
ASA5505 as VPN client problem


Hi, groups:
I have an ASA5505 acting as a VPN client, peering to an Easy VPN server PIX515 with version 7.2. I have got two problems: 1. Once the ASA5505 establishes an ISAKMP SA with the PIX, clients behind the ASA5505 lose their connections to the Internet; 2. I have configured a backup server (such as another PIX515) on the PIX515. But even when I disconnect the PIX from the net, the SA between the PIX and the ASA5505 still exists, until I use the clear crypto isa sa command; then the ASA5505 can connect to the backup server. What I need is: as soon as the PIX515 is disconnected, the ASA5505 will immediately switch to the backup server without the clear crypto isa sa command.
For the first problem, I know there is a command that should be configured under group-policy, split-tunnel-policy tunnelspecified, but it seems not to work.
Anyone's help will be very appreciated. The configuration is below:
—————————————————————————————————————-
pixfirewall(config)# sh run
: Saved
:
PIX Version 7.2(1)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.0.0.254 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list out-in extended permit icmp any any
access-list group1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy group1 internal
group-policy group1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value group1
 nem enable
 backup-servers 10.0.0.253
username zdh1 password 2r6744/AjVH3mel5 encrypted
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto dynamic-map vpn 8 set transform-set vpn
crypto map vpn 200 ipsec-isakmp dynamic vpn
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group group1 type ipsec-ra
tunnel-group group1 general-attributes
 default-group-policy group1
tunnel-group group1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9937e2537e2187d5e14198b845a509fc
: end
pixfirewall(config)# !!!!!!!!!
pixfirewall(config)# sh run cry
crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto dynamic-map vpn 8 set transform-set vpn
crypto map vpn 200 ipsec-isakmp dynamic vpn
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
pixfirewall(config)# sh run grou
pixfirewall(config)# sh run group-p
pixfirewall(config)# sh run group-policy
group-policy group1 internal
group-policy group1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value group1
 nem enable
 backup-servers 10.0.0.253
pixfirewall(config)# sh run acce
pixfirewall(config)# sh run access-l
pixfirewall(config)# sh run access-list
access-list out-in extended permit icmp any any
access-list group1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
—————————————————-

Jordan

ciscoasa# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.0.0.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
vpnclient server 10.0.0.254
vpnclient mode network-extension-mode
vpnclient vpngroup group1 password ********
vpnclient username zdh1 password ********
vpnclient enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1e716346362e34051528b0aed53bfaad
: end
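The settings the question turns on (the split-tunnel policy, the ACL it references and the backup server under the server's group-policy) and the cipher suite can be pulled out of the posted show run mechanically. The Python checker below is added here and is not part of the post or of any Cisco tooling; it parses a constructed excerpt of the PIX config quoted above (sub-commands re-indented as the device prints them) and flags the legacy algorithms that the posted transform set and ISAKMP policy use.

```python
# Constructed excerpt of the PIX515 config quoted in the post, sub-commands re-indented one space.
PIX_CONFIG = """\
access-list group1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
group-policy group1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value group1
 nem enable
 backup-servers 10.0.0.253
crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto isakmp policy 20
 encryption des
 hash md5
"""
# DES and MD5 are broken; 3DES and SHA-1 are deprecated for IPsec.
WEAK = {"des": "broken", "md5": "broken", "3des": "deprecated", "sha": "deprecated"}

def parse_blocks(config):
    """Map each top-level command to its space-indented sub-commands (dicts keep order)."""
    blocks, parent = {}, None
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" ") and parent is not None:
            blocks[parent].append(line.strip())
        else:
            parent = line.strip()
            blocks[parent] = []
    return blocks

def group_policy_setting(config, keyword):
    """Arguments of `keyword` under a group-policy attributes block, or [] if unset."""
    for parent, children in parse_blocks(config).items():
        if parent.startswith("group-policy ") and parent.endswith(" attributes"):
            for child in children:
                if child.startswith(keyword + " "):
                    return child.split()[len(keyword.split()):]
    return []

def split_tunnel_networks(config):
    """(net, mask) sources of the split-tunnel ACL; [] if it is not referenced or absent."""
    acl = group_policy_setting(config, "split-tunnel-network-list value")
    return [(t[5], t[6]) for t in map(str.split, parse_blocks(config))
            if acl and t[:3] == ["access-list", acl[0], "extended"] and len(t) >= 7]

def weak_crypto(config):
    """(command, algorithm, status) per weak algorithm in transform sets and ISAKMP policies."""
    findings = []
    for cmd in map(str.strip, config.splitlines()):
        t = cmd.split()
        if t[:3] == ["crypto", "ipsec", "transform-set"] or t[:1] in (["encryption"], ["hash"]):
            for alg in (tok.replace("esp-", "").replace("-hmac", "") for tok in t[1:]):
                if alg in WEAK:
                    findings.append((cmd, alg, WEAK[alg]))
    return findings
```

Run against the full show run output the same functions report whether the split-tunnel list resolves to an ACL at all, which is the first thing to verify when tunnelspecified appears to have no effect.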
Blogs and organic groups at http://www.ccie.net
