Split tunnel with ASA 5510 and PIX506.

Answered Question
Jun 29th, 2010
User Badges:

   Hello,



I have production VPN tunnel between Asa 5510 (main office) and Pix 506. It's configured so all of the traffic is encrypted and travels thru the tunnel. That includes Internet traffic from remote users behind Pix. I'd like to to use split tunnel and direct Internet traffic to hit web directly from Pix instead of going thru the tunnel. How can I achieve this in a secure manner? Please see Pix current config below :


  :
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100

clock timezone EDT -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
access-list VPN permit ip 192.x.x.x 255.255.255.0 any
access-list LocalNet permit ip any any
pager lines 20
logging on
logging monitor debugging
logging buffered warnings
logging trap warnings
mtu outside 1500
mtu inside 1500
ip address outside 24.x.x.x 255.255.255.0
ip address inside192.x.x.x 255.255.255.0
ip audit name Outside_Attack attack action alarm drop reset
ip audit name Outside_Recon info action alarm drop reset
ip audit interface outside Outside_Recon
ip audit interface outside Outside_Attack
ip audit info action alarm
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2150 disable
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list LocalNet
route outside 0.0.0.0 0.0.0.0 24.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set AMC esp-3des esp-md5-hmac
crypto map UrgentCare 10 ipsec-isakmp
crypto map UrgentCare 10 match address VPN
crypto map UrgentCare 10 set peer x.x.x.x
crypto map UrgentCare 10 set transform-set AMC
crypto map UrgentCare interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
ssh timeout 15
console timeout 0
terminal width 80
Cryptochecksum:9701c306b05151471c437f29695ffdbd
: end

Correct Answer by John Blakley about 7 years 3 weeks ago

I would do something by changing the acl that's applied to your crypto map. You'd want to figure out what networks you want to support over the tunnel and then deny the others.


If you have:

192.168.3.0/24

192.168.4.0/24

10.10.10.0/24

172.16.0.0/16


Do something like:


access-list VPN permit ip 192.x.x.x 255.255.255.0 192.168.3.0 255.255.255.0

access-list VPN permit ip 192.x.x.x 255.255.255.0 192.168.4.0  255.255.255.0

access-list VPN permit ip 192.x.x.x 255.255.255.0 10.10.10.0  255.255.255.0

access-list VPN permit ip 192.x.x.x 255.255.255.0 172.16.0.0  255.255.0.0


Then when traffic is destined to something other than these networks, it'll go out unencrypted to the ISP instead of the tunnel.


HTH,

John

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
John Blakley Tue, 06/29/2010 - 12:49
User Badges:
  • Purple, 4500 points or more

I would do something by changing the acl that's applied to your crypto map. You'd want to figure out what networks you want to support over the tunnel and then deny the others.


If you have:

192.168.3.0/24

192.168.4.0/24

10.10.10.0/24

172.16.0.0/16


Do something like:


access-list VPN permit ip 192.x.x.x 255.255.255.0 192.168.3.0 255.255.255.0

access-list VPN permit ip 192.x.x.x 255.255.255.0 192.168.4.0  255.255.255.0

access-list VPN permit ip 192.x.x.x 255.255.255.0 10.10.10.0  255.255.255.0

access-list VPN permit ip 192.x.x.x 255.255.255.0 172.16.0.0  255.255.0.0


Then when traffic is destined to something other than these networks, it'll go out unencrypted to the ISP instead of the tunnel.


HTH,

John

Actions

This Discussion