04-09-2008 08:56 AM
I'm working with a PIX (V7.2 code) that is set up to only do IPSec connections via the internet. I am trying to add the ability to make unencrypted non IPSec connections to the internet.
In a previous forum post someone suggested I should do split-tunneling. I looked at some Cisco docs but I am having a hard time grasping the group policy stuff.
Below is my existing IPSec VPN config.
Can someone give me an example of how to do the split-tunneling/group policy configs as it relates to my situation.
Thanks
Michael
interface Ethernet0
description to the outside
nameif outside
security-level 0
ip address 2.100.211.40 255.255.255.0
ospf cost 10
!
interface Ethernet1
description internal office
nameif internal_net
security-level 100
ip address 10.11.28.100 255.255.255.0
ospf cost 10
object-group network CoLo
network-object 10.0.10.0 255.255.255.0
network-object 10.0.20.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
access-list outside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
access-list outside_access_in extended permit ip any 2.100.211.40 255.255.255.252 log
access-list outside_access_in extended permit icmp 10.0.10.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit icmp 10.0.20.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit tcp 10.0.20.0 255.255.255.0 10.11.28.0 255.255.255.0 eq smtp log
access-list outside_access_in extended permit tcp object-group CoLo 10.11.28.0 255.255.255.0 eq 1111 log
access-list internal_net_access_in extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
nat (outside) 0 access-list outside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 2.100.211.1 1
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 6.45.82.108
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 6.45.82.108 type ipsec-l2l
tunnel-group 6.45.82.108 ipsec-attributes
pre-shared-key *
04-09-2008 09:27 AM
This is for a lan to lan tunnel?
Any traffic which is not defined in "outside_20_cryptomap" will not be part of the vpn tunnel and will go out unencrypted. You don't need split tunneling. I would add...
global (outside) 1 interface
nat (inside) 1 0 0
Your nat exemption statement appears to be applied to the wrong interface. Should be...
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
04-09-2008 09:57 AM
Yes this is a lan to lan tunnel. The end points are the outside interfaces of 2 PIXs. I do not have access to the PIX at the CoLo.
I was hoping we did not have to do the split-tunnel stuff - seemed rather complicated.
Last night we tried the
global (outside) 1 interface &
nat (inside) 1 0 0 commands and it broke the existing IPSec/VPN connection to the CoLo.
Direct outbound access to the internet worked.
When we removed the commands the VPN tunnels to the CoLo started working again.
As for the following existing config lines, they have been working for some time. I would be reluctant to change them since they are working.
nat (outside) 0 access-list outside_nat0_outbound
access-list outside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
04-09-2008 10:03 AM
The only reason those lines are currently working (actually they're not doing anything) is because you are not natting anyway, on the inside or outside. The correct setup is...
global (outside) 1 interface
nat (inside) 1 0 0
nat (outside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
Also, the reason adding the nat and global broke the tunnel is because you are then natting and do not have the correct nat exemption acl (inside_nat0_outbound) in place.
The config above will allow traffic to be exempted from nat when travelling across the tunnel and allow traffic destined to the internet to be port address translated to the outside interface.
04-09-2008 11:34 AM
Sorry, I'm having trouble understanding how the access list works. I thought the "inside_nat0_outbound" part is just a name and the nat statement relates to the actual interface.
I have to work on something else right now, but I will look at your suggestion more closely and see if we can make changes tonight.
Thanks,
Michael
04-09-2008 11:47 AM
Yes, you are right. You could leave the name of the acl as "outside_nat0_outbound". The important part is "nat (inside) 0".
I just changed the name so it made more sense.
Oops, just realized my typo, sorry. It should be...
global (outside) 1 interface
nat (inside) 1 0 0
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
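The two mistakes this thread walks through (the nat 0 exemption applied on the outside interface, and a nat/global pair added without a covering exemption so tunnel traffic gets PATed) are easy to spot by eye on a short config but not on a long one. The script below is an added example, not code from this thread and not a Cisco tool: it parses the PIX 7.2 statements that matter (interfaces, network object-groups, access-lists, nat/global, crypto map match address) and reports those conditions. Interface names, subnets and ACL names are taken from the posted config; note that the posted inside nameif is internal_net, so the "nat (inside) ..." lines in the replies become "nat (internal_net) ..." on this box. The checker assumes the protected LAN is directly connected to that interface, as it is here; routed internal subnets would need a route table lookup instead. The three sample configs at the bottom are constructed to match the thread's sequence: as posted, after the nat/global lines broke the tunnel, and the working result.

```python
"""Added example for this thread, not a Cisco tool and not code from the posts.
Reads interfaces, network object-groups, access-lists, nat/global and 'crypto
map ... match address' from a PIX/ASA 7.x config and flags a nat 0 exemption on
the wrong interface, tunnel traffic that would be PATed with no covering
exemption, and a config that translates nothing. Sample configs are constructed."""
import ipaddress
import re

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _operand(tok, i, groups):
    """Consume one ACL address operand at tok[i]: any | object-group G | ADDR MASK."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "object-group":
        return list(groups.get(tok[i + 1], [])), i + 2
    return [_net(tok[i], tok[i + 1])], i + 2

def parse_config(text):
    cfg = {"ifaces": {}, "groups": {}, "acls": {}, "nat": [], "globals": [], "crypto_acls": []}
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("!")]
    block = None  # current 'interface' dict or 'object-group network' list
    for line in lines:  # pass 1: interfaces and groups (ACL entries refer to groups)
        tok = line.split()
        if tok[0] == "interface":
            block = {"net": None}
        elif tok[:2] == ["object-group", "network"]:
            block = cfg["groups"].setdefault(tok[2], [])
        elif isinstance(block, dict) and tok[0] == "nameif":
            cfg["ifaces"][tok[1]] = block
        elif isinstance(block, dict) and tok[:2] == ["ip", "address"]:
            block["net"] = _net(tok[2], tok[3])
        elif isinstance(block, list) and tok[0] == "network-object":
            block.append(_net(tok[1], tok[2]))
    for line in lines:  # pass 2: ACL entries, nat/global pairs, crypto map bindings
        tok = line.split()
        if tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            src, i = _operand(tok, 5, cfg["groups"])
            cfg["acls"].setdefault(tok[1], []).append((src, _operand(tok, i, cfg["groups"])[0]))
        elif (m := re.match(r"nat \((\S+)\) (\d+)(?: access-list (\S+))?", line)):
            cfg["nat"].append({"iface": m[1], "id": int(m[2]), "acl": m[3]})
        elif (m := re.match(r"global \((\S+)\) (\d+)", line)):
            cfg["globals"].append({"iface": m[1], "id": int(m[2])})
        elif (m := re.match(r"crypto map \S+ \d+ match address (\S+)", line)):
            cfg["crypto_acls"].append(m[1])
    return cfg

def _home(cfg, net):
    """Interface whose connected subnet holds net; assumes a directly connected LAN."""
    return next((n for n, i in cfg["ifaces"].items()
                 if i["net"] is not None and net.subnet_of(i["net"])), None)

def _exempt(cfg, iface, src, dst):
    """True if some 'nat (iface) 0 access-list' entry covers src -> dst."""
    return any(any(src.subnet_of(s) for s in esrc) and any(dst.subnet_of(d) for d in edst)
               for r in cfg["nat"] if r["id"] == 0 and r["iface"] == iface and r["acl"]
               for esrc, edst in cfg["acls"].get(r["acl"], []))

def check_nat_exemption(cfg):
    findings = []
    gids = {g["id"] for g in cfg["globals"]}
    # Hosts behind these interfaces really get translated: a nat id paired with a global.
    translated = {r["iface"] for r in cfg["nat"] if r["id"] and r["id"] in gids}
    if not translated:
        findings.append("no nat/global pair: nothing is translated, so the nat 0 exemption has no effect")
    for r in (r for r in cfg["nat"] if r["id"] == 0 and r["acl"]):  # 1. exemption on the LAN side
        for srcs, _ in cfg["acls"].get(r["acl"], []):
            for src in srcs:
                home = _home(cfg, src)
                if home and home != r["iface"]:
                    findings.append(f"nat ({r['iface']}) 0 access-list {r['acl']}: {src} sits "
                                    f"behind '{home}', use nat ({home}) 0")
    for acl in cfg["crypto_acls"]:  # 2. each tunnel flow from a translated interface needs one
        for srcs, dsts in cfg["acls"].get(acl, []):
            for src in srcs:
                home = _home(cfg, src)
                for dst in dsts:
                    if home in translated and not _exempt(cfg, home, src, dst):
                        findings.append(f"crypto map ACL {acl}: {src} -> {dst} would be PATed "
                                        f"on '{home}' with no covering nat ({home}) 0 exemption")
    return findings

# Constructed from the thread's config (only what the checks need); inside nameif is internal_net.
BASE = """
interface Ethernet1
 nameif internal_net
 ip address 10.11.28.100 255.255.255.0
object-group network CoLo
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.20.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
access-list outside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
crypto map outside_map 20 match address outside_20_cryptomap
"""
AS_POSTED = BASE + "nat (outside) 0 access-list outside_nat0_outbound\n"
PAT_ADDED = AS_POSTED + "global (outside) 1 interface\nnat (internal_net) 1 0 0\n"  # broke the tunnel
FIXED = BASE + ("global (outside) 1 interface\nnat (internal_net) 1 0 0\n"
                "nat (internal_net) 0 access-list outside_nat0_outbound\n")
```

Running check_nat_exemption(parse_config(...)) on AS_POSTED reports the exemption on the wrong interface plus the fact that nothing is translated; on PAT_ADDED it reports the wrong interface and both CoLo subnets in the crypto map ACL being PATed with no exemption on internal_net (which is why the tunnel stopped); on FIXED it reports nothing. The exemption ACL name is irrelevant to the check, as the reply above says; only the interface in the nat statement and the networks in the ACL matter. On the box itself, after the change, `show xlate` while pinging a CoLo host should show no translation for 10.11.28.x to 10.0.10.x/10.0.20.x, and on 7.2 code `packet-tracer input internal_net icmp 10.11.28.10 8 0 10.0.10.10` walks the NAT exemption and crypto map phases for a single flow.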
04-09-2008 12:39 PM
Thanks! I will find out when we can try this and let you know how it goes.
04-11-2008 08:05 AM
Hey Adam,
Your suggested config worked. Thanks for your help.
Michael
04-11-2008 08:07 AM
Good to hear. Feel free to rate any helpful posts.
04-09-2008 10:31 AM
This configuration doesn't have Remote Access IPSec commands added yet? Anyways, split tunneling is a concept only for Remote Access. Please see:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
04-09-2008 10:33 AM
It's already been discussed that we are not talking about remote access vpn here.