I have a strange issue with split-tunnel operation on a PIX firewall.
There is a VPN client connection configured, which works fine. However split tunnel is configured which allows simultaneous access to the internal network, and the internet. But by my reading of the configuration it shouldn't!! The split tunnel ACL matches any traffic, therefore only access to the internal network should be possible. What am I missing?
Here are sections of the config; the firewall is running PIX V7.0 software.
tunnel-group customer-Remote type ipsec-ra
tunnel-group customer-Remote general-attributes
authentication-server-group GG-VPN-Users LOCAL
group-policy customer-Remote internal
group-policy customer-Remote attributes
banner value Access to this device is strictly for customer employees only.
banner value This link is fully monitored and any unauthorized users will be prosecuted
banner value to the full extent of the law in the country in which the access was initiated.
dns-server value 172.30.2.3 188.8.131.52
split-tunnel-network-list value customer-Remote_splitTunnelAcl
default-domain value int.customer.com
access-list customer-Remote_splitTunnelAcl; 1 elements
access-list customer-Remote_splitTunnelAcl line 1 standard permit any
I have inherited this configuration, split-tunneling is required, and is working with this configuration.
I just don't understand how it is working, from my understanding the split-tunnel ACL defines the traffic that should go through the VPN. As it specifies "any" all traffic should go through, but it doesn't. If someone can explain why I would be grateful.
The secured routes are as you suggest, and there are no local LAN routes.
There are NAT rules:
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
and the IP addresses in the pool are included in the ACL inside_nat0_outbound.
However I don't think the traffic is going through and then to the internet: if I run a tracert from my local PC to ftp.cisco.com, it takes the same route with the client running as without. The first hop is my local ADSL router in both cases.
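Added example (my own Python, not code from the post or from Cisco): it parses group-policy split-tunnel settings and standard ACL lines in the form shown above and answers, for a given destination, whether the client would send that traffic through the tunnel. The split-tunnel-policy lines and the second "narrow-Remote" policy are constructed for contrast, and it assumes a policy with no explicit split-tunnel-policy inherits tunnelall.

```python
import ipaddress
import re

# Constructed sample modelled on the post's config (not the poster's real config);
# the "narrow-Remote" policy is added to contrast a genuinely narrow split list.
SAMPLE_CONFIG = """
group-policy customer-Remote attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value customer-Remote_splitTunnelAcl
access-list customer-Remote_splitTunnelAcl line 1 standard permit any
group-policy narrow-Remote attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value narrow_splitTunnelAcl
access-list narrow_splitTunnelAcl standard permit 172.30.0.0 255.255.0.0
"""
# Accepts both running-config lines and "show access-list" output ("line N ...").
ACL_RE = re.compile(r"^access-list (\S+) (?:line \d+ )?standard (permit|deny) (any|\S+ \S+)")

def parse_config(text):
    """Return (policies, acls): name -> {'policy', 'list'} and name -> [(action, network)]."""
    policies, acls, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^group-policy (\S+) attributes$", line)
        if m:  # assumption: no explicit split-tunnel-policy means tunnelall is inherited
            current = policies.setdefault(m.group(1), {"policy": "tunnelall", "list": None})
            continue
        if current and line.startswith("split-tunnel-policy "):
            current["policy"] = line.split()[1]
        elif current and line.startswith("split-tunnel-network-list value "):
            current["list"] = line.split()[-1]
        m = ACL_RE.match(line)
        if m:
            name, action, target = m.groups()
            net = ipaddress.ip_network("0.0.0.0/0" if target == "any" else target.replace(" ", "/"), strict=False)
            acls.setdefault(name, []).append((action, net))
    return policies, acls

def is_tunneled(policy, acls, dest):
    """Would client traffic to dest be sent through the VPN under this group-policy?"""
    mode, entries = policy["policy"], acls.get(policy["list"], [])
    if mode == "tunnelall" or not entries:
        return True
    addr = ipaddress.ip_address(dest)
    # Standard ACL: the first matching entry decides; implicit deny if nothing matches.
    matched = next((act == "permit" for act, net in entries if addr in net), False)
    # tunnelspecified tunnels the listed networks; excludespecified tunnels everything else.
    return matched if mode == "tunnelspecified" else not matched
```

With the post's "permit any" list, every destination (internal or internet) evaluates as tunneled, which is why that list cannot by itself explain direct internet access.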