
New Member

A Step Beyond Split-Tunneling between VPN Client and PIX

I am using the VPN Client 3.6.4A to connect to a PIX running 6.2(2). I have split-tunneling enabled in my 'vpngroup' settings on the PIX to restrict access on the VPN client to only a small subnet of my internal network instead of allowing access to the entire internal network. But then by doing this, I am allowing the client to connect to other sites on the Internet at the same time as they are connected to my internal network (split-tunneling).

Is there a way in this scenario to allow access to only a certain subnet of my internal network via the VPN client and not allow access to the Internet (split-tunneling) at the same time?

Thanks,

Jeff

2 REPLIES
Cisco Employee

Re: A Step Beyond Split-Tunneling between VPN Client and PIX

Yeah, just define the traffic in your nat 0 ACL. The nat 0 ACL defines the traffic that won't be NAT'd on the return path, you'll probably just have "permit all IP from your internal network to your VPN pool of addresses". A good way to filter out what people can get to is to make this ACL more restrictive. If a user tries to go to something that isn't in the nat 0 ACL, they'll be able to send a packet to whatever host it is, but the return packet will be NAT'd and then not match the crypto ACL and the return packet will be dropped.

So, turn off split tunnelling and let's say you only want users to get to 10.1.1.1 and 10.1.1.2 on your internal network, you would do:

> access-list nonat permit ip host 10.1.1.1 192.168.1.0 255.255.255.0
> access-list nonat permit ip host 10.1.1.2 192.168.1.0 255.255.255.0
> nat (inside) 0 access-list nonat

where 192.168.1.0 is your VPN pool of IP addresses. Anything from say, 10.1.1.3 will be NAT'd on its way back to the VPN client, won't be encrypted and therefore dropped.
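The reply above describes a packet-path argument: a reply from an internal host is exempted from NAT only if the nat 0 ACL matches it, and a translated reply no longer matches the crypto ACL and is dropped. The following Python model, added here as an illustration and not taken from the thread or from Cisco, parses the two `access-list` lines from the reply (PIX 6.x `host` / `address mask` / `any` forms), then traces a reply packet through that logic so you can check which internal hosts a client in the pool can actually reach. The crypto ACL (`vpn-crypto`, internal network 10.1.1.0/24 to the pool) and the outside PAT address 203.0.113.1 are assumptions for the model; they are not on the page.

```python
import ipaddress

# Constructed ACL text in PIX 6.x syntax, copied from the reply above.
NAT0_ACL = """
access-list nonat permit ip host 10.1.1.1 192.168.1.0 255.255.255.0
access-list nonat permit ip host 10.1.1.2 192.168.1.0 255.255.255.0
"""

# Assumed crypto proxy identity for the dialled-in client (not from the page):
# the internal network to the VPN pool.
CRYPTO_ACL = """
access-list vpn-crypto permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

# Assumed outside global (PAT) address; TEST-NET-3 documentation range.
OUTSIDE_GLOBAL = ipaddress.ip_address("203.0.113.1")


def _parse_addr(tokens, i):
    """Parse one PIX address spec starting at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX writes a subnet as "<address> <mask>" rather than a prefix length.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_acl(text):
    """Return [(action, src_net, dst_net), ...] for 'access-list NAME permit|deny ip SRC DST' lines."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # only the plain "ip" permit/deny form is modelled
        action = tokens[2]
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((action, src, dst))
    return entries


def acl_permits(acl, src, dst):
    """First-match semantics with an implicit deny at the end, as on the PIX."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def return_path(internal_host, client_addr, nat0_acl, crypto_acl, outside_global):
    """Trace the reply packet internal_host -> client_addr as the reply above describes it.

    Returns (verdict, source address after the NAT decision)."""
    src = ipaddress.ip_address(internal_host)
    dst = ipaddress.ip_address(client_addr)
    if acl_permits(nat0_acl, src, dst):
        post_nat_src = src             # nat 0 match: identity, no translation
    else:
        post_nat_src = outside_global  # translated to the outside global address
    if acl_permits(crypto_acl, post_nat_src, dst):
        return "encrypted", str(post_nat_src)
    return "dropped", str(post_nat_src)   # translated source no longer matches the crypto ACL


def reachable_hosts(candidates, client_addr, nat0_acl, crypto_acl, outside_global):
    """List the internal hosts whose replies actually make it back into the tunnel."""
    return [h for h in candidates
            if return_path(h, client_addr, nat0_acl, crypto_acl, outside_global)[0] == "encrypted"]


if __name__ == "__main__":
    nat0 = parse_acl(NAT0_ACL)
    crypto = parse_acl(CRYPTO_ACL)
    for host in ("10.1.1.1", "10.1.1.2", "10.1.1.3"):
        print(host, "->", return_path(host, "192.168.1.5", nat0, crypto, OUTSIDE_GLOBAL))
```

Running the script against the reply's two `nonat` entries shows 10.1.1.1 and 10.1.1.2 as reachable and 10.1.1.3 as dropped after translation, which is the restriction the reply is after. The same `reachable_hosts` check is a quick way to confirm, before a change window, that a tightened nat 0 ACL exposes exactly the hosts you intend and nothing else.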

New Member

Re: A Step Beyond Split-Tunneling between VPN Client and PIX

Excellent! That will work!

Thanks for the response.
