Cisco PIX 501 split tunnelling

Answered Question
Jul 22nd, 2007

Hi,


I have several clients accessing their office via VPN, and I wish to grant them access to the internet at the same time through their home internet connection.


Is the easiest route to enable split tunnelling? I'm unsure what I need to add to the config file apart from:


split-tunnel-policy tunnelspecified


I presume that I need to define tunnelspecified as the internal network of the office?


Thanks for your help

Suzanne




techsitc10 Mon, 07/23/2007 - 01:29

Hi Jon


Thanks for that prompt reply.


I should have said I'm using a PIX 501 running 6.3 and have PDM 3.0, which means that the split-tunnel-policy tunnelall command fails and there are not the same options in the GUI?

Is it possible on the PIX 501?


Thanks

Suzanne


zulqurnain Mon, 07/23/2007 - 01:42

hi,


For your case, here are the steps:

********************************

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

: ACL 101 exempts office<->client-pool traffic from NAT; ACL 120 (same networks)
: tells the client which destinations go through the tunnel, everything else goes
: out the client's local internet connection
nat (inside) 0 access-list 101

: not in the original reply, but required if the PIX is not already terminating
: IPsec on the outside interface
isakmp enable outside

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

isakmp identity address
isakmp nat-traversal 20

crypto ipsec transform-set vpnset esp-3des esp-md5-hmac

ip local pool ippool 10.1.1.11-10.1.1.21

vpngroup vpnclient address-pool ippool
vpngroup vpnclient idle-time 1800
vpngroup vpnclient dns-server 172.16.1.1
vpngroup vpnclient password cisco456
vpngroup vpnclient split-tunnel 120

crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap

username cisco password cisco123

aaa-server LOCAL protocol local
crypto map remote_vpn client authentication LOCAL
crypto map remote_vpn client configuration address initiate
crypto map remote_vpn client configuration address respond

: not in the original reply, but required: the crypto map does nothing until it is
: bound to the outside interface, and sysopt lets decrypted IPsec traffic bypass
: the outside interface ACL
crypto map remote_vpn interface outside
sysopt connection permit-ipsec

Regarding the VPN Client, just simply install it by following the instructions on screen, then click "new":

"connection entry" a name for your reference
"host" public IP of the PIX 501
"name" vpnclient
"password" cisco456

To initiate a tunnel, double click the entry you just created.


HTH, please rate it

techsitc10 Wed, 07/25/2007 - 07:12

Hi


Sorry it's taken a couple of days to come back to you. I firstly tried just ticking the box in the PDM that allows split-tunnelling, which allowed my Vista PCs to access the VPN and the internet but not the XP ones!

By the way, for anyone thinking about ticking that box in the PDM: it then stops access to the PDM and you need to make any other changes by the command line.

Anyone know why this is?

I've tried the solution posted here and while the DNS gets resolved the user still cannot access the internet while on the VPN.

I'll include my config in case it's been a typo.

Any more advice would be welcome.

Thanks

Suzanne




Correct Answer
srue Wed, 07/25/2007 - 09:44

access-list splittunnel_acl permit ip localofficehosts 255.255.255.0 vpndhcppool 255.255.255.0

vpngroup group-name split-tunnel splittunnel_acl



Your ACL will be specific to your setup, as will the vpngroup group name.
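As an added check that is not from any poster in this thread, the Python script below parses the PIX 6.3 lines that zulqurnain's and srue's answers rely on and reports the mistakes that leave split tunnelling broken (a split-tunnel ACL referenced but never defined, an ACL whose destination does not cover the client pool, no matching nat (inside) 0 ACL) or ineffective (an ACL sourced from any, which tunnels everything). The sample config is constructed from the names and addresses used in zulqurnain's reply; the check functions and finding texts are my own.

```python
import ipaddress
import re

# Constructed sample (not the poster's attachment): the split-tunnel lines from
# zulqurnain's reply, office 192.168.1.0/24, client pool 10.1.1.0/24.
SAMPLE_CONFIG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
ip local pool ippool 10.1.1.11-10.1.1.21
vpngroup vpnclient address-pool ippool
vpngroup vpnclient split-tunnel 120
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
GROUP_RE = re.compile(r"^vpngroup (\S+) (address-pool|split-tunnel) (\S+)$")


def check_split_tunnel(config):
    """Return a list of findings about the PIX 6.3 split-tunnel setup in `config`."""
    acls, pools, groups, nat0 = {}, {}, {}, set()
    for line in config.splitlines():
        # PIX writes "any" for 0.0.0.0 0.0.0.0; normalise so every ACL has 4 address tokens
        line = re.sub(r"\bany\b", "0.0.0.0 0.0.0.0", line.strip())
        if m := ACL_RE.match(line):
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}")   # office side of the tunnelled traffic
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}")   # client side of the tunnelled traffic
            acls.setdefault(m[1], []).append((src, dst))
        elif m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := NAT0_RE.match(line):
            nat0.add(m[1])
        elif m := GROUP_RE.match(line):
            groups.setdefault(m[1], {})[m[2]] = m[3]
    findings = []
    for name, g in groups.items():
        st = g.get("split-tunnel")
        if st is None or st not in acls:   # unset means tunnel-all; undefined is silently ignored
            findings.append(f"{name}: split-tunnel ACL {st or '(none)'} is not defined")
            continue
        lo, hi = pools.get(g.get("address-pool"), (None, None))
        for src, dst in acls[st]:
            if src.prefixlen == 0:   # "permit ip any ..." tunnels everything, defeating the split
                findings.append(f"{name}: ACL {st} tunnels 0.0.0.0/0, split tunnel has no effect")
            if lo is not None and not (lo in dst and hi in dst):
                findings.append(f"{name}: ACL {st} destination {dst} does not cover pool {lo}-{hi}")
        # nat 0 must exempt the same office<->pool traffic, or replies never enter the tunnel
        if not any(acls.get(n) == acls[st] for n in nat0):
            findings.append(f"{name}: no nat (inside) 0 ACL matches split-tunnel ACL {st}")
    return findings
```

Run it over the output of `show running-config` copied from the PIX; an empty list means the split-tunnel and nat 0 pieces agree with each other and with the address pool.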
