VPN - Split Tunnel

Answered Question
Sep 2nd, 2003

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

Hi,

Can anyone please help me as my VPN access works fine without Split Tunnel. But when I put the Split Tunnel it stops working.. here is the configuration.. my PIX is behind a Checkpoint F/W and NAT is working on CheckPoint so thats why I donot wana configure NAT on PIX.. I would really applicate you help.. thanks in advance :-)

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

nameif ethernet3 intf3 security15

nameif ethernet4 intf4 security20

nameif ethernet5 intf5 security25

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 101 permit ip any any

access-list 120 permit tcp 10.200.125.0 255.255.255.0 host 10.200.124.1 eq www

access-list 120 permit tcp 10.200.119.0 255.255.255.0 host 10.200.124.1 eq www

access-list 152 permit ip 10.200.124.0 255.255.255.0 10.200.125.0 255.255.255.0

access-list 152 permit ip 10.200.125.0 255.255.255.0 10.200.124.0 255.255.255.0

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside 10.200.123.253 255.255.255.0

ip address inside 10.200.124.254 255.255.255.0

ip address intf2 127.0.0.1 255.255.255.255

ip address intf3 127.0.0.1 255.255.255.255

ip address intf4 127.0.0.1 255.255.255.255

ip address intf5 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool 10.200.125.1-10.200.125.254

pdm history enable

arp timeout 14400

nat (inside) 0 access-list 101

access-group 120 in interface outside

route outside 0.0.0.0 0.0.0.0 10.200.123.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server AuthInbound protocol radius

aaa-server AuthInbound (inside) host 10.200.124.1 xxxxxxxxxxxxx timeout 10

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap client authentication AuthInbound

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp client configuration address-pool local ippool outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup test address-pool ippool

vpngroup test split-tunnel 152

vpngroup test idle-time 1800

vpngroup test password xxxxxxxxxxxxxxxxxxxx

vpngroup group idle-time 1800

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I have this problem too.
0 votes
Correct Answer by chris.evans@exp... about 12 years 1 day ago

for this ACL

access-list 152 permit ip 10.200.124.0 255.255.255.0 10.200.125.0 255.255.255.0

access-list 152 permit ip 10.200.125.0 255.255.255.0 10.200.124.0 255.255.255.0

change it to

access-list 152 permit ip 10.200.124.0 255.255.254.0 any

the split-tunnel command uses the "source" portion of the ACL to know what networks are internal to the pix.. then everything else, the client will know to split tunnel..

Chris

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Correct Answer
chris.evans@exp... Fri, 09/05/2003 - 19:30

for this ACL

access-list 152 permit ip 10.200.124.0 255.255.255.0 10.200.125.0 255.255.255.0

access-list 152 permit ip 10.200.125.0 255.255.255.0 10.200.124.0 255.255.255.0

change it to

access-list 152 permit ip 10.200.124.0 255.255.254.0 any

the split-tunnel command uses the "source" portion of the ACL to know what networks are internal to the pix.. then everything else, the client will know to split tunnel..

Chris

Actions

This Discussion