Cisco PIX 506E - Split Tunnel Command

paul.baird
Level 1

Morning all, I was wondering if somebody could help me with the split-tunnel command. I am trying to allow my VPN users internet access from their own PCs while connected to the VPN. I have added the split-tunnel command in the VPN config but I am not sure what to add in the access list. Any help would be much appreciated; here is my config:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100full
interface ethernet1 100full
ip address outside 217.34.xxx.xxx 255.255.255.240
ip address inside 10.1.1.1 255.0.0.0
route outside 0.0.0.0 0.0.0.0 217.34.xxx.xxx 1
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
global (outside) 1 interface
static (inside,outside) tcp 217.34.xxx.xxx 21685 10.1.2.150 21685
static (inside,outside) tcp 217.34.xxx.xxx ftp 10.1.2.150 ftp
static (inside,outside) tcp 217.34.xxx.xxx http 10.1.1.3 http
static (inside,outside) tcp 217.34.xxx.xxx https 10.1.1.3 https
access-list 101 permit tcp any host 217.34.xxx.xxx eq ftp
access-list 101 permit tcp any host 217.34.xxx.xxx eq http
access-list 101 permit tcp any host 217.34.xxx.xxx eq https
access-list 101 permit icmp any host 217.34.xxx.xxx echo-reply
access-list 101 permit icmp any host 217.34.xxx.xxx time-exceeded
access-list 101 permit icmp any host 217.34.xxx.xxx unreachable
access-group 101 in interface outside
no fixup protocol ftp 21
no fixup protocol dns
!--- Enable logging
logging on
logging trap 4
logging host 10.1.1.3
telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.50.0 255.255.255.0 inside
http server enable
http 10.0.0.0 255.0.0.0 inside
pdm history enable
!--- SSH for use with Putty
aaa authentication ssh console LOCAL
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
!--- Firewall details and passwords
hostname FIREWALL
domain-name C2.local
en pass *************
pass *************
ip local pool VPN_Pool 192.168.50.1-192.168.50.254
access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 101
!--- For Cisco VPN Client
sysopt connection permit-ipsec
crypto ipsec transform-set VPN_Trans esp-aes-256 esp-md5-hmac
crypto dynamic-map VPN_Dyn 10 set transform-set VPN_Trans
crypto map VPN_Crypto 10 ipsec-isakmp dynamic VPN_Dyn
crypto map VPN_Crypto interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup C2_VPNGROUP address-pool VPN_Pool
vpngroup C2_VPNGROUP wins-server 10.1.1.3
vpngroup C2_VPNGROUP dns-server 10.1.1.3
vpngroup C2_VPNGROUP default-domain c2.local
vpngroup C2_VPNGROUP split-tunnel 101
vpngroup C2_VPNGROUP idle-time 1800
vpngroup C2_VPNGROUP password *************
isakmp nat-traversal 20

paul.baird
Level 1

Fixed my own problem, moved the split-tunnel to its own access list and all worked fine.

access-list 102 permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 102
.
.
.
.
vpngroup C2_VPNGROUP split-tunnel 102
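The root cause in the original config is that access-list 101 was bound to three features at once (the outside interface ACL via access-group, nat 0 exemption, and the vpngroup split-tunnel list), so the interface permit lines were also pushed to VPN clients as split-tunnel entries. The following is an added checker, not code from the thread or from Cisco; it parses PIX 6.x style lines and flags an ACL that an access-group shares with nat 0 or split-tunnel. The config excerpts are constructed from the poster's lines.

```python
"""Flag a PIX access-list reused by an interface ACL and a VPN feature."""
import re
from collections import defaultdict

# Constructed excerpt of the poster's original (shared ACL 101) config.
BROKEN_CONFIG = """
access-list 101 permit tcp any host 217.34.xxx.xxx eq http
access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
access-group 101 in interface outside
nat (inside) 0 access-list 101
vpngroup C2_VPNGROUP split-tunnel 101
"""

# Constructed excerpt of the fix from the reply (separate ACL 102).
FIXED_CONFIG = """
access-list 101 permit tcp any host 217.34.xxx.xxx eq http
access-list 102 permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
access-group 101 in interface outside
nat (inside) 0 access-list 102
vpngroup C2_VPNGROUP split-tunnel 102
"""

# Each pattern captures the ACL id that a feature binds to.
REFERENCES = {
    "access-group": re.compile(r"^access-group\s+(\S+)\s+in\s+interface"),
    "nat0": re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)"),
    "split-tunnel": re.compile(r"^vpngroup\s+\S+\s+split-tunnel\s+(\S+)"),
}

def acl_references(config: str) -> dict:
    """Map ACL id -> sorted list of the features that reference it."""
    refs = defaultdict(set)
    for line in config.splitlines():
        for feature, pat in REFERENCES.items():
            m = pat.match(line.strip())
            if m:
                refs[m.group(1)].add(feature)
    return {acl: sorted(f) for acl, f in refs.items()}

def interface_acl_conflicts(config: str) -> dict:
    """ACLs applied with access-group that nat 0 or split-tunnel also use.
    Sharing nat 0 and split-tunnel is fine (the reply does it); sharing
    either with the interface ACL pushes interface ACEs to VPN clients and
    turns the VPN exemption ACE into an inbound permit on the interface."""
    return {a: f for a, f in acl_references(config).items()
            if "access-group" in f and len(f) > 1}

def split_tunnel_entries(config: str) -> list:
    """ACEs a VPN client would receive as its split-tunnel list."""
    ids = [a for a, f in acl_references(config).items() if "split-tunnel" in f]
    return [l.strip() for l in config.splitlines()
            if any(l.strip().startswith(f"access-list {a} ") for a in ids)]
```

Running it on BROKEN_CONFIG shows the interface http permit line landing in the split-tunnel list, while FIXED_CONFIG reports no conflict.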
