Hi All
I'm new to Cisco firewalls and require some help setting up Cisco VPN split tunnels. I've pasted my config with this message. I think the config should enable me to provide a split tunnel VPN.
Best Regards
Bhavesh
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 ABLlocal security99
enable password encrypted
passwd encrypted
hostname IGW-GB-LO-ITI-FW1
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 199.100.1.63 BhaveshsPC
name 199.100.1.62 VahidsPC
name Vahid-Home
name 199.100.1.30 AVSrv
name 199.100.1.34 ITI00-EXC01
name 199.100.1.32 ITI00-EFE01
name 192.168.154.2 OWAInside
name 192.168.154.30 MailSweeper
name 192.168.154.25 OWAServer
name 199.100.1.21 ITI_AS_400
name 199.100.1.50 Track-IT
name 10.75.5.0 ArabellaVL5
name 10.75.27.0 ArabellaVL27
name 10.75.7.0 ArabellaVL7
name 10.75.25.0 ArabellaVL25
name 0.0.0.0 ABLlocal
name 199.100.1.0 ITI
name 10.75.100.0 Arabellalocal
name 84.9.60.140 Vahid-PC
name 199.100.1.61 MOFO2
name 199.100.1.174 server1
object-group network StaticIPs
  network-object VahidsPC 255.255.255.255
  network-object BhaveshsPC 255.255.255.255
access-list acl_in permit tcp host ITI00-EFE01 host MailSweeper eq smtp
access-list acl_in permit tcp host BhaveshsPC interface outside eq 3389
access-list acl_in permit udp any any eq domain
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq https
access-list acl_in permit tcp host AVSrv any eq ftp
access-list acl_in permit tcp host ITI00-EXC01 any eq ftp
access-list acl_in permit tcp any any eq ftp
access-list acl_in permit tcp any any eq 3101
access-list acl_in permit tcp any any eq 3389
access-list acl_in permit tcp any any eq pcanywhere-data
access-list acl_in permit tcp any any eq 5632
access-list acl_in permit icmp host BhaveshsPC any
access-list acl_in permit icmp host VahidsPC any
access-list acl_in permit tcp any any eq 8080
access-list acl_in permit tcp any any eq 1433
access-list acl_in permit tcp any any eq 3666
access-list acl_in permit ip host server1 10.100.100.0 255.255.255.0
access-list acl_in deny ip any any
access-list acl_out permit tcp any host 213.86.97.44 eq https
access-list acl_out permit tcp any host 213.86.97.45 eq smtp
access-list acl_out permit ip 10.100.100.0 255.255.255.0 any
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any parameter-problem
access-list acl_out deny ip any any
access-list acl_dmz permit tcp host MailSweeper any eq smtp
access-list acl_dmz permit tcp host OWAInside any eq https
access-list acl_dmz permit tcp host OWAServer any eq https
access-list acl_dmz permit tcp host MailSweeper host ITI00-EFE01 eq smtp
access-list acl_dmz permit tcp host OWAInside host ITI00-EXC01 eq www
access-list acl_dmz permit udp host OWAServer any eq domain
access-list acl_dmz permit udp host OWAInside any eq domain
access-list acl_dmz permit tcp host MailSweeper any eq ftp
access-list acl_dmz permit tcp host MailSweeper any eq https
access-list acl_dmz permit udp host MailSweeper any eq domain
access-list acl_dmz permit udp any any eq domain
access-list acl_dmz permit tcp host OWAServer any eq www
access-list acl_dmz permit tcp host MailSweeper any eq www
access-list acl_dmz permit tcp host OWAInside any eq www
access-list acl_dmz deny ip any any
access-list 102 permit ip any 10.100.100.0 255.255.255.0
access-list 102 permit ip ITI 255.255.255.0 192.168.220.0 255.255.255.224
access-list ABLlocal_access_in permit tcp any any eq www
access-list ABLlocal_access_in permit tcp any any eq https
access-list ABLlocal_access_in permit udp any any
access-list ABLlocal_access_in permit tcp any any eq 8080
access-list ABLlocal_access_in permit tcp any any eq ftp
access-list ABLlocal_access_in permit tcp any any eq ftp-data
access-list ABLlocal_access_in permit icmp any any echo-reply
access-list ABLlocal_access_in permit icmp any any traceroute
access-list ABLlocal_access_in deny ip any any
access-list ITIVPN_splitTunnelAcl permit ip ITI 255.255.255.0 any
access-list ITIVPN_splitTunnelAcl permit ip 10.100.100.0 255.255.255.0 any
pager lines 24
logging on
logging timestamp
logging buffered warnings
logging trap critical
logging host inside BhaveshsPC
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu intf3 1500
mtu intf4 1500
mtu ABLlocal 1500
ip address outside 213.86.97.41 255.255.255.248
ip address inside 199.100.1.252 255.255.255.0
ip address DMZ 192.168.154.254 255.255.255.0
no ip address intf3
no ip address intf4
ip address ABLlocal 10.75.100.252 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 10.100.100.1-10.100.100.254
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside 199.100.1.253
failover ip address DMZ 192.168.154.253
no failover ip address intf3
no failover ip address intf4
no failover ip address ABLlocal
pdm location ITI00-EFE01 255.255.255.255 inside
pdm location ITI00-EXC01 255.255.255.255 inside
pdm location BhaveshsPC 255.255.255.255 inside
pdm location OWAInside 255.255.255.255 DMZ
pdm location OWAServer 255.255.255.255 DMZ
pdm location MailSweeper 255.255.255.255 DMZ
pdm location VahidsPC 255.255.255.255 inside
pdm location Vahid-Home 255.255.255.255 outside
pdm location AVSrv 255.255.255.255 inside
pdm location 10.100.100.0 255.255.255.0 outside
pdm location ITI_AS_400 255.255.255.255 inside
pdm location Track-IT 255.255.255.255 inside
pdm location OWAInside 255.255.255.255 outside
pdm location MailSweeper 255.255.255.255 outside
pdm location ArabellaVL5 255.255.255.0 inside
pdm location ArabellaVL7 255.255.255.0 inside
pdm location ArabellaVL25 255.255.255.0 inside
pdm location ArabellaVL27 255.255.255.0 inside
pdm location Vahid-PC 255.255.255.255 outside
pdm location MOFO2 255.255.255.255 inside
pdm location server1 255.255.255.255 inside
pdm group StaticIPs inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 ABLlocal 0.0.0.0 0 0
nat (DMZ) 1 ABLlocal 0.0.0.0 0 0
nat (ABLlocal) 1 ABLlocal 0.0.0.0 0 0
static (DMZ,outside) OWAServer netmask 255.255.255.255 0 0
static (DMZ,outside) MailSweeper netmask 255.255.255.255 0 0
static (inside,DMZ) ITI00-EFE01 ITI00-EFE01 netmask 255.255.255.255 0 0
static (inside,DMZ) AVSrv AVSrv netmask 255.255.255.255 0 0
static (inside,DMZ) BhaveshsPC BhaveshsPC netmask 255.255.255.255 0 0
static (inside,DMZ) ITI00-EXC01 ITI00-EXC01 netmask 255.255.255.255 0 0
static (inside,DMZ) ITI_AS_400 ITI_AS_400 netmask 255.255.255.255 0 0
static (inside,outside) ITI_AS_400 ITI_AS_400 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface DMZ
access-group ABLlocal_access_in in interface ABLlocal
route outside ABLlocal ABLlocal 213.86.97.46 1
route inside ArabellaVL5 255.255.255.0 199.100.1.240 1
route inside ArabellaVL7 255.255.255.0 199.100.1.240 1
route inside ArabellaVL25 255.255.255.0 199.100.1.240 1
route inside ArabellaVL27 255.255.255.0 199.100.1.240 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http BhaveshsPC 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community china3com
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ABITI esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map AB2 10 set transform-set ABITI
crypto map AB1 10 ipsec-isakmp dynamic AB2
crypto map AB1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ITIVPN address-pool vpnpool1
vpngroup ITIVPN dns-server 199.100.1.31 199.100.1.33
vpngroup ITIVPN default-domain iti.arabbank.plc
vpngroup ITIVPN split-tunnel ITIVPN_splitTunnelAcl
vpngroup ITIVPN split-dns iti.arabbank.plc arabbank.plc
vpngroup ITIVPN idle-time 1800
vpngroup ITIVPN password ********
telnet BhaveshsPC 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username syrus password encrypted privilege 15
username ITIVPN password encrypted privilege 15
terminal width 80
Cryptochecksum:
: end
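As an added check (example code, not the poster's config or anything from Cisco), the script below reads the split-tunnel related lines of the config above and verifies the two things that decide whether a PIX 6.3 split tunnel works: every entry of the ACL named in `vpngroup ... split-tunnel` has the form `permit ip <protected-net> <mask> any`, and the `nat (inside) 0` ACL exempts the whole `ip local pool` range from NAT. The CONFIG excerpt is constructed from lines on this page; the `parse`, `net` and `lint` function names are my own.

```python
import ipaddress
# Constructed excerpt: the lines from the posted config that decide how split tunnelling behaves.
CONFIG = """
name 199.100.1.0 ITI
ip local pool vpnpool1 10.100.100.1-10.100.100.254
access-list 102 permit ip any 10.100.100.0 255.255.255.0
access-list ITIVPN_splitTunnelAcl permit ip ITI 255.255.255.0 any
access-list ITIVPN_splitTunnelAcl permit ip 10.100.100.0 255.255.255.0 any
nat (inside) 0 access-list 102
vpngroup ITIVPN address-pool vpnpool1
vpngroup ITIVPN split-tunnel ITIVPN_splitTunnelAcl
"""

def parse(config):  # collect name aliases, ACL entries, address pools, the nat 0 ACL and vpngroup attributes
    names, acls, pools, nat0, groups = {}, {}, {}, None, {}
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[0] == "name":                                 # name <ip> <alias>
            names[tok[2]] = tok[1]
        elif tok[0] == "access-list":                        # access-list <id> permit ip <src> <dst>
            acls.setdefault(tok[1], []).append(tok[2:])
        elif tok[:3] == ["ip", "local", "pool"]:             # ip local pool <name> <lo>-<hi>
            pools[tok[3]] = tuple(ipaddress.ip_address(a) for a in tok[4].split("-"))
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            nat0 = tok[4]
        elif tok[0] == "vpngroup":                           # vpngroup <group> <attr> <value>
            groups.setdefault(tok[1], {})[tok[2]] = tok[3]
    return names, acls, pools, nat0, groups

def net(tok, names):  # one ACL address, 'any' or '<addr|alias> <mask>' -> (network, tokens consumed)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    return ipaddress.ip_network(f"{names.get(tok[0], tok[0])}/{tok[1]}", strict=False), 2

def lint(config):  # returns findings; an empty list means split-tunnel ACL and NAT exemption agree
    names, acls, pools, nat0, groups = parse(config)
    findings = []
    for group, attrs in groups.items():
        acl = attrs.get("split-tunnel")
        for e in acls.get(acl, []):
            src, n = net(e[2:], names)
            dst, _ = net(e[2 + n:], names)
            # PIX 6.3 form is 'permit ip <protected-net> <mask> any'; an 'any' source tunnels everything.
            if src.prefixlen == 0 or dst.prefixlen != 0:
                findings.append(f"{acl}: expected 'permit ip <net> <mask> any', got {src} -> {dst}")
        # Client traffic must bypass NAT: every pool address needs a matching nat 0 destination.
        nat_dsts = [net(e[2 + net(e[2:], names)[1]:], names)[0] for e in acls.get(nat0, [])]
        for chunk in ipaddress.summarize_address_range(*pools[attrs["address-pool"]]):
            if not any(chunk.subnet_of(d) for d in nat_dsts):
                findings.append(f"{group}: pool range {chunk} is not NAT-exempt via access-list {nat0}")
    return findings
```

Run `lint(CONFIG)` against the excerpt above and it returns an empty list; swapping the `nat 0` ACL for one that does not cover the pool, or using `permit ip any any` in the split-tunnel ACL, produces a finding.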