need access to but can no longer ping when connected to the VPN.

The Windows VPN client has a local network of 192.168.0.*. When it connects to the VPN the PIX gives it an IP of 10.2.2.* and it is able to see the inside PIX network of 192.168.100.*. However, I can no longer access the 192.168.0.* network so I cannot print on its network printers.

I have attempted to configure split tunnels on the PIX.  I have also checked 'Allow Local LAN access' under 'Transport' on the VPN client.  However, none of this works.

For the most part, I have configured the PIX VPN using the VPN wizard with the ASDM tool.  Here is my PIX configuration:

PIX Version 7.0(1)3
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 64.12.226.84 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.100.7 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 10
 ip address 10.1.1.88 255.255.255.0
!
enable password fgo6FffkKX41Lju encrypted
passwd f8o6F.Wfkby41Ljf encrypted
hostname pix1
domain-name pci.net
boot system flash:/pix701-3.bin
ftp mode passive
access-list NoNat extended permit ip 192.168.100.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list inbound extended permit icmp any host 64.12.226.82
access-list inbound extended permit tcp any host 64.12.226.82 eq www
access-list inbound extended permit tcp any host 64.12.226.82 eq https
access-list outside_cryptomap_dyn_20 extended permit ip any 10.2.2.0 255.255.255.0
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap debugging
logging history debugging
logging host inside 192.168.100.83
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool RemoteUsers 10.2.2.1-10.2.2.254
monitor-interface outside
monitor-interface inside
monitor-interface dmz
asdm image flash:/asdm-501.bin
asdm location 192.168.100.60 255.255.255.255 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 64.12.226.85
global (dmz) 1 10.1.1.85
nat (inside) 0 access-list NoNat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 10.1.1.83 192.168.100.83 netmask 255.255.255.255 tcp 200 400
static (inside,dmz) 10.1.1.60 192.168.100.60 netmask 255.255.255.255 tcp 200 400
static (dmz,outside) 64.12.226.82 10.1.1.82 netmask 255.255.255.255 tcp 200 400
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 64.12.226.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
group-policy RemoteUsers internal
group-policy RemoteUsers attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
username djprice password JneZbZudRoFlZcvo encrypted
http server enable
http 192.168.100.60 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5 ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity auto
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
isakmp ipsec-over-tcp port 10000
telnet 192.168.100.60 255.255.255.255 inside
telnet 192.168.100.83 255.255.255.255 inside
telnet timeout 30
ssh timeout 5
ssh version 1
console timeout 0
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
 address-pool (outside) RemoteUsers
tunnel-group RemoteUsers type ipsec-ra
tunnel-group RemoteUsers general-attributes
 address-pool RemoteUsers
tunnel-group RemoteUsers ipsec-attributes
 pre-shared-key abc
tunnel-group-map default-group RemoteUsers
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
tftp-server inside 192.168.100.83 /pix1.conf
Cryptochecksum:4ce77bcf16d77b581e8884ac0288a523
: end
djpriceAtlAsked:

lrmooreCommented:
Quick question -
Do all the internal hosts that you want to access point their default gateway to this PIX? .7?
If not, whatever they do point to - does it have a route for the 10.2.2.0 subnet that does point to the PIX .7?

What version client? What OS on the client PC? I highly recommend update to 4.6.3 client if using XP/SP2

lrmooreCommented:
D'oh! disregard last statement. I read the Q, it just didn't register....

lrmooreCommented:
Let's change the split-tunnel acl
from:
 >access-list split_tunnel standard permit 192.168.100.0 255.255.255.0

to:
access-list split_tunnel extended permit 192.168.100.0 255.255.255.0 10.2.2.0 255.255.255.0
 
You  might also try adding

isakmp nat-traversal 20

and/or change the
>ipsec-udp disable
to
ipsec-udp enable


djpriceAtlAuthor Commented:
I tried to change the access-list split_tunnel but it would not allow for an extended access-list.

This is how I tried:
pix(config)# group-policy RemoteUsers attributes
pix(config-group-policy)# split-tunnel-network-list value split_tunnel   <== this failed, it said the access-list cannot be extended?
Is it possible to create an access-list to include 2 networks that is standard and not extended?  
lrmooreCommented:
OK.
Seems to be quirk of new 7.0.
Just to verify - the remote client's local LAN is not also 192.168.100.x is it?

Let's try this:
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
access-list split_tunnel standard permit 10.2.2.0 255.255.255.0

====================================================
split-tunnel-policy {tunnelall | tunnelspecified | excludespecified}

"excludespecified
 Defines a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN Client. "
=====================================================

Given that, we might try as an experiment:

access-list split_test standard permit 192.168.0.0 255.255.0.0
split-tunnel-policy excludespecified
split-tunnel-network-list value split_test
djpriceAtlAuthor Commented:
No, the remote client's address is 192.168.0.* - the inside PIX address is 192.168.100.*.

I made a few changes and it seems to work now.  However, I am not sure if I like this configuration as is now.

Here is what I did:
- I removed the group-policy for RemoteUsers.
- I modified the group-policy attributes for DfltGrpPolicy:
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value split_tunnel
   ipsec-udp enable
- I left the access-list split_tunnel as it was as standard.

For some reason, when the VPN client was connecting as 'RemoteUsers' it was not picking up the group-policy split-tunnel for RemoteUsers. It appears it was always picking up the group-policy for DfltGrpPolicy. Maybe I had a configuration error elsewhere or maybe this is by design. As it is now, all groups I configure for VPN access will have the split-tunnel-policy - I guess this is not really a big problem, is it? Is there a security concern with this since it appears that the connected VPN client's network is now accessible, including any internet access?
lrmooreCommented:
>  ipsec-udp enable
I think that this is the entry that made it work. I would try using the RemoteUsers policy again with that still in the dfltgrp policy..
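The thread above turns on what the three split-tunnel-policy values (tunnelall, tunnelspecified, excludespecified) do to traffic from the client, and on the excludespecified experiment with a 192.168.0.0/16 list. The following Python is an added example, not code from the thread or from Cisco: it parses PIX standard access-list lines of the shape used in the posts, models which destinations enter the tunnel under each policy, and checks whether any part of the inside network would bypass the tunnel. The ACL lines are constructed from the ones proposed above; the destination addresses (an inside host, a printer on the client LAN, and 203.0.113.10 from the documentation range as a stand-in for an internet host) and the function names are my own choices.

```python
"""Added example: model PIX split-tunnel-policy semantics for the networks in this thread."""
import ipaddress

# Constructed sample lines, following the ACLs proposed in the thread.
ACL_LINES = """
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
access-list split_tunnel standard permit 10.2.2.0 255.255.255.0
access-list split_test standard permit 192.168.0.0 255.255.0.0
""".strip().splitlines()

# Constructed destinations: a host behind the PIX, a printer on the client's
# own 192.168.0.0/24 LAN, and a documentation-range address standing in for
# an internet host.
SAMPLE_DESTINATIONS = {
    "inside host": "192.168.100.83",
    "local printer": "192.168.0.20",
    "internet host": "203.0.113.10",
}


def parse_standard_acl(lines, name):
    """Collect the networks permitted by a PIX *standard* ACL with this name.

    Standard ACL entries carry a network and a subnet mask (not a wildcard
    mask), which ipaddress accepts directly as "net/mask". Entries of other
    ACLs and deny entries are ignored: a split-tunnel list is built from the
    permitted networks only.
    """
    nets = []
    for line in lines:
        parts = line.split()
        if (len(parts) == 6 and parts[0] == "access-list" and parts[1] == name
                and parts[2] == "standard" and parts[3] == "permit"):
            nets.append(ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False))
    return nets


def is_tunneled(policy, network_list, destination):
    """Decide whether traffic to `destination` enters the IPsec tunnel.

    tunnelall        - everything is tunneled (the DfltGrpPolicy value on the page)
    tunnelspecified  - only destinations inside a listed network are tunneled
    excludespecified - listed networks go in the clear, everything else is tunneled
    """
    dst = ipaddress.ip_address(destination)
    listed = any(dst in net for net in network_list)
    if policy == "tunnelall":
        return True
    if policy == "tunnelspecified":
        return listed
    if policy == "excludespecified":
        return not listed
    raise ValueError(f"unknown split-tunnel-policy: {policy}")


def classify(policy, network_list, destinations=SAMPLE_DESTINATIONS):
    """Map each labelled destination to 'tunnel' or 'clear' under the policy."""
    return {label: ("tunnel" if is_tunneled(policy, network_list, ip) else "clear")
            for label, ip in destinations.items()}


def corporate_in_clear(policy, network_list, corporate_net="192.168.100.0/24"):
    """True if any part of the corporate network would bypass the tunnel.

    Worth running before trusting an excludespecified list: an exclude prefix
    broader than the client's LAN can also cover the inside network, and a
    tunnelspecified list that misses part of the inside network leaves that
    part unreachable through the VPN.
    """
    net = ipaddress.ip_network(corporate_net)
    if policy == "tunnelall":
        return False
    if policy == "tunnelspecified":
        return not any(net.subnet_of(n) for n in network_list)
    if policy == "excludespecified":
        return any(net.overlaps(n) for n in network_list)
    raise ValueError(f"unknown split-tunnel-policy: {policy}")


if __name__ == "__main__":
    tunnel_list = parse_standard_acl(ACL_LINES, "split_tunnel")
    exclude_list = parse_standard_acl(ACL_LINES, "split_test")
    for policy, nets in (("tunnelall", []),
                         ("tunnelspecified", tunnel_list),
                         ("excludespecified", exclude_list)):
        print(f"{policy:17} {classify(policy, nets)}  "
              f"corporate-in-clear={corporate_in_clear(policy, nets)}")
```

Running it shows the two points the thread circles around. With tunnelspecified and the split_tunnel list, the inside host is tunneled while the local printer and the internet host are reached in the clear, which is the local-LAN access the question asks for and also the exposure the last question in the thread raises: the client is on its own LAN and the corporate network at the same time. With the excludespecified experiment as written, 192.168.0.0/16 also contains 192.168.100.0/24, so corporate_in_clear reports True and inside hosts would be sent outside the tunnel; the exclude list would have to be narrowed to the client's actual 192.168.0.0/24 LAN for that policy to do what was intended.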
