Cisco PIX 501 split tunnelling

techsitc10
Level 1

Hi,

I have several clients accessing their office via VPN; I wish to grant them access to the internet at the same time through their home internet connection.

Is the easiest route to enable split tunnelling? I'm unsure what I need to add to the config file apart from:

split-tunnel-policy tunnelspecified

I presume that I need to define tunnelspecified as the internal network of the office?

Thanks for your help

Suzanne

5 Replies

Jon Marshall
Hall of Fame

Hi Suzanne

Yes, you need to define the corporate network with an access-list to enable split tunnelling.

Attached is a link to configuring split tunnelling on ASA using either ASDM or the CLI.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

HTH

Jon

Hi Jon

Thanks for that prompt reply.

I should have said I'm using a PIX 501 running 6.3 and have PDM 3.0, which means that the split-tunnel-policy tunnelall command fails and there are not the same options in the GUI?

Is it possible on the PIX 501?

Thanks

Suzanne

Hi,

For your case, here are the steps:

********************************

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
isakmp nat-traversal 20
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
ip local pool ippool 10.1.1.11-10.1.1.21
vpngroup vpnclient address-pool ippool
vpngroup vpnclient idle-time 1800
vpngroup vpnclient dns-server 172.16.1.1
vpngroup vpnclient password cisco456
vpngroup vpnclient split-tunnel 120
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap
username cisco password cisco123
aaa-server LOCAL protocol local
crypto map remote_vpn client authentication LOCAL
crypto map remote_vpn client configuration address initiate
crypto map remote_vpn client configuration address respond
crypto map remote_vpn interface outside

********************************

Regarding the VPN Client, simply install it by following the instructions on screen, then click "New":

"Connection Entry": a name for your reference

"Host": public IP of the PIX 501

"Name": vpnclient

"Password": cisco456

To initiate a tunnel, double-click the entry you just created.

HTH, please rate it

Hi

Sorry it's taken a couple of days to come back to you. I firstly tried just ticking the box in the PDM that allows split tunnelling, which allowed my Vista PCs to access the VPN and the internet, but not the XP ones!

By the way, for anyone thinking about ticking that box in the PDM: it then stops access to the PDM, and you need to make any other changes by the command line.

Anyone know why this is?

I've tried the solution posted here, and while the DNS gets resolved, the user still cannot access the internet while on the VPN.

I'll include my config in case it's been a typo.

Any more advice would be welcome.

Thanks

Suzanne

Accepted Solution

access-list splittunnel_acl permit ip localofficehosts 255.255.255.0 vpndhcppool 255.255.255.0

vpngroup group-name split-tunnel splittunnel_acl

Your ACL will be specific to your setup, as will the vpngroup group name.
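The two-line recipe above (a split-tunnel ACL from the office network to the VPN address pool, referenced by the vpngroup) is easy to get subtly wrong: the ACL name in the vpngroup line does not match, the pool falls outside the ACL's destination, an "any" entry quietly tunnels everything again, or the nat 0 exemption is missing so office replies never enter the tunnel. The script below is an added example, not code from this thread or from Cisco, that parses the handful of PIX 6.3 command forms used in the replies above (access-list ... permit ip, nat (inside) 0 access-list, ip local pool, vpngroup ... address-pool and split-tunnel) and reports those inconsistencies. The SAMPLE_CONFIG is constructed, modelled on the config posted earlier in the thread; it assumes PIX-style real subnet masks rather than wildcard masks.

```python
import ipaddress
import re
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network

# Constructed sample config, modelled on the PIX 6.3 lines posted in the thread.
SAMPLE_CONFIG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
ip local pool ippool 10.1.1.11-10.1.1.21
vpngroup vpnclient address-pool ippool
vpngroup vpnclient split-tunnel 120
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
GROUP_RE = re.compile(r"^vpngroup (\S+) (address-pool|split-tunnel) (\S+)$")


def _net(tokens):
    """Consume one PIX address spec ('any', 'host A.B.C.D', or 'A.B.C.D MASK') from a token list."""
    if tokens[0] == "any":
        return Net("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return Net(tokens[1] + "/32"), tokens[2:]
    # PIX 6.x ACLs use real subnet masks (255.x.x.x), not IOS-style wildcard masks.
    return Net((tokens[0], tokens[1]), strict=False), tokens[2:]


@dataclass
class PixVpnConfig:
    acls: dict = field(default_factory=dict)         # ACL name -> [(src_net, dst_net), ...]
    nat0_acl: str = ""                               # ACL named by "nat (inside) 0 access-list"
    pools: dict = field(default_factory=dict)        # pool name -> (first_ip, last_ip)
    group_pool: dict = field(default_factory=dict)   # vpngroup -> pool name
    group_split: dict = field(default_factory=dict)  # vpngroup -> split-tunnel ACL name


def parse(config):
    """Extract only the lines that matter for split tunnelling; everything else is ignored."""
    cfg = PixVpnConfig()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            src, rest = _net(m.group(2).split())
            dst, _ = _net(rest)
            cfg.acls.setdefault(m.group(1), []).append((src, dst))
        elif m := NAT0_RE.match(line):
            cfg.nat0_acl = m.group(1)
        elif m := POOL_RE.match(line):
            cfg.pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                     ipaddress.IPv4Address(m.group(3)))
        elif m := GROUP_RE.match(line):
            target = cfg.group_pool if m.group(2) == "address-pool" else cfg.group_split
            target[m.group(1)] = m.group(3)
    return cfg


def check(cfg):
    """Return a list of findings; an empty list means the split-tunnel setup is consistent."""
    findings = []
    for group, pool_name in cfg.group_pool.items():
        acl_name = cfg.group_split.get(group)
        if acl_name is None:
            findings.append(f"{group}: no split-tunnel ACL, so clients tunnel all traffic "
                            "and lose their local internet access")
            continue
        entries = cfg.acls.get(acl_name)
        if not entries:
            findings.append(f"{group}: split-tunnel ACL {acl_name} is not defined or is empty")
            continue
        # An 'any' on either side makes the client tunnel everything, defeating the split.
        if any(src.prefixlen == 0 or dst.prefixlen == 0 for src, dst in entries):
            findings.append(f"{group}: ACL {acl_name} contains an 'any' entry, which tunnels everything")
        pool = cfg.pools.get(pool_name)
        if pool is None:
            findings.append(f"{group}: address pool {pool_name} is not defined")
        elif not any(pool[0] in dst and pool[1] in dst for _, dst in entries):
            findings.append(f"{group}: pool {pool_name} ({pool[0]}-{pool[1]}) is not covered "
                            f"by the destination side of ACL {acl_name}")
        # Office-to-pool traffic must be exempted from NAT, or inside replies get
        # translated by nat/global and never enter the tunnel.
        nat0 = cfg.acls.get(cfg.nat0_acl, [])
        missing = [e for e in entries if e not in nat0]
        if missing:
            findings.append(f"{group}: {len(missing)} split-tunnel entries lack a matching "
                            f"nat 0 exemption (nat 0 ACL: {cfg.nat0_acl or 'none'})")
    return findings


if __name__ == "__main__":
    for line in check(parse(SAMPLE_CONFIG)) or ["OK: split-tunnel config is consistent"]:
        print(line)
```

Run it against a saved "write terminal" output to get the findings; an empty result means the vpngroup, its pool, the split-tunnel ACL and the nat 0 exemption all agree. The 'any' check is the security-relevant one: a split-tunnel ACL is what limits the office-side traffic that a remote client's (untrusted) home network can reach, so it should name only the office subnets, never any.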
