07-22-2007 01:53 PM - edited 03-11-2019 03:47 AM
Hi,
I have several clients accessing their office via vpn, I wish to grant them access to the internet at the same time through their home internet connection.
Is the easiest route to enable split tunnelling? I'm unsure what I need to add to the config file apart from;
split-tunnel-policy tunnelspecified
I presume that I need to define tunnelspecified as the internal network of the office?
Thanks for your help
Suzanne
07-22-2007 02:11 PM
Hi Suzanne
Yes, you need to define the corporate network with an access-list to enable split tunnelling.
Attached is a link to configuring split tunnelling on ASA using either ASDM or the CLI.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
HTH
Jon
07-23-2007 01:29 AM
Hi Jon
Thanks for that prompt reply.
I should have said I'm using a PIX 501 running 6.3 and have PDM 3.0,
which means that the split-tunnel-policy tunnelall command fails and the GUI does not have the same options.
Is it possible on the PIX 501?
Thanks
Suzanne
07-23-2007 01:42 AM
hi,
for your case here are the steps:
********************************
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
isakmp nat-traversal 20
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
ip local pool ippool 10.1.1.11-10.1.1.21
vpngroup vpnclient address-pool ippool
vpngroup vpnclient idle-time 1800
vpngroup vpnclient dns-server 172.16.1.1
vpngroup vpnclient password cisco456
vpngroup vpnclient split-tunnel 120
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap
username cisco password cisco123
aaa-server LOCAL protocol local
crypto map remote_vpn client authentication LOCAL
crypto map remote_vpn client configuration address initiate
crypto map remote_vpn client configuration address respond
Regarding the VPN Client, just simply install it by following the
instruction on screen, click "new":
"connection entry" a name for your reference
"host" public ip of the pix 501
"name" vpnclient
"password" cisco456
To initiate a tunnel, double click the entry you just created.
HTH, please rate it
07-25-2007 07:12 AM
Hi
Sorry it's taken a couple of days to come back to you. I first tried just ticking the box in the PDM that allows split tunnelling, which allowed my Vista PCs to access the VPN and the internet, but not the XP ones!
By the way, for anyone thinking about ticking that box in the PDM: it then stops access to the PDM, and you need to make any other changes from the command line.
Anyone know why this is?
I've tried the solution posted here, and while the DNS gets resolved, the user still cannot access the internet while on the VPN.
I'll include my config in case it's been a typo.
Any more advice would be welcome.
thanks
Suzanne
07-25-2007 09:44 AM
access-list splittunnel_acl permit ip localofficehosts 255.255.255.0 vpndhcppool 255.255.255.0
vpngroup group-name split-tunnel splittunnel_acl
Your ACL will be specific to your setup, as will the vpngroup group name.
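To make the behaviour behind both the PIX 6.3 config above and this accepted answer concrete, here is an added Python example (not from the thread or from Cisco) that parses the relevant lines of a constructed PIX 6.3-style config and decides, for a given destination, whether the VPN client sends the traffic into the tunnel or out of the home internet link. It also checks the pairing the thread's examples rely on: the split-tunnel ACL's source side is the office network, and its destination side is the VPN address pool. It assumes only the plain `access-list <name> permit ip <net> <mask> <net> <mask>` form (no `host` keyword) and the `ip local pool` / `vpngroup ... split-tunnel` lines; the sample config and addresses are constructed for illustration.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the PIX 6.3 lines posted in the thread.
# 192.168.1.0/24 is the office LAN, 10.1.1.0/24 holds the VPN client pool.
SPLIT_CONFIG = """\
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
ip local pool ippool 10.1.1.11-10.1.1.21
vpngroup vpnclient address-pool ippool
vpngroup vpnclient split-tunnel 120
"""

# Same pool, but no split-tunnel ACL bound to the vpngroup: the PIX pushes
# "tunnel everything", which is why clients lose their local internet path.
TUNNEL_ALL_CONFIG = """\
ip local pool ippool 10.1.1.11-10.1.1.21
vpngroup vpnclient address-pool ippool
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
SPLIT_RE = re.compile(r"^vpngroup\s+\S+\s+split-tunnel\s+(\S+)$")
POOL_RE = re.compile(r"^ip local pool\s+\S+\s+(\S+)-(\S+)$")


@dataclass
class SplitTunnelConfig:
    acl_name: str | None = None                 # ACL named by "vpngroup ... split-tunnel"
    protected: list = field(default_factory=list)  # source side: networks sent into the tunnel
    remote: list = field(default_factory=list)     # destination side: where the pool should sit
    pool: tuple | None = None                   # (first, last) address of "ip local pool"


def parse_pix_config(text: str) -> SplitTunnelConfig:
    """Extract the split-tunnel ACL, its entries and the client pool from config text."""
    cfg = SplitTunnelConfig()
    acls: dict[str, list] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            # PIX 6.x ACLs use ordinary subnet masks, which ipaddress accepts as "net/mask".
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{smask}", strict=False),
                ipaddress.ip_network(f"{dst}/{dmask}", strict=False),
            ))
        elif m := SPLIT_RE.match(line):
            cfg.acl_name = m.group(1)
        elif m := POOL_RE.match(line):
            cfg.pool = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
    if cfg.acl_name is not None:
        for src, dst in acls.get(cfg.acl_name, []):
            cfg.protected.append(src)
            cfg.remote.append(dst)
    return cfg


def goes_through_tunnel(cfg: SplitTunnelConfig, destination: str) -> bool:
    """True if the client encrypts traffic to `destination` towards the PIX.

    No split-tunnel ACL (or an empty one) means tunnel-all: every destination,
    the public internet included, is sent to the office. With an ACL, only the
    ACL's source networks are tunnelled and everything else uses the home link.
    """
    if cfg.acl_name is None or not cfg.protected:
        return True
    dst = ipaddress.ip_address(destination)
    return any(dst in net for net in cfg.protected)


def pool_matches_acl(cfg: SplitTunnelConfig) -> bool:
    """Consistency check: both ends of the pool lie inside the ACL's destination side.

    The thread's examples pair "localofficehosts -> vpndhcppool"; a pool outside
    the destination network is the first thing to look for when a client still
    has no internet after the split-tunnel line is added.
    """
    if cfg.pool is None or not cfg.remote:
        return False
    first, last = cfg.pool
    return all(any(addr in net for net in cfg.remote) for addr in (first, last))


def classify(cfg: SplitTunnelConfig, destinations: list[str]) -> dict[str, str]:
    """Map each destination to 'tunnel' or 'local' for a quick eyeball check."""
    return {d: ("tunnel" if goes_through_tunnel(cfg, d) else "local") for d in destinations}


if __name__ == "__main__":
    for label, text in (("split", SPLIT_CONFIG), ("tunnel-all", TUNNEL_ALL_CONFIG)):
        cfg = parse_pix_config(text)
        print(label, classify(cfg, ["192.168.1.50", "203.0.113.10"]), "pool ok:", pool_matches_acl(cfg))
```

Running it shows the contrast the thread is about: with ACL 120 bound, the office host 192.168.1.50 is tunnelled and the public address 203.0.113.10 goes out locally, whereas without the split-tunnel line both go into the tunnel and the client has no internet. Bear in mind that split tunnelling also removes the office firewall from the path of the client's internet traffic, so the home machine's own protection matters more once it is enabled.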