04-21-2008 01:43 PM
I have an SA 2000 for users connecting via Network Connect. I would like to use the split tunnelling feature but it doesn't work.
I tried to use "Allow access to local subnet" but I have to add a manual route to access the local network outside the tunnel.
Can you help me?
My SA version is 5.3R3
04-23-2008 08:07 AM
The Network Connect 'allow access to the local subnet' is client side. Its local network would change for each location where Network Connect was launched. The routing should only add routes off the Internal Interface and its subnets. The only routes I've ever needed to add are ones for the subnet local to the Internal Interface on the SA.
I'm using 6.1R2 currently.
04-23-2008 11:32 AM - edited 04-23-2008 11:34 AM
Agreed with DougR above.
Check your Network Connect Split Tunneling Policies and Network Connect Connection Profiles.
You should not need to add any routes on the IVE. The IVE will route based on the NC Pool and the split-tunnel networks you have defined.
04-23-2008 01:01 PM
When I use the option "Allow access to local subnet" I see on my client that all the routing is directed to the Network Connect adapter.
If I manually add static routes for the local subnet on the client, all works fine.
I have checked the resource policy but it is OK.
04-24-2008 12:22 AM
One thing to keep in mind is that split tunnelling has a specific purpose. It is used to route certain traffic to your internal network, and force all other traffic out the user's remote ISP.
In your split tunnelling policies, you will want to add the IP addresses (or a network range) of what you want to access on the internal network with Network Connect, like:
172.18.0.0/16 will force all 172.18 traffic through the IVE and to the internal network. It also works the same if you put in single IP addresses (one per line). Anything OUTSIDE the split tunnelling policy will be routed through their local ISP, bypassing the IVE entirely.
Also keep in mind that these will need to be specified in your Network Connect Access Control list with an allow policy (the default policy is set to allow *:*).
Another thing I've seen happen is if you have the Network Connect DHCP network server IP address conflicting with an address on your network, this causes issues with ST - by default it's set at 10.200.200.200, and can be changed under System > Network > Network Connect settings.
Please give this a try and see if this helps to resolve your issue.
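Added example (not part of the thread and not Juniper's code): a small Python model of the client-side routing outcome the posts above describe. Split-tunnel networks go to the Network Connect adapter, a local-subnet route (the one the original poster ended up adding by hand) goes to the LAN adapter, and anything unmatched leaves via the local ISP. It also checks whether the NC server address overlaps any defined network, the conflict the last post warns about. The policy entries, local subnet and interface labels are constructed sample values, not a real deployment.

```python
import ipaddress

# Constructed sample split-tunnel policy, modelled on the thread's 172.18.0.0/16
# example plus a single host entry (one per line in the IVE policy).
SPLIT_TUNNEL_POLICY = ["172.18.0.0/16", "10.50.1.25/32"]

# Constructed client-side facts for one remote location.
LOCAL_SUBNET = "192.168.1.0/24"      # the remote user's own LAN
NC_SERVER_ADDR = "10.200.200.200"    # default NC DHCP server address named in the thread


def build_routes(policy, local_subnet, allow_local):
    """Route table the client ends up with: split-tunnel networks via the NC
    adapter, and (if the local-subnet route is present) the LAN via its own adapter."""
    routes = [(ipaddress.ip_network(p), "Network Connect adapter") for p in policy]
    if allow_local:
        routes.append((ipaddress.ip_network(local_subnet), "local LAN adapter"))
    return routes


def next_hop(dest, routes):
    """Longest-prefix match over the route table; an unmatched destination is
    what split tunnelling sends out the local ISP, bypassing the IVE."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else "local ISP (bypasses the IVE)"


def address_conflicts(nc_server_addr, networks):
    """Return the networks that contain the NC server address, i.e. the
    address-conflict condition the last post describes."""
    addr = ipaddress.ip_address(nc_server_addr)
    return [str(n) for n in map(ipaddress.ip_network, networks) if addr in n]


if __name__ == "__main__":
    table = build_routes(SPLIT_TUNNEL_POLICY, LOCAL_SUBNET, allow_local=True)
    for dest in ("172.18.4.7", "10.50.1.25", "192.168.1.10", "8.8.8.8"):
        print(f"{dest:>15} -> {next_hop(dest, table)}")
    print("NC server conflicts:", address_conflicts(NC_SERVER_ADDR, SPLIT_TUNNEL_POLICY))
```

Run it with the `allow_local` flag set to False to see the local LAN destination fall through to the ISP path instead of the LAN adapter, which is the behaviour difference the original poster was chasing; the conflict check is worth running against your real split-tunnel list and internal subnets before changing the NC server address.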