08-26-2007 06:54 AM - edited 03-11-2019 04:02 AM
I have a strange issue with split-tunnel operation on a PIX firewall.
There is a VPN client connection configured, which works fine. However, split tunnel is configured, which allows simultaneous access to the internal network and the internet. But by my reading of the configuration it shouldn't!! The split tunnel ACL matches any traffic, therefore only access to the internal network should be possible. What am I missing?
Here are sections of the config, the firewall is running PIX V7.0 software.
tunnel-group customer-Remote type ipsec-ra
tunnel-group customer-Remote general-attributes
address-pool remote-cust
authentication-server-group GG-VPN-Users LOCAL
authorization-server-group LOCAL
default-group-policy customer-Remote
group-policy customer-Remote internal
group-policy customer-Remote attributes
banner value Access to this device is strictly for customer employees only.
banner value This link is fully monitored and any unauthorized users will be prosecuted
banner value to the full extent of the law in the country in which the access was initiated.
dns-server value 172.30.2.3 195.110.64.205
split-tunnel-policy tunnelspecified
split-tunnel-network-list value customer-Remote_splitTunnelAcl
default-domain value int.customer.com
access-list customer-Remote_splitTunnelAcl; 1 elements
access-list customer-Remote_splitTunnelAcl line 1 standard permit any
08-28-2007 04:43 AM
Be more specific with your ACL - make it an extended ACL, allowing communication only between your remote clients and local networks.
I'm a bit confused by what you want, do you want to allow split tunneling or not?
08-28-2007 06:12 AM
I have inherited this configuration; split-tunneling is required, and is working with this configuration.
I just don't understand how it is working. From my understanding, the split-tunnel ACL defines the traffic that should go through the VPN. As it specifies "any", all traffic should go through, but it doesn't. If someone can explain why, I would be grateful.
08-28-2007 06:22 AM
Mark,
You are correct in your assumption.
While you are connected to the vpn, please open your client and select Status -> Statistics -> Route Details. On the Secured Routes pane you should see 0.0.0.0/0.0.0.0.
Is it possible you are using outside nat for the vpn clients? Something like this...
nat (outside) 1
global (outside) 1 interface
08-28-2007 07:08 AM
The secured routes are as you suggest, and there are no local LAN routes.
There are nat rules
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
and the IP addresses in the pool are included in the ACL inside_nat0_outbound.
However, I don't think the traffic is going through and then to the internet: if I run a tracert from my local PC to ftp.cisco.com, it takes the same route with the client running as without. The first hop is my local ADSL router in both cases.
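The replies above make the point that a tunnelspecified split-tunnel list whose only entry is "permit any" secures 0.0.0.0/0, i.e. it behaves as a full tunnel and any internet reachability then comes from the firewall's NAT, not from split tunneling. The following is an added example, not code from the thread, that audits a PIX/ASA-style config text for exactly that condition; the config sample is constructed to mirror the thread (the 172.30.2.0/24 network in the second policy is an assumption).

```python
import re

# Constructed sample modelled on the thread's config, not the poster's full config.
# The branch-Remote policy and the 172.30.2.0/24 network are assumed for contrast.
SAMPLE_CONFIG = """\
group-policy customer-Remote attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value customer-Remote_splitTunnelAcl
group-policy branch-Remote attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value branch_splitTunnelAcl
access-list customer-Remote_splitTunnelAcl line 1 standard permit any
access-list branch_splitTunnelAcl standard permit 172.30.2.0 255.255.255.0
"""

def parse_policies(config):
    """Map each group-policy name to its split-tunnel policy and network-list name."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes", line)
        if m:
            current = m.group(1)
            policies[current] = {"policy": None, "acl": None}
        elif current and (m := re.match(r"\s*split-tunnel-policy (\S+)", line)):
            policies[current]["policy"] = m.group(1)
        elif current and (m := re.match(r"\s*split-tunnel-network-list value (\S+)", line)):
            policies[current]["acl"] = m.group(1)
    return policies

def acl_entries(config, name):
    """Return the text after 'permit' for each standard ACL line of the named ACL.
    Accepts both 'access-list X standard ...' and the 'line N' form seen in show output."""
    pat = re.compile(rf"access-list {re.escape(name)} (?:line \d+ )?standard permit (.+)")
    return [m.group(1).strip() for m in map(pat.match, config.splitlines()) if m]

def audit_split_tunnel(config):
    """Flag tunnelspecified policies whose network list matches all traffic,
    which makes the client secure 0.0.0.0/0 (a full tunnel in practice)."""
    findings = []
    for name, info in parse_policies(config).items():
        if info["policy"] != "tunnelspecified" or not info["acl"]:
            continue
        entries = acl_entries(config, info["acl"])
        if any(e == "any" or e.startswith("0.0.0.0 0.0.0.0") for e in entries):
            findings.append((name, info["acl"], "permit any: all client traffic is tunnelled"))
    return findings

if __name__ == "__main__":
    for policy, acl, reason in audit_split_tunnel(SAMPLE_CONFIG):
        print(f"{policy}: split-tunnel list {acl} - {reason}")
```

Running it on the sample reports only customer-Remote; a list that names specific internal networks, as the second policy does, is what actually yields split tunneling.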