Cisco PIX 506E - Split Tunnel Command

Unanswered Question

Morning all, I was wondering if somebody could help me with the split-tunnel command. I am trying to allow my VPN users internet access from their own PCs while connected to the VPN. I have added the split-tunnel command in the VPN config but am not sure what to add to the access list. Any help would be much appreciated; here is my config:


nameif ethernet0 outside security0
nameif ethernet1 inside security100

interface ethernet0 100full
interface ethernet1 100full

ip address outside 217.34.xxx.xxx 255.255.255.240
ip address inside 10.1.1.1 255.0.0.0

route outside 0.0.0.0 0.0.0.0 217.34.xxx.xxx 1

nat (inside) 1 10.0.0.0 255.0.0.0 0 0
global (outside) 1 interface

static (inside,outside) tcp 217.34.xxx.xxx 21685 10.1.2.150 21685
static (inside,outside) tcp 217.34.xxx.xxx ftp 10.1.2.150 ftp
static (inside,outside) tcp 217.34.xxx.xxx http 10.1.1.3 http
static (inside,outside) tcp 217.34.xxx.xxx https 10.1.1.3 https

access-list 101 permit tcp any host 217.34.xxx.xxx eq ftp
access-list 101 permit tcp any host 217.34.xxx.xxx eq http
access-list 101 permit tcp any host 217.34.xxx.xxx eq https
access-list 101 permit icmp any host 217.34.xxx.xxx echo-reply
access-list 101 permit icmp any host 217.34.xxx.xxx time-exceeded
access-list 101 permit icmp any host 217.34.xxx.xxx unreachable

access-group 101 in interface outside

no fixup protocol ftp 21
no fixup protocol dns

!--- Enable logging
logging on
logging trap 4
logging host 10.1.1.3

telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.50.0 255.255.255.0 inside

http server enable
http 10.0.0.0 255.0.0.0 inside
pdm history enable

!--- SSH for use with Putty
aaa authentication ssh console LOCAL
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5

!--- Firewall details and passwords
hostname FIREWALL
domain-name C2.local
en pass *************
pass *************

ip local pool VPN_Pool 192.168.50.1-192.168.50.254
access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 101

!--- For Cisco VPN Client
sysopt connection permit-ipsec
crypto ipsec transform-set VPN_Trans esp-aes-256 esp-md5-hmac
crypto dynamic-map VPN_Dyn 10 set transform-set VPN_Trans
crypto map VPN_Crypto 10 ipsec-isakmp dynamic VPN_Dyn
crypto map VPN_Crypto interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup C2_VPNGROUP address-pool VPN_Pool
vpngroup C2_VPNGROUP wins-server 10.1.1.3
vpngroup C2_VPNGROUP dns-server 10.1.1.3
vpngroup C2_VPNGROUP default-domain c2.local
vpngroup C2_VPNGROUP split-tunnel 101
vpngroup C2_VPNGROUP idle-time 1800
vpngroup C2_VPNGROUP password *************
isakmp nat-traversal 20
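The posted config uses access-list 101 for three different jobs at once (the inbound filter on the outside interface, the NAT-exemption list and the split-tunnel list); on PIX 6.x the split-tunnel list pushes the source network of each entry to the VPN client, so the `permit tcp any ...` entries push the whole address space and every packet from the client is tunnelled. The following is an added example, not the poster's config or a reply from the thread, showing the usual fix of giving the split-tunnel and NAT-exemption function its own ACL while ACL 101 stays as the interface filter. The ACL name `Split_Tunnel` is an assumption; all addresses and the vpngroup name are taken from the post.

```cisco
!--- Added example, not the poster's config. ACL name Split_Tunnel is an assumption;
!--- addresses and the vpngroup name come from the post above.

!--- 1. Take the VPN-related entry back out of the outside interface filter,
!---    so ACL 101 only does inbound filtering on the outside interface.
no access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0

!--- 2. Dedicated list. Source = the internal network that must go through the
!---    tunnel (10.0.0.0/8, matching "ip address inside"), destination = the
!---    client pool. Only 10.0.0.0/8 is pushed to the client as a secured route;
!---    Internet traffic leaves the client's own connection untunnelled.
access-list Split_Tunnel permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0

!--- 3. NAT exemption for inside -> VPN-client traffic uses the same list
!---    (replaces "nat (inside) 0 access-list 101").
nat (inside) 0 access-list Split_Tunnel

!--- 4. Point the VPN group at the dedicated list
!---    (replaces "vpngroup C2_VPNGROUP split-tunnel 101").
vpngroup C2_VPNGROUP split-tunnel Split_Tunnel

!--- 5. Verification: the list should contain only the 10.0.0.0/8 entry, and
!---    the VPN client's route details should show 10.0.0.0/8 as the only
!---    secured route after reconnecting.
show access-list Split_Tunnel
show vpngroup
```

Leaving the `permit tcp any ...` entries in a list that is also used for split tunnelling would re-introduce the full-tunnel behaviour, so keep the interface filter and the split-tunnel list separate from now on.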


