VPN Split Tunnel & Group policy

mvhurley9
Level 1

I'm working with a PIX (V7.2 code) that is set up to only do IPSec connections via the internet. I am trying to add the ability to make unencrypted non IPSec connections to the internet.

In a previous forum post someone suggested I should do split-tunneling. I looked at some Cisco docs but I am having a hard time grasping the group policy stuff.

Below is my existing IPSec VPN config.

Can someone give me an example of how to do the split-tunneling/group policy configs as it relates to my situation.

Thanks

Michael

interface Ethernet0
 description to the outside
 nameif outside
 security-level 0
 ip address 2.100.211.40 255.255.255.0
 ospf cost 10
!
interface Ethernet1
 description internal office
 nameif internal_net
 security-level 100
 ip address 10.11.28.100 255.255.255.0
 ospf cost 10
object-group network CoLo
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.20.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
access-list outside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
access-list outside_access_in extended permit ip any 2.100.211.40 255.255.255.252 log
access-list outside_access_in extended permit icmp 10.0.10.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit icmp 10.0.20.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit tcp 10.0.20.0 255.255.255.0 10.11.28.0 255.255.255.0 eq smtp log
access-list outside_access_in extended permit tcp object-group CoLo 10.11.28.0 255.255.255.0 eq 1111 log
access-list internal_net_access_in extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
nat (outside) 0 access-list outside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 2.100.211.1 1
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 6.45.82.108
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 6.45.82.108 type ipsec-l2l
tunnel-group 6.45.82.108 ipsec-attributes
 pre-shared-key *

10 Replies

acomiskey
Level 10

This is for a lan to lan tunnel?

Any traffic which is not defined in "outside_20_cryptomap" will not be part of the vpn tunnel and will go out unencrypted. You don't need split tunneling. I would add...

global (outside) 1 interface

nat (inside) 1 0 0

Your nat exemption statement appears to be applied to the wrong interface. Should be...

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo

Yes this is a lan to lan tunnel. The end points are the outside interfaces of 2 PIXs. I do not have access to the PIX at the CoLo.

I was hoping we did not have to do the split-tunnel stuff - seemed rather complicated.

Last night we tried the

global (outside) 1 interface
nat (inside) 1 0 0

commands and it broke the existing IPSec/VPN connection to the CoLo.

Direct outbound access to the internet worked.

When we removed the commands the VPN tunnels to the CoLo started working again.

As for the following existing config lines, they have been working for some time. I would be reluctant to change them since they are working.

nat (outside) 0 access-list outside_nat0_outbound

access-list outside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo

The only reason those lines are currently working (actually they're not doing anything) is because you are not natting anyway, on the inside or outside. The correct setup is...

global (outside) 1 interface

nat (inside) 1 0 0

nat (outside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo

Also, the reason adding the nat and global broke the tunnel is because you are then natting and do not have the correct nat exemption acl (inside_nat0_outbound) in place.

The config above will allow traffic to be exempted from nat when travelling across the tunnel and allow traffic destined to the internet to be port address translated to the outside interface.

Sorry, I'm having trouble understanding how the access list works. I thought the "inside_nat0_outbound" part is just a name and the nat statement relates to the actual interface.

I have to work on something else right now, but I will look at your suggestion more closely and see if we can make changes tonight.

Thanks,

Michael

Yes, you are right. You could leave the name of the acl as "outside_nat0_outbound". The important part is "nat (inside) 0".

I just changed the name so it made more sense.

Oops, just realized my typo, sorry. It should be...

global (outside) 1 interface

nat (inside) 1 0 0

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
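The two replies above (the first nat/global suggestion and the corrected one) both turn on one fact about PIX/ASA 7.x: for a flow entering an interface, the "nat (ifname) 0 access-list" exemption for that ingress interface is consulted before the dynamic nat/global pair, and the crypto-map ACL is then matched against the post-NAT source address. So an exemption hung off "outside" does nothing for LAN traffic entering "internal_net", and once "nat (internal_net) 1 0 0" is in place that traffic gets PAT'd to 2.100.211.40, no longer matches outside_20_cryptomap, and leaves the tunnel. The script below is an added example, not code from the thread or from Cisco: it parses just the nat, global, object-group, access-list and crypto-map lines in the form the thread uses and evaluates the three configurations against two constructed flows (10.11.28.5 to a CoLo host 10.0.10.7, and 10.11.28.5 to an Internet host 203.0.113.9). It deliberately ignores static, policy and identity NAT and nat-control. One caveat the replies gloss over: the posted nameif is "internal_net", not "inside", so on this box the commands must read "nat (internal_net) ..."; the example uses the posted name.

```python
import ipaddress

# Added example, not code from the thread. A small model of how a PIX/ASA 7.x
# picks a translation for an outbound flow: the "nat (if) 0 access-list" exemption
# on the INGRESS interface is consulted first, then the dynamic nat/global pair,
# and only afterwards is the crypto-map ACL matched against the post-NAT source.
# Interface names and the outside address follow the posted config; the hosts
# 10.11.28.5, 10.0.10.7 and 203.0.113.9 are constructed test inputs.

OUTSIDE_IF = "outside"
OUTSIDE_IP = ipaddress.ip_address("2.100.211.40")   # from the posted config
ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(addr, mask):
    """'10.11.28.0 255.255.255.0' -> IPv4Network; the PIX shorthand '0 0' is any."""
    if addr == "0":
        return ANY
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _addr_clause(cfg, tokens):
    """Consume one ACL address clause, returning ([networks], remaining tokens)."""
    if tokens[0] == "any":
        return [ANY], tokens[1:]
    if tokens[0] == "object-group":
        return list(cfg["groups"][tokens[1]]), tokens[2:]
    if tokens[0] == "host":
        return [_net(tokens[1], "255.255.255.255")], tokens[2:]
    return [_net(tokens[0], tokens[1])], tokens[2:]


def parse(config_text):
    """Parse only object-group / access-list ... permit ip / nat / global /
    crypto map 'match address' lines; everything else is ignored."""
    cfg = {"groups": {}, "acls": {}, "exempt": {}, "nat": {}, "global": {}, "crypto": None}
    group = None
    for line in config_text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["object-group", "network"]:
            group = cfg["groups"].setdefault(t[2], [])
        elif t[0] == "network-object" and group is not None:
            group.append(_net(t[1], t[2]))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _addr_clause(cfg, t[5:])
            dst, _ = _addr_clause(cfg, rest)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat":
            ifname = t[1].strip("()")
            if t[2] == "0" and t[3] == "access-list":
                cfg["exempt"][ifname] = t[4]                   # exemption, keyed by ingress if
            else:
                cfg["nat"][ifname] = (t[2], _net(t[3], t[4]))  # dynamic nat id + local net
        elif t[0] == "global":
            cfg["global"][(t[1].strip("()"), t[2])] = t[3]     # (egress if, nat id) -> pool
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cfg["crypto"] = t[6]
    return cfg


def acl_match(cfg, name, src, dst):
    return any(any(src in n for n in srcs) and any(dst in n for n in dsts)
               for srcs, dsts in cfg["acls"].get(name, []))


def classify(cfg, ingress, src, dst):
    """Return (source as seen on the wire, how it got there, encrypted?) for a
    flow entering `ingress` and leaving through the outside interface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    exempt_acl = cfg["exempt"].get(ingress)
    nat_rule = cfg["nat"].get(ingress)
    if exempt_acl and acl_match(cfg, exempt_acl, src, dst):
        xsrc, how = src, "exempt"                               # nat 0 wins, address kept
    elif nat_rule and src in nat_rule[1] and \
            cfg["global"].get((OUTSIDE_IF, nat_rule[0])) == "interface":
        xsrc, how = OUTSIDE_IP, "pat"                           # PAT to the outside address
    else:
        xsrc, how = src, "untranslated"                         # no rule: passes as-is
    encrypted = cfg["crypto"] is not None and acl_match(cfg, cfg["crypto"], xsrc, dst)
    return str(xsrc), how, encrypted


COMMON = """
object-group network CoLo
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.20.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
access-list inside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
crypto map outside_map 20 match address outside_20_cryptomap
"""
# As posted: exemption hung off the outside interface, no nat/global at all.
AS_POSTED = COMMON + "nat (outside) 0 access-list inside_nat0_outbound\n"
# First attempt from the thread: nat/global added, exemption still on outside.
FIRST_ATTEMPT = AS_POSTED + "global (outside) 1 interface\nnat (internal_net) 1 0 0\n"
# Corrected: exemption keyed to the interface the LAN traffic actually enters.
CORRECTED = COMMON + """global (outside) 1 interface
nat (internal_net) 1 0 0
nat (internal_net) 0 access-list inside_nat0_outbound
"""


def scenarios(config_text):
    cfg = parse(config_text)
    return {"to_colo": classify(cfg, "internal_net", "10.11.28.5", "10.0.10.7"),
            "to_internet": classify(cfg, "internal_net", "10.11.28.5", "203.0.113.9")}


if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("first attempt", FIRST_ATTEMPT),
                        ("corrected", CORRECTED)):
        print(label, scenarios(text))
```

Running it reproduces the thread's history: as posted, CoLo traffic is untranslated and encrypted while Internet traffic leaves with an unroutable 10.11.28.5 source; after the first attempt both flows are PAT'd to 2.100.211.40 and the CoLo flow misses the crypto ACL, which is the "broke the tunnel" symptom; with the corrected lines the CoLo flow is exempt and encrypted while Internet traffic is PAT'd and sent in the clear. The ACL name is arbitrary, as the thread says; only the interface in "nat (...) 0" matters.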

Thanks! I will find out when we can try this and let you know how it goes.

Hey Adam,

Your suggested config worked. Thanks for your help.

Michael

Good to hear. Feel free to rate any helpful posts.

kaachary
Cisco Employee

This configuration doesn't have Remote Access IPSec commands added yet? Anyway, split tunneling is a concept only for Remote Access. Please see:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

It's already been discussed that we are not talking about remote access vpn here.
