Good morning all,
I'm going to try and post this without having to attach an entire config....
Basically....I am having trouble with split-tunneling, and allowing VPN users access to the DMZ.
The setup is Outside, DMZ, and Corp (inside). Corp is 100, DMZ is 98, and outside is 0 (standard...). Users on the inside (192.168.33.0) have no problem accessing the web and using DNS servers that are in the DMZ. However, when I create a VPN access group, they have access to the inside (they are assigned addresses from the same (.33.0) inside group), but no name resolution.
So...split tunneling IS working, but for IP addresses only...there is no name resolution for VPN users.
Here is a piece of the config:
hostname pixfirewall
domain-name XXXX
ftp mode passive
dns retries 2
dns timeout 2
dns domain-lookup dmz
dns name-server x.x.x.x
dns name-server x.x.x.x
same-security-traffic permit intra-interface
I was not the one to set up this PIX and have never added DNS servers to a PIX unless using it with the DHCPD commands. Because the VPN users come in on the Outside interface but are then part of the Inside pool, should they not have access to the DMZ? They cannot "see" the .28.0 DMZ.
There are many access lists, but the following relate to this issue and split-tunneling:
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip 192.168.0.0 255.255.0.0 any
access-list corp_nat0_outbound extended permit ip any 192.168.31.025126.96.36.199
access-list XXX_splitTunnelAcl standard permit 192.168.33.0 255.255.255.0
access-list corp_inside_access_in extended permit tcp any any
access-list inside_access_in extended permit ip Private-subnet 255.255.0.0 any
and the attributes:
group-policy XXX internal
group-policy XXX attributes
 dns-server value 192.168.28.1 192.168.28.2
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value XXX_splitTunnelAcl
 default-domain value XXX.com
Does anything jump out to you guys as being blatantly wrong? Like I said, I've never used that "dns domain-lookup DMZ" command before. I would think that the VPN users would inherit the "100" security and be able to access anything lower, but I guess not.....
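As an added example (editor's code, not part of the original post or any Cisco tool), here is a small Python check for the interaction the post is describing: with `split-tunnel-policy tunnelspecified`, a VPN client only sends traffic for the networks listed in the split-tunnel ACL through the tunnel, so any `dns-server value` address that is not covered by that ACL gets queried over the client's local, untunneled path. The script parses a config fragment constructed from the lines quoted in the post (the ACL name, group-policy name, and addresses are taken from there; `FIXED_CONFIG` adds a hypothetical second ACL entry for the 192.168.28.0/24 DMZ) and reports which pushed DNS servers fall outside the tunnel.

```python
import ipaddress
import re

# Sample input constructed from the config fragment quoted in the post above
# (not pulled from a live device).
CONFIG = """\
access-list XXX_splitTunnelAcl standard permit 192.168.33.0 255.255.255.0
group-policy XXX internal
group-policy XXX attributes
 dns-server value 192.168.28.1 192.168.28.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value XXX_splitTunnelAcl
 default-domain value XXX.com
"""

# Hypothetical fix for comparison: the DMZ subnet added to the split-tunnel ACL.
FIXED_CONFIG = CONFIG + (
    "access-list XXX_splitTunnelAcl standard permit 192.168.28.0 255.255.255.0\n"
)

# PIX/ASA standard ACL entries: "permit any", "permit host A.B.C.D",
# or "permit NETWORK NETMASK" (a netmask, not a wildcard mask).
STD_ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+standard\s+permit\s+"
    r"(?:(?P<any>any)|host\s+(?P<host>\S+)|(?P<net>\S+)\s+(?P<mask>\S+))\s*$"
)


def parse_standard_acls(config):
    """Return {acl_name: [IPv4Network, ...]} for every standard permit entry."""
    acls = {}
    for raw in config.splitlines():
        m = STD_ACL_RE.match(raw.strip())
        if not m:
            continue
        if m.group("any"):
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif m.group("host"):
            net = ipaddress.IPv4Network(m.group("host") + "/32")
        else:
            net = ipaddress.IPv4Network(f"{m.group('net')}/{m.group('mask')}")
        acls.setdefault(m.group("name"), []).append(net)
    return acls


def parse_group_policy(config, name):
    """Pull the VPN-relevant attributes out of 'group-policy <name> attributes'.

    The block consists of the indented lines that follow the header; the first
    non-indented line ends it.
    """
    attrs = {"dns_servers": [], "split_policy": None, "split_acl": None}
    in_block = False
    for raw in config.splitlines():
        if raw.startswith(f"group-policy {name} attributes"):
            in_block = True
            continue
        if in_block and not raw.startswith(" "):
            in_block = False
        if not in_block:
            continue
        parts = raw.split()
        if parts[:2] == ["dns-server", "value"]:
            attrs["dns_servers"] = parts[2:]
        elif parts[:1] == ["split-tunnel-policy"]:
            attrs["split_policy"] = parts[1]
        elif parts[:2] == ["split-tunnel-network-list", "value"]:
            attrs["split_acl"] = parts[2]
    return attrs


def dns_servers_outside_tunnel(config, group):
    """List pushed DNS servers the client would reach outside the VPN tunnel."""
    gp = parse_group_policy(config, group)
    policy = gp["split_policy"]
    # No policy set, or tunnelall: everything (DNS included) goes through the tunnel.
    if policy is None or policy == "tunnelall":
        return []
    nets = parse_standard_acls(config).get(gp["split_acl"], [])
    outside = []
    for server in gp["dns_servers"]:
        addr = ipaddress.IPv4Address(server)
        listed = any(addr in n for n in nets)
        # tunnelspecified: only listed networks are tunneled.
        # excludespecified: listed networks bypass the tunnel, everything else is tunneled.
        tunneled = listed if policy == "tunnelspecified" else not listed
        if not tunneled:
            outside.append(server)
    return outside


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG), ("with DMZ in ACL", FIXED_CONFIG)):
        missing = dns_servers_outside_tunnel(cfg, "XXX")
        print(f"{label}: DNS servers not reachable through the tunnel: {missing or 'none'}")
```

Run against the posted fragment it reports both 192.168.28.x servers as outside the tunnel, because the only split-tunnel entry is 192.168.33.0/24; with the DMZ subnet added to the same ACL the list is empty. The same check can be pointed at a full `show running-config` dump, since it ignores lines it does not recognise.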