Split Tunnel VPN to Public IP Behind Pix

Unanswered Question
Jun 5th, 2008

Please see my config below. I have 2 site-to-site VPNs set up and a pool of remote VPN users. The site-to-site VPNs have overlapping private network ranges (192.168.1.x) with my private range, which I use both for the hosts that sit behind my firewall and for the remote users (bad practice I know, I'll correct it soon). I've successfully allowed the site-to-site VPN users to access the PUBLIC IP address of 2 specific hosts behind my PIX. My remote VPN users can access the 2 specific hosts via the PRIVATE IP addresses only. All other public traffic to the two hosts should be blocked. The problem is, I want the remote VPN hosts to access these 2 specific hosts by using the public IP address via the VPN tunnel... if I do this now, it uses the internet to resolve the IP and thus gets blocked, since no outside traffic is allowed to those hosts. How can I make the traffic to the two hosts go over my remote VPN instead of the internet when split tunneling?

clinchpoop Thu, 06/05/2008 - 11:54

PIX Version 7.0(7)
!
hostname XXXX
domain-name XXXX
enable password xxx
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
passwd xxx
banner login Enter your password!
boot system flash:/image.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list internal standard permit any
access-list ACL_OUT extended permit ip 192.168.1.0 255.255.255.0 host HOST-A-PUBLIC-IP
access-list ACL_OUT extended permit ip 192.168.1.0 255.255.255.0 host HOST-B-PUBLIC-IP
access-list inside_nat0_outbound extended permit ip host 192.168.1.7 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.1.4 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.1.3 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.1.2 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.1.6 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.1.5 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.1.10 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.1.9 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host HOST-A-PUBLIC-IP
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host HOST-B-PUBLIC-IP
access-list Reg_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Reg_splitTunnelAcl standard permit host HOST-A-PUBLIC-IP
access-list Reg_splitTunnelAcl standard permit host HOST-B-PUBLIC-IP
access-list INBOUND extended permit esp any interface outside
access-list outside_cryptomap_20 extended permit ip host 192.168.1.9 host XXX
access-list outside_cryptomap_20 extended permit ip host 192.168.1.10 host XXX
access-list outside_cryptomap_20 extended permit ip host 192.168.1.9 host XXX
access-list outside_cryptomap_20 extended permit ip host 192.168.1.10 host XXX
access-list outside_cryptomap_20 extended permit ip host 192.168.1.10 host XXX
access-list outside_cryptomap_20 extended permit ip host 192.168.1.9 host XXX
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 host HOST-A-PUBLIC-IP
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 host HOST-B-PUBLIC-IP
access-list outside_cryptomap_40 extended permit ip host 192.168.1.9 host XX
access-list outside_cryptomap_40 extended permit ip host 192.168.1.9 host XXX
access-list outside_cryptomap_40 extended permit ip host 192.168.1.10 host XXX
access-list outside_cryptomap_40 extended permit ip host 192.168.1.10 host XXX

clinchpoop Thu, 06/05/2008 - 11:55

pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 192.168.1.100-192.168.1.150 mask 255.255.255.0
asdm image flash:/asdm-507.bin
asdm location 192.168.1.9 255.255.255.255 inside
asdm location 192.168.1.10 255.255.255.255 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (outside) 1 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) XXX 192.168.1.7 netmask 255.255.255.255
static (inside,outside) XXX 192.168.1.5 netmask 255.255.255.255
static (inside,outside) XXX 192.168.1.4 netmask 255.255.255.255
static (inside,outside) XXX 192.168.1.3 netmask 255.255.255.255
static (inside,outside) XXX 192.168.1.2 netmask 255.255.255.255
static (inside,outside) XXX 192.168.1.6 netmask 255.255.255.255
static (inside,outside) HOST-A-PUBLIC-IP 192.168.1.9 netmask 255.255.255.255
static (inside,outside) HOST-A-PUBLIC-IP 192.168.1.10 netmask 255.255.255.255
access-group ACL_OUT in interface outside
route outside 0.0.0.0 0.0.0.0 XXXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy Reg internal
group-policy Reg attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Reg_splitTunnelAcl
username User1 password xxx encrypted privilege 0
username User1 attributes
 vpn-group-policy Reg
 group-lock value Reg
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

clinchpoop Thu, 06/05/2008 - 11:56

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 86400
crypto dynamic-map dynmap 30 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 50 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 70 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 90 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 110 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 130 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 150 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 170 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 190 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 210 set transform-set ESP-3DES-SHA
crypto map mymap 20 match address outside_cryptomap_20
crypto map mymap 20 set peer XXX
crypto map mymap 20 set transform-set ESP-AES-256-SHA
crypto map mymap 40 match address outside_cryptomap_40
crypto map mymap 40 set peer XXX
crypto map mymap 40 set transform-set ESP-AES-256-SHA
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) none
tunnel-group Reg type ipsec-ra
tunnel-group Reg general-attributes
 address-pool vpnpool
 default-group-policy Reg
tunnel-group Reg ipsec-attributes
 pre-shared-key *
tunnel-group XXX type ipsec-l2l
tunnel-group XXX ipsec-attributes
 pre-shared-key *
tunnel-group XXX type ipsec-l2l
tunnel-group XXX ipsec-attributes
 pre-shared-key *
no tunnel-group-map enable peer-ip
tunnel-group-map default-group DefaultL2LGroup
telnet timeout 5
ssh XXX 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 1
console timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ntp server XXX source outside
Cryptochecksum:xxxca

husycisco Fri, 06/06/2008 - 17:44

Hi Colin,

You should immediately clean up this mess. Add the following in respective order

ip local pool vpn_pool 192.168.30.1-192.168.30.254 mask 255.255.255.0
tunnel-group Reg type ipsec-ra
tunnel-group Reg general-attributes
 no address-pool vpnpool
 address-pool vpn_pool
no ip local pool vpnpool 192.168.1.100-192.168.1.150 mask 255.255.255.0
no access-list Reg_splitTunnelAcl standard permit host HOST-A-PUBLIC-IP
no access-list Reg_splitTunnelAcl standard permit host HOST-B-PUBLIC-IP
no access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0

Regards

Farrukh Haroon Fri, 06/06/2008 - 18:31

Why don't you add these hosts to the split-dns configuration? (IF clients are putting in the public hostname)

Else if they are using the IPs directly, this could cover it:

access-list Reg_splitTunnelAcl standard permit host HOST-A-PUBLIC-IP
access-list Reg_splitTunnelAcl standard permit host HOST-B-PUBLIC-IP

Regards

Farrukh
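An added check, not from any of the posters, covering the two points the replies turn on: which destinations the pushed Reg_splitTunnelAcl makes the VPN client encrypt (the question's public-IP traffic), and whether the vpnpool range collides with the inside 192.168.1.0/24 (the overlap husycisco's reply removes). The config excerpt is constructed from the lines quoted in the thread, with 203.0.113.9 and 203.0.113.10 standing in for the masked HOST-A/HOST-B public IPs.

```python
import ipaddress
import re

# Constructed excerpt of the posted config; 203.0.113.9 and 203.0.113.10
# stand in for the masked HOST-A-PUBLIC-IP / HOST-B-PUBLIC-IP.
POSTED_CONFIG = """\
ip local pool vpnpool 192.168.1.100-192.168.1.150 mask 255.255.255.0
access-list Reg_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Reg_splitTunnelAcl standard permit host 203.0.113.9
access-list Reg_splitTunnelAcl standard permit host 203.0.113.10
"""

# Standard ACL entries come in two shapes: 'permit host A.B.C.D' and
# 'permit NET MASK' (PIX standard ACLs take a normal mask, not a wildcard).
ACL_RE = re.compile(r"^access-list (\S+) standard permit (?:host (\S+)|(\S+) (\S+))$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+$")


def split_tunnel_networks(config, acl_name):
    """Networks that 'split-tunnel-policy tunnelspecified' pushes to the client."""
    nets = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        if m.group(2):
            nets.append(ipaddress.ip_network(m.group(2)))
        else:
            nets.append(ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}"))
    return nets


def goes_through_tunnel(dest, nets):
    """True if the client encrypts traffic to dest; False means it leaves by
    the client's own internet path, where the PIX outside ACL blocks it."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in nets)


def pool_overlaps_lan(config, pool_name, lan):
    """True if the remote-access pool range collides with the inside LAN."""
    lan_net = ipaddress.ip_network(lan)
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m and m.group(1) == pool_name:
            first = ipaddress.ip_address(m.group(2))
            last = ipaddress.ip_address(m.group(3))
            return first <= lan_net[-1] and last >= lan_net[0]
    raise ValueError(f"pool {pool_name!r} not found")
```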
