VPN Split Tunnel & Group policy

Apr 9th, 2008

I'm working with a PIX (V7.2 code) that is set up to only do IPSec connections via the internet. I am trying to add the ability to make unencrypted, non-IPSec connections to the internet.


In a previous forum post someone suggested I should do split-tunneling. I looked at some Cisco docs but I am having a hard time grasping the group policy stuff.


Below is my existing IPSec VPN config.


Can someone give me an example of how to do the split-tunneling/group policy configs as it relates to my situation.


Thanks


Michael



interface Ethernet0
 description to the outside
 nameif outside
 security-level 0
 ip address 2.100.211.40 255.255.255.0
 ospf cost 10
!
interface Ethernet1
 description internal office
 nameif internal_net
 security-level 100
 ip address 10.11.28.100 255.255.255.0
 ospf cost 10
!
! Remote networks at the CoLo, reached over the L2L tunnel
object-group network CoLo
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.20.0 255.255.255.0
!
! Interesting traffic for the crypto map, and the NAT-exemption ACL with the same match
access-list outside_20_cryptomap extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
access-list outside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
!
access-list outside_access_in extended permit ip any 2.100.211.40 255.255.255.252 log
access-list outside_access_in extended permit icmp 10.0.10.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit icmp 10.0.20.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit tcp 10.0.20.0 255.255.255.0 10.11.28.0 255.255.255.0 eq smtp log
access-list outside_access_in extended permit tcp object-group CoLo 10.11.28.0 255.255.255.0 eq 1111 log
!
access-list internal_net_access_in extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
!
nat (outside) 0 access-list outside_nat0_outbound
!
route outside 0.0.0.0 0.0.0.0 2.100.211.1 1
!
! Decrypted VPN traffic is subject to the interface ACLs (outside_access_in above)
no sysopt connection permit-vpn
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 6.45.82.108
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 6.45.82.108 type ipsec-l2l
tunnel-group 6.45.82.108 ipsec-attributes
 pre-shared-key *



acomiskey Wed, 04/09/2008 - 09:27

This is for a lan to lan tunnel?


Any traffic which is not defined in "outside_20_cryptomap" will not be part of the vpn tunnel and will go out unencrypted. You don't need split tunneling. I would add...


global (outside) 1 interface
nat (inside) 1 0 0


Your nat exemption statement appears to be applied to the wrong interface. Should be...


nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo


mvhurley9 Wed, 04/09/2008 - 09:57

Yes this is a lan to lan tunnel. The end points are the outside interfaces of 2 PIXs. I do not have access to the PIX at the CoLo.


I was hoping we did not have to do the split-tunnel stuff - seemed rather complicated.


Last night we tried the global (outside) 1 interface and nat (inside) 1 0 0 commands, and it broke the existing IPSec/VPN connection to the CoLo. Direct outbound access to the internet worked. When we removed the commands the VPN tunnels to the CoLo started working again.



As for the following existing config lines, they have been working for some time. I would be reluctant to change them since they are working.


nat (outside) 0 access-list outside_nat0_outbound
access-list outside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo




acomiskey Wed, 04/09/2008 - 10:03

The only reason those lines are currently working (actually, they're not doing anything) is because you are not natting anyway, on the inside or the outside. The correct setup is...


global (outside) 1 interface
nat (inside) 1 0 0

nat (outside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo


Also, the reason adding the nat and global broke the tunnel is because you are then natting and do not have the correct nat exemption acl (inside_nat0_outbound) in place.


The config above will allow traffic to be exempted from nat when travelling across the tunnel and allow traffic destined to the internet to be port address translated to the outside interface.

mvhurley9 Wed, 04/09/2008 - 11:34

Sorry I'm having trouble understanding how the access list works. I thought the “inside_nat0_outbound” part is just a name and the nat statement relates to the actual interface.


I have to work on something else right now, but I will look at your suggestion more closely and see if we can make changes tonight.


Thanks,


Michael



acomiskey Wed, 04/09/2008 - 11:47

Yes, you are right. You could leave the name of the acl as "outside_nat0_outbound". The important part is "nat (inside) 0".


I just changed the name so it made more sense.


Oops, just realized my typo, sorry. It should be...


global (outside) 1 interface
nat (inside) 1 0 0

nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
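
The two explanations above (why adding nat/global broke the tunnel, and why the exemption must be on the inside interface) come down to the PIX order of operations: NAT exemption is checked first on the interface it is bound to, then dynamic PAT, and only then is the post-NAT packet matched against the crypto-map ACL. The following is an added illustration written for this thread, not Cisco code and not from either poster; it models that order for the three configurations discussed (the original, the first attempt with PAT but nat 0 still on outside, and the corrected one) using the addresses from the posted config and a constructed internet destination, 198.51.100.7. It leaves out statics, policy NAT and nat-control, which the thread does not use. One caveat worth checking against the posted config: the inside interface's nameif is internal_net, so on this box the nat lines take that name, i.e. nat (internal_net) 1 0 0 and nat (internal_net) 0 access-list ..., rather than the generic "inside" used in the replies.

```python
"""Constructed model of a PIX 7.2 outbound path (added example for this thread):
NAT exemption -> dynamic PAT -> crypto-map ACL match on the post-NAT packet.
Simplified: no statics, no policy NAT, nat-control assumed off (7.x default)."""
import ipaddress
from dataclasses import dataclass

# Addresses taken from the posted config.
INSIDE_NET = ipaddress.ip_network("10.11.28.0/24")          # internal_net subnet
COLO = [ipaddress.ip_network("10.0.10.0/24"),
        ipaddress.ip_network("10.0.20.0/24")]                # object-group CoLo
OUTSIDE_IF = ipaddress.ip_address("2.100.211.40")            # global (outside) 1 interface


def acl_permits(src, dst):
    """'permit ip 10.11.28.0 255.255.255.0 object-group CoLo': the one line shared by
    the NAT-exemption ACL and the outside_20_cryptomap ACL."""
    return src in INSIDE_NET and any(dst in net for net in COLO)


@dataclass(frozen=True)
class Verdict:
    post_nat_src: str   # source address after translation
    encrypted: bool     # True if the post-NAT packet matches the crypto-map ACL
    note: str


def outbound(src, dst, *, nat0_on_inside, dynamic_pat):
    """src/dst: dotted-quad strings.
    nat0_on_inside: True models 'nat (inside) 0 access-list ...';
                    False models the poster's 'nat (outside) 0 ...'.
    dynamic_pat:    True models 'nat (inside) 1 0 0' + 'global (outside) 1 interface'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Step 1: NAT exemption wins over any dynamic rule, but only on the interface it is
    # bound to. A nat 0 bound to 'outside' never sees traffic entering on the inside.
    if nat0_on_inside and acl_permits(src_ip, dst_ip):
        post, how = src_ip, "exempt from NAT (nat 0)"
    # Step 2: dynamic PAT for everything else matching 'nat (inside) 1 0 0'.
    elif dynamic_pat:
        post, how = OUTSIDE_IF, "PAT to outside interface address"
    # Step 3: no matching rule and nat-control off: forwarded untranslated.
    else:
        post, how = src_ip, "no translation rule; forwarded with original source"
    # Step 4: the crypto map is consulted after NAT, so the ACL must match the post-NAT
    # source. A PAT'd source of 2.100.211.40 is not in 10.11.28.0/24, so no IPSec.
    encrypted = acl_permits(post, dst_ip)
    return Verdict(str(post), encrypted, how)


def scenarios(dst, src="10.11.28.5"):
    """The three configurations from the thread, applied to one inside host -> dst."""
    return {
        "original":  outbound(src, dst, nat0_on_inside=False, dynamic_pat=False),
        "first_try": outbound(src, dst, nat0_on_inside=False, dynamic_pat=True),
        "corrected": outbound(src, dst, nat0_on_inside=True,  dynamic_pat=True),
    }


if __name__ == "__main__":
    # 10.0.10.25 is a host in object-group CoLo; 198.51.100.7 is a constructed internet host.
    for dst in ("10.0.10.25", "198.51.100.7"):
        for name, v in scenarios(dst).items():
            print(f"{name:9s} -> {dst:13s} src={v.post_nat_src:13s} ipsec={v.encrypted!s:5s} {v.note}")
```

Running it reproduces the thread: with the original config the CoLo traffic is encrypted only because nothing translates it, and internet-bound traffic leaves with a 10.11.28.x source; the first attempt PATs CoLo traffic to 2.100.211.40 so it no longer matches the crypto ACL and the tunnel breaks; the corrected config exempts CoLo traffic and PATs everything else.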

mvhurley9 Wed, 04/09/2008 - 12:39

Thanks! I will find out when we can try this and let you know how it goes.

mvhurley9 Fri, 04/11/2008 - 08:05

Hey Adam,


Your suggested config worked. Thanks for your help.


Michael

acomiskey Fri, 04/11/2008 - 08:07

Good to hear. Feel free to rate any helpful posts.

acomiskey Wed, 04/09/2008 - 10:33

It's already been discussed that we are not talking about remote access vpn here.
