Split Tunnel with PIX 515 6.3(4)

slayerhawk
Level 1

Hi all. Has anyone successfully allowed inbound VPN connections access to the Internet using this version of PIX? I have a proxy server, but want to remove it from the network. Any thoughts?

Thanks

12 Replies

acomiskey
Level 10

You can set up split tunneling like so...

access-list <acl_name> permit ip <internal_network> <mask> <vpn_client_subnet> <mask>

vpngroup <group_name> split-tunnel <acl_name>

So if the tunnel group name is vpngroup, the networks you want to vpn to are 192.168.1.0 and 192.168.2.0, and the vpn client subnet is 192.168.50.0 then...

access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list split_tunnel permit ip 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0

vpngroup vpngroup split-tunnel split_tunnel

Please rate helpful posts.

Do you know if this works with my PIX version?

Sure it does.

My internal subnets are 172.17.x.x and 172.16.x.x. My VPN clients get a range of 12.168.201.x.

I want to give the 192.168.201.x subnet access to the Internet while they are connected via VPN.

Sorry, I'm new to PIX.

I think it is better to clarify here, as there are 2 possible situations:

1) PC connects to PIX by VPN, but all the Internet traffic bypasses the VPN tunnel and goes out directly from this PC to the Internet

2) PC connects to PIX and all traffic is tunneled through the VPN tunnel only, including Internet access - i.e. PC accesses the Internet through the VPN tunnel, then through the PIX, then only to the Internet

Option 1 is available on any PIX and this is what split tunnel does, see post above.

Option 2 is possible only if your PIX has OS version 7.x or higher.

So please clarify what you are trying to achieve

If you provide any document on both options, it would be great.

Yuri,

I want to setup option 2 can you point me to some documentation on this configuration or if you have an example config that would be great.

Here is example from Cisco:

"PIX/ASA 7.x and VPN Client for Public Internet VPN on a Stick Configuration Example"

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

Regards,

Yuri.

I used this but it doesn't work?

access-list 90 permit ip 172.17.0.0 255.255.0.0 192.168.200.0 255.255.255.0

vpngroup bfpvpn split-tunnel 90

Do I have to apply access-list 90 to the inbound interface? I currently have the following:

access-group 30 in interface outside

access-group 200 in interface inside

access-group 101 in interface dmz1

"My VPN clients get a range of 12.168.201.x.

I want to give the 192.168.201.x subnet access to the Internet while they are connected via VPN."

-So is the vpn pool 12.168.201.x or 192.168.201.x? If it's 12.168.201.x like you said above then...

access-list 90 permit ip 172.17.0.0 255.255.0.0 12.168.201.0 255.255.255.0

vpngroup bfpvpn split-tunnel 90
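The two posts above (the generic split-tunnel template and the corrected access-list 90) can be pulled together into one complete PIX 6.3 configuration. The following is an added example, not config from the thread or from Cisco: it assumes the VPN pool is 192.168.201.0/24 (the thread gives both 12.168.201.x and 192.168.201.x, so substitute whichever network your `ip local pool` actually defines), that the internal networks are 172.16.0.0/16 and 172.17.0.0/16 as stated by the original poster, and that the group name is bfpvpn. The ACL name `split_tunnel_acl` and the pool name `vpnpool` are placeholders.

```text
! Added example (not from the thread). Pool address range is an assumption;
! it must match the subnet used in both ACLs below.
ip local pool vpnpool 192.168.201.1-192.168.201.254

! Split-tunnel ACL: source = internal networks, destination = VPN pool.
! Only destinations matched here are sent into the tunnel by the client;
! everything else (the Internet) leaves the client directly (option 1).
access-list split_tunnel_acl permit ip 172.16.0.0 255.255.0.0 192.168.201.0 255.255.255.0
access-list split_tunnel_acl permit ip 172.17.0.0 255.255.0.0 192.168.201.0 255.255.255.0

! NAT exemption so traffic between the inside networks and the pool is not translated.
access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.201.0 255.255.255.0
access-list nonat permit ip 172.17.0.0 255.255.0.0 192.168.201.0 255.255.255.0
nat (inside) 0 access-list nonat

! Bind the pool and the split-tunnel ACL to the group. This ACL is not
! applied with access-group; it is referenced only by vpngroup.
vpngroup bfpvpn address-pool vpnpool
vpngroup bfpvpn split-tunnel split_tunnel_acl

! Verification after a client connects:
!   show vpngroup bfpvpn        - confirms the split-tunnel ACL is bound
!   show access-list split_tunnel_acl - hit counts rise only for tunneled traffic
```

The most common reason the earlier attempt "doesn't work" is exactly the mismatch discussed above: the destination subnet in the split-tunnel ACL must be the pool the client actually receives, otherwise the client is handed an empty route list and either tunnels everything or nothing. Note the trade-off of option 1: while connected, the client's Internet traffic is no longer inspected by the PIX, so the client's own host firewall and patch level become the only controls on that path.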

santukumar
Level 1

You can do it easily through PDM, i.e. the PIX GUI. The only thing is to look up each and every option, and you must be careful to check the split tunnel check box before you apply in the process.

I just wanted to point out that my clients are using PPTP not IPSEC. How can I make this happen using PPTP?
