How to set up split-tunnel on Cisco PIX
To set up a VPN for Cisco VPN clients on a Cisco PIX with split tunnelling, add the following configuration. The access-list defines which traffic is sent through the tunnel, the pool supplies the client addresses, and the vpngroup lines tie the ACL and pool to the client group:
access-list split permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
ip local pool bigpool 192.168.1.1-192.168.1.254
vpngroup vpn3000 address-pool bigpool
vpngroup vpn3000 dns-server yourdns
vpngroup vpn3000 wins-server yourwins
vpngroup vpn3000 default-domain cisco.com
vpngroup vpn3000 split-tunnel split
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
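The split-tunnel ACL above is the policy that decides what leaves the client through the tunnel, so it is worth checking that it covers only the subnets you intend and that the client pool actually matches the ACL's destination side. The following is an added example, not Cisco's or the page author's code: a small Python parser for the `access-list ... permit ip`, `ip local pool` and `vpngroup` lines shown above, plus an audit that lists the tunnelled networks and flags an `any` entry (which turns split tunnelling into a full tunnel) or a pool that falls outside the ACL's destination network. The second protected subnet (172.16.5.0/24) in the sample is constructed for illustration and is not from the page.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the ACL, pool and vpngroup lines from the page, plus a
# second protected subnet (172.16.5.0/24) added here for illustration only.
SAMPLE_CONFIG = """
access-list split permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list split permit ip 172.16.5.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool bigpool 192.168.1.1-192.168.1.254
vpngroup vpn3000 address-pool bigpool
vpngroup vpn3000 split-tunnel split
"""


@dataclass
class AclEntry:
    name: str
    protected: ipaddress.IPv4Network  # source side: network reached via the tunnel
    clients: ipaddress.IPv4Network    # destination side: the VPN client pool


@dataclass
class SplitTunnelConfig:
    acl: list = field(default_factory=list)
    pools: dict = field(default_factory=dict)       # pool name -> (first, last)
    split_acl: dict = field(default_factory=dict)   # vpngroup -> ACL name
    group_pool: dict = field(default_factory=dict)  # vpngroup -> pool name


def _take_net(tokens):
    """Consume one PIX network spec ('any' or 'address mask') from tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_config(text):
    """Parse the subset of PIX config lines used for split tunnelling."""
    cfg = SplitTunnelConfig()
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _take_net(t[4:])
            dst, _ = _take_net(rest)
            cfg.acl.append(AclEntry(t[1], src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            cfg.pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "vpngroup" and len(t) >= 4 and t[2] == "split-tunnel":
            cfg.split_acl[t[1]] = t[3]
        elif t[0] == "vpngroup" and len(t) >= 4 and t[2] == "address-pool":
            cfg.group_pool[t[1]] = t[3]
    return cfg


def audit(cfg):
    """Return ({vpngroup: [tunnelled networks]}, [findings])."""
    tunnelled, findings = {}, []
    for group, acl_name in cfg.split_acl.items():
        entries = [e for e in cfg.acl if e.name == acl_name]
        if not entries:
            findings.append(f"{group}: split-tunnel ACL '{acl_name}' has no entries")
            continue
        pool = cfg.pools.get(cfg.group_pool.get(group))
        nets = []
        for e in entries:
            if e.protected.prefixlen == 0:
                findings.append(f"{group}: ACL '{acl_name}' permits 'any', "
                                "so all client traffic goes through the tunnel")
            if pool and not (pool[0] in e.clients and pool[1] in e.clients):
                findings.append(f"{group}: pool {pool[0]}-{pool[1]} is outside "
                                f"ACL destination {e.clients}")
            nets.append(e.protected)
        tunnelled[group] = nets
    return tunnelled, findings


if __name__ == "__main__":
    nets, problems = audit(parse_config(SAMPLE_CONFIG))
    for group, n in nets.items():
        print(group, "tunnels:", ", ".join(map(str, n)))
    print("findings:", problems or "none")
```

With the sample config the audit reports that group vpn3000 tunnels 10.1.0.0/16 and 172.16.5.0/24 and raises no findings; replacing a protected network with `any`, or pointing the group at a pool outside 192.168.1.0/24, produces a finding for each affected entry.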
How to stop other requests from flowing through the VPN
Q: I just set up VPN on my Windows server for my clients to VPN into my
network. The one issue I'm noticing is that all their DNS requests flow
through the VPN. How can I set it up so that only the subnets that I
control are routed through the VPN?
A: Uncheck "Use Gateway on remote network" on the VPN client.
Symptoms: After a remote client establishes a connection to an RRAS server
that is installed on a domain controller running DNS, one or more of the
following symptoms may occur:
1) Internal clients may no longer be able to
browse the Web through Internet Security and Acceleration (ISA) Server,
regardless of whether or not Web Proxy or the Firewall Client is being used
for Web browsing.
2) A "The page cannot be displayed" error message is generated when you use
a Web browser.
3) A "cannot find server or DNS" error occurs.
4) From an internal client, if you use PING to ping the name of the server,
PING returns an address other than the IP address that is bound to the
server's internal adapter.
5) You cannot browse through the list of computers in Network Neighborhood
or My Network Places.
6) You cannot connect to the following Web page:
7) You may receive the following event message: Event ID: 4319, Source:
Netbt, Description: A duplicate name has been detected on the tcp network.
The IP address of the machine that sent the message is in the data. Use
NBTSTAT with a switch of N in a command window to see which name is in a
8) When a client clicks Update Now in the Firewall Client applet in Control
Panel, the client may receive the following error message:
The server is not responding when client requests an update.
-The server is not an ISA Server.
-The server is down.
9) Windows 2000 LAN clients cannot map a network drive to the server. The
client may receive the following error message: No Logon Servers Available
to Service your Logon Request.
Resolution: This issue can occur if the client computer receives a DNS
response that includes the wrong Internet Protocol (IP) address. That
address is only returned in a query after a remote client has connected by
using Dial-Up Networking: it is registered in DNS if network basic
input/output system (NetBIOS) is bound to the RRAS server's dial-in
interfaces or if DNS is configured to listen on all interfaces. To resolve
this problem, obtain the latest service pack for Windows 2000.
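Symptom 4 above is the quickest way to spot this condition: the server's name resolves to an address that is not on its internal adapter. The following is an added example, not from the page or from Microsoft: given the A records a LAN client receives for a name (constructed sample data, with a hypothetical dial-in address 192.168.200.1 registered alongside the real internal address), it classifies each address against the internal subnet and the dial-in address range and reports names whose records include a non-internal address. The subnets and host names are assumptions for the sample.

```python
import ipaddress

# Constructed sample: A records a LAN client receives for the domain controller
# after a dial-in client has connected. 192.168.200.1 is the RRAS dial-in
# adapter, registered in DNS because NetBIOS was bound to it.
SAMPLE_RECORDS = {
    "dc1.example.local": ["192.168.10.5", "192.168.200.1"],
    "files.example.local": ["192.168.10.20"],
}
INTERNAL_SUBNETS = ["192.168.10.0/24"]   # where the server's internal adapter lives
DIALIN_RANGES = ["192.168.200.0/24"]     # addresses handed out to dial-in clients


def classify(addr, internal, dialin):
    """Label an address as 'internal', 'dial-in', or 'unexpected'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in ipaddress.ip_network(n) for n in internal):
        return "internal"
    if any(ip in ipaddress.ip_network(n) for n in dialin):
        return "dial-in"
    return "unexpected"


def stray_registrations(records, internal, dialin):
    """Return {name: [(address, label), ...]} for names whose A records
    include an address that is not on the internal subnet.

    A LAN client resolving such a name can be handed the dial-in address
    and show the symptoms listed above (wrong address from PING, failed
    drive mappings, 'cannot find server' errors)."""
    stray = {}
    for name, addrs in records.items():
        labelled = [(a, classify(a, internal, dialin)) for a in addrs]
        bad = [(a, label) for a, label in labelled if label != "internal"]
        if bad:
            stray[name] = bad
    return stray


if __name__ == "__main__":
    for name, bad in stray_registrations(SAMPLE_RECORDS, INTERNAL_SUBNETS,
                                         DIALIN_RANGES).items():
        for addr, label in bad:
            print(f"{name}: {addr} is a {label} address, not the internal adapter")
```

For the sample data the check reports dc1.example.local with its dial-in address; files.example.local, which resolves only to an internal address, is not listed. In practice the records would come from the client's own resolver query against the domain controller.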
Remote access service was unable to start
Cause: dependencies such as NetBIOSGroup and RPC may not have started.
Some routers allow just one VPN connection
Symptom: You are trying to connect two or more computers behind a router to
a Windows VPN. Each machine connects fine on its own, but when two or more
VPN clients try to connect to the VPN simultaneously, only the first client
connects successfully; the other clients may receive Error 721 - Remote PPP
peer or computer is not responding.
Cause: Some routers allow only one VPN connection at a time.
Symptoms: After you install SP1 for Windows XP, your computer may drop VPN
connections after about 55 seconds. This behavior may occur if ICS/ICF is
enabled.
Resolution: 1) disable ICS; 2) disable ICF; 3) contact Microsoft Product
Support Services to obtain the fix.
VPN: Win98 can access the resources but W2K/XP cannot
Q: We're trying to connect Win2K and Win98 laptops to our office over a VPN.
From this location the Win2K client will connect correctly and authorize
correctly, but you cannot browse the remote network. You cannot ping a
remote network address, nothing. At the same location a Win98 client will
connect correctly and browse the network no problem. What's the difference
in the networking of the two that would cause this to happen?
A: Win2K and XP both use DNS to find other machines, whereas Win98 uses
NetBIOS or WINS. So you will need to set up DNS on the VPN server or on the
clients.