Split-tunnel Problem

Unanswered Question
Aug 26th, 2007

I have a strange issue with split-tunnel operation on a PIX firewall.

There is a VPN client connection configured, which works fine. However, split tunnel is configured, which allows simultaneous access to the internal network and the internet. But by my reading of the configuration it shouldn't!! The split tunnel ACL matches any traffic, therefore only access to the internal network should be possible. What am I missing?

Here are sections of the config; the firewall is running PIX V7.0 software.

tunnel-group customer-Remote type ipsec-ra
tunnel-group customer-Remote general-attributes
 address-pool remote-cust
 authentication-server-group GG-VPN-Users LOCAL
 authorization-server-group LOCAL
 default-group-policy customer-Remote
group-policy customer-Remote internal
group-policy customer-Remote attributes
 banner value Access to this device is strictly for customer employees only.
 banner value This link is fully monitored and any unauthorized users will be prosecuted
 banner value to the full extent of the law in the country in which the access was initiated.
 dns-server value 172.30.2.3 195.110.64.205
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value customer-Remote_splitTunnelAcl
 default-domain value int.customer.com
access-list customer-Remote_splitTunnelAcl; 1 elements
access-list customer-Remote_splitTunnelAcl line 1 standard permit any

srue Tue, 08/28/2007 - 04:43

Be more specific with your ACL - make it an extended ACL, allowing communication only between your remote clients and local networks.

I'm a bit confused by what you want, do you want to allow split tunneling or not?

mark.j.hodge Tue, 08/28/2007 - 06:12

I have inherited this configuration; split-tunneling is required, and is working with this configuration.

I just don't understand how it is working. From my understanding the split-tunnel ACL defines the traffic that should go through the VPN. As it specifies "any", all traffic should go through, but it doesn't. If someone can explain why I would be grateful.

acomiskey Tue, 08/28/2007 - 06:22

Mark,

You are correct in your assumption.

While you are connected to the vpn, please open your client and select Status -> Statistics -> Route Details. On the Secured Routes pane you should see 0.0.0.0/0.0.0.0.

Is it possible you are using outside nat for the vpn clients? Something like this...

nat (outside) 1 outside
global (outside) 1 interface
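To make the ACL semantics and acomiskey's NAT hypothesis concrete, here is an added Python helper; it is not code from the thread or from Cisco. It parses the relevant PIX 7.x lines (split-tunnel-policy, the standard ACL the policy points at, and nat/global statements), reports the prefixes a client will treat as Secured Routes, and flags whether an outside-to-outside NAT pair is present. The first config string is constructed from the lines quoted in the thread plus a hypothetical hairpin-NAT pair; the second is an assumed tighter network list in the spirit of srue's suggestion, with made-up address ranges.

```python
import ipaddress
import re

# Constructed sample, not a live device dump: the split-tunnel lines quoted in
# the thread plus a hypothetical outside-to-outside NAT pair of the kind
# acomiskey asked about.
SAMPLE_CONFIG = """\
group-policy customer-Remote attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value customer-Remote_splitTunnelAcl
access-list customer-Remote_splitTunnelAcl standard permit any
nat (outside) 1 outside
global (outside) 1 interface
"""

# Constructed tighter list in the spirit of srue's suggestion; the address
# ranges are assumptions, not the poster's real internal networks.
SPECIFIC_CONFIG = """\
group-policy customer-Remote attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value customer-Remote_splitTunnelAcl
access-list customer-Remote_splitTunnelAcl standard permit 172.30.0.0 255.255.0.0
access-list customer-Remote_splitTunnelAcl standard permit host 195.110.64.205
"""

ACL_RE = re.compile(r"^access-list (\S+) standard permit (.+)$")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (.+)$")


def parse_pix(text):
    """Collect the split-tunnel policy, standard ACL entries and nat/global lines."""
    cfg = {"policy": None, "acl_name": None, "acls": {}, "nat": [], "global": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("split-tunnel-policy "):
            cfg["policy"] = line.split()[1]
        elif line.startswith("split-tunnel-network-list value "):
            cfg["acl_name"] = line.split()[-1]
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m.group(1), []).append(m.group(2))
        elif m := NAT_RE.match(line):
            cfg["nat"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := GLOBAL_RE.match(line):
            cfg["global"].append((m.group(1), int(m.group(2)), m.group(3)))
    return cfg


def entry_to_network(entry):
    """Turn a standard-ACL target ('any', 'host A.B.C.D' or 'NET MASK') into a network."""
    parts = entry.split()
    if parts == ["any"]:
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(f"{parts[1]}/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def secured_routes(cfg):
    """Prefixes the client sends into the tunnel (what Route Details lists as Secured Routes)."""
    # PIX/ASA default policy is tunnelall when none is configured
    if cfg["policy"] in (None, "tunnelall"):
        return ["0.0.0.0/0"]
    nets = [entry_to_network(e) for e in cfg["acls"].get(cfg["acl_name"], [])]
    if cfg["policy"] == "tunnelspecified":
        return [str(n) for n in nets]
    # excludespecified: everything except the listed networks goes through the tunnel
    return [f"all except {n}" for n in nets]


def has_hairpin_nat(cfg):
    """True when traffic entering 'outside' is translated and sent back out 'outside'."""
    global_ids = {gid for iface, gid, _ in cfg["global"] if iface == "outside"}
    return any(iface == "outside" and target.split()[-1] == "outside" and nid in global_ids
               for iface, nid, target in cfg["nat"])


def assess(text):
    """Return (secured routes, findings) for a config fragment."""
    cfg = parse_pix(text)
    routes = secured_routes(cfg)
    findings = []
    if "0.0.0.0/0" in routes:
        findings.append("full tunnel: every client packet enters the VPN, so internet "
                        "reachability depends on what the headend does with it")
    if has_hairpin_nat(cfg):
        findings.append("hairpin NAT on outside: tunneled internet traffic is translated "
                        "and sent back out the outside interface")
    if not findings:
        findings.append("true split tunnel: only the listed networks are secured")
    return routes, findings


if __name__ == "__main__":
    for name, text in (("as posted", SAMPLE_CONFIG), ("specific list", SPECIFIC_CONFIG)):
        routes, findings = assess(text)
        print(name, routes)
        for f in findings:
            print("  -", f)
```

Run against the posted lines it reports a single 0.0.0.0/0 secured route, which is exactly what the client's Route Details pane shows and why "permit any" under tunnelspecified behaves like a full tunnel; whether that full-tunnelled traffic then reaches the internet is a headend question (hairpin NAT or an internal route), not a client one.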

mark.j.hodge Tue, 08/28/2007 - 07:08

The secured routes are as you suggest, and there are no local LAN routes.

There are NAT rules

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

and the IP addresses in the pool are included in the ACL inside_nat0_outbound.

However, I don't think the traffic is going through and then to the internet; if I run a tracert from my local PC to ftp.cisco.com, it takes the same route with the client running as without. The first hop is my local ADSL router in both cases.
