A Step Beyond Split-Tunneling between VPN Client and PIX
I am using the VPN Client 3.6.4A to connect to a PIX running 6.2(2). I have split-tunneling enabled in my 'vpngroup' settings on the PIX to restrict access on the VPN client to only a small subnet of my internal network instead of allowing access to the entire internal network. But then by doing this, I am allowing the client to connect to other sites on the Internet at the same time as they are connected to my internal network (split-tunneling).
Is there a way in this scenario to allow access to only a certain subnet of my internal network via the VPN client and not allow access to the Internet (split-tunneling) at the same time?
Re: A Step Beyond Split-Tunneling between VPN Client and PIX
Yeah, just define the traffic in your nat 0 ACL. The nat 0 ACL defines the traffic that won't be NAT'd on the return path; you'll probably just have "permit all IP from your internal network to your VPN pool of addresses". A good way to filter out what people can get to is to make this ACL more restrictive. If a user tries to go to something that isn't in the nat 0 ACL, they'll be able to send a packet to whatever host it is, but the return packet will be NAT'd and then not match the crypto ACL, and the return packet will be dropped.
So, turn off split tunnelling and let's say you only want users to get to 10.1.1.1 and 10.1.1.2 on your internal network, you would do:
> access-list nonat permit ip host 10.1.1.1 192.168.1.0 255.255.255.0
> access-list nonat permit ip host 10.1.1.2 192.168.1.0 255.255.255.0
> nat (inside) 0 access-list nonat
where 192.168.1.0 is your VPN pool of IP addresses. Anything from, say, 10.1.1.3 will be NAT'd on its way back to the VPN client, won't be encrypted and therefore will be dropped.
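A small model of the return-path logic the answer describes, added here as an example (not PIX configuration or Cisco code): it parses the two nonat lines above exactly as written and traces a reply from an inside host to a VPN client through nat 0, PAT and the crypto ACL. The crypto ACL (inside 10.0.0.0/8 to the pool) and the outside PAT address 203.0.113.1 are assumptions, not values from the post.

```python
"""Model of the nat 0 return-path filter described in the answer (added example,
not PIX code): parse the nonat ACL as written, then trace a reply to a VPN client."""
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str

def _spec(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list NAME permit ip SRC DST' lines into (src_net, dst_net) pairs."""
    entries = []
    for line in lines:
        tokens = line.lstrip("> ").split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2:4] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, rest = _spec(tokens[4:])
        dst, _ = _spec(rest)
        entries.append((src, dst))
    return entries

def permits(acl, pkt):
    """True if any (permit-only) ACL entry covers the packet's source and destination."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return any(src in s and dst in d for s, d in acl)

# The two ACL lines from the answer; 192.168.1.0/24 is the VPN address pool.
NONAT_ACL = parse_acl([
    "access-list nonat permit ip host 10.1.1.1 192.168.1.0 255.255.255.0",
    "access-list nonat permit ip host 10.1.1.2 192.168.1.0 255.255.255.0",
])
# Assumed (not on the page): inside network for the crypto ACL, PIX outside address used for PAT.
CRYPTO_ACL = parse_acl(["access-list crypto permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0"])
OUTSIDE_IF_ADDR = "203.0.113.1"

def return_path(pkt):
    """Fate of a reply from an inside host to a VPN client, following the answer's logic."""
    if not permits(NONAT_ACL, pkt):        # no nat 0 match: source is PAT'd to the outside address
        pkt = Packet(OUTSIDE_IF_ADDR, pkt.dst)
    if permits(CRYPTO_ACL, pkt):           # only an untranslated inside source still matches
        return "encrypted"
    return "dropped"                       # the NAT'd reply never enters the tunnel
```

Calling `return_path(Packet("10.1.1.3", "192.168.1.10"))` reproduces the answer's 10.1.1.3 case, while 10.1.1.1 and 10.1.1.2 come back as "encrypted".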