10-26-2007 10:41 AM - edited 02-21-2020 01:44 AM
Hi all. Has anyone successfully allowed inbound VPN connections access to the Internet using this version of PIX? I have a proxy server, but want to remove it from the network. Any thoughts?
Thanks
10-26-2007 10:44 AM
You can set up split tunneling like so...
access-list split-tunnel
vpngroup
So if the tunnel group name is vpngroup, the networks you want to vpn to are 192.168.1.0 and 192.168.2.0, and the vpn client subnet is 192.168.50.0 then...
access-list split-tunnel permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list split-tunnel permit ip 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0
vpngroup vpngroup split-tunnel split-tunnel
Please rate helpful posts.
10-26-2007 12:47 PM
Do you know if this works with my PIX version?
10-26-2007 12:50 PM
Sure it does.
10-26-2007 12:58 PM
My internal subnets are 172.17.x.x and 172.16.x.x. My VPN clients get a range of 12.168.201.x.
I want to give the 192.168.201.x subnet access to the Internet while they are connected via VPN.
Sorry, I'm new to PIX.
10-26-2007 05:01 PM
I think it is better to clarify here, as there are 2 possible situations:
1) PC connects to PIX by VPN, but all the Internet traffic bypasses the VPN tunnel and goes out directly from this PC to the Internet
2) PC connects to PIX and all traffic is tunneled through the VPN tunnel only, including Internet access - i.e. PC accesses the Internet through the VPN tunnel, then through the PIX, then only to the Internet
Option 1 is available on any PIX and this is what split tunnel does, see post above.
Option 2 is possible only if your PIX has OS version 7.x or higher.
So please clarify what you are trying to achieve
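The two options above side by side, as an added configuration example that is not from this thread or from Cisco's document. It assumes the thread's internal subnets (172.16.0.0/16, 172.17.0.0/16), an assumed VPN pool of 192.168.201.0/24, the group name bfpvpn, and that ISAKMP, the crypto map and the group password are already configured; only the split-tunnel, NAT and hairpin lines that differ between the two options are shown.

```cisco
! ---- Option 1: split tunnel (PIX 6.x syntax) ----
! Only corporate subnets are sent through the tunnel; the client reaches the
! Internet directly, so the PIX never sees or filters that traffic.
ip local pool vpnpool 192.168.201.1-192.168.201.254
! split-tunnel ACL: source = protected network, destination = VPN pool
access-list split-tunnel permit ip 172.16.0.0 255.255.0.0 192.168.201.0 255.255.255.0
access-list split-tunnel permit ip 172.17.0.0 255.255.0.0 192.168.201.0 255.255.255.0
! exempt inside <-> pool traffic from NAT so replies go back into the tunnel
access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.201.0 255.255.255.0
access-list nonat permit ip 172.17.0.0 255.255.0.0 192.168.201.0 255.255.255.0
nat (inside) 0 access-list nonat
! the split-tunnel ACL is NOT applied with access-group; it is bound to the group
vpngroup bfpvpn address-pool vpnpool
vpngroup bfpvpn split-tunnel split-tunnel

! ---- Option 2: tunnel everything, Internet via the PIX (7.x syntax) ----
! All client traffic enters and leaves on the outside interface (hairpin),
! which 7.x allows only with intra-interface forwarding enabled.
same-security-traffic permit intra-interface
ip local pool vpnpool 192.168.201.1-192.168.201.254
access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.201.0 255.255.255.0
access-list nonat permit ip 172.17.0.0 255.255.0.0 192.168.201.0 255.255.255.0
nat (inside) 0 access-list nonat
! PAT the VPN pool to the outside address when it goes back out to the Internet
nat (outside) 1 192.168.201.0 255.255.255.0
global (outside) 1 interface
group-policy bfpvpn internal
group-policy bfpvpn attributes
 split-tunnel-policy tunnelall
tunnel-group bfpvpn type ipsec-ra
tunnel-group bfpvpn general-attributes
 address-pool vpnpool
 default-group-policy bfpvpn
```

With option 2 the outside ACL and the PIX's NAT and inspection apply to the clients' Internet traffic, which is what removing the proxy loses under option 1.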
10-26-2007 08:35 PM
If you provide any document on both options, it would be great.
11-02-2007 05:47 AM
Yuri,
I want to setup option 2 can you point me to some documentation on this configuration or if you have an example config that would be great.
11-03-2007 04:09 PM
Here is example from Cisco:
"PIX/ASA 7.x and VPN Client for Public Internet VPN on a Stick Configuration Example"
Regards,
Yuri.
10-26-2007 07:58 PM
I used this but it doesn't work?
access-list 90 permit ip 172.17.0.0 255.255.0.0 192.168.200.0 255.255.255.0
vpngroup bfpvpn split-tunnel 90
Do I have to apply access-list 90 to the inbound interface? I currently have the following:
access-group 30 in interface outside
access-group 200 in interface inside
access-group 101 in interface dmz1
10-27-2007 04:57 AM
"My VPN clients get a range of 12.168.201.x.
I want to give the 192.168.201.x subnet access to the Internet while they are connected via VPN."
-So is the vpn pool 12.168.201.x or 192.168.201.x? If it's 12.168.201.x like you said above then...
access-list 90 permit ip 172.17.0.0 255.255.0.0 12.168.201.0 255.255.255.0
vpngroup bfpvpn split-tunnel 90
10-30-2007 10:46 PM
You can do it easily through PDM, i.e. the PIX GUI. The only thing is to look up each and every option, and you must be careful to check the split tunnel check box before applying in the process.
10-31-2007 06:33 AM
I just wanted to point out that my clients are using PPTP not IPSEC. How can I make this happen using PPTP?