Cisco Support Community

Cisco PIX 506E - Split Tunnel Command

Morning all, I was wondering if somebody could help me with the split-tunnel command. I am trying to allow my VPN users internet access from their own PCs while connected to the VPN. I have added the split-tunnel command to the VPN config but I am not sure what to add in the access list. Any help would be much appreciated; here is my config:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100full
interface ethernet1 100full
ip address outside
ip address inside
route outside 1
nat (inside) 1 0 0
global (outside) 1 interface
static (inside,outside) tcp 21685 21685
static (inside,outside) tcp ftp ftp
static (inside,outside) tcp http http
static (inside,outside) tcp https https
!--- Inbound packet filter for the outside interface
access-list 101 permit tcp any host eq ftp
access-list 101 permit tcp any host eq http
access-list 101 permit tcp any host eq https
access-list 101 permit icmp any host echo-reply
access-list 101 permit icmp any host time-exceeded
access-list 101 permit icmp any host unreachable
access-group 101 in interface outside
no fixup protocol ftp 21
no fixup protocol dns
!--- Enable logging
logging on
logging trap 4
logging host
telnet inside
telnet inside
http server enable
http inside
pdm history enable
!--- SSH for use with Putty
aaa authentication ssh console LOCAL
ssh inside
ssh timeout 5
!--- Firewall details and passwords
hostname FIREWALL
domain-name C2.local
en pass *************
pass *************
ip local pool VPN_Pool
!--- NAT exemption for the VPN pool, added to list 101, which is already the outside interface filter above
access-list 101 permit ip
nat (inside) 0 access-list 101
!--- For Cisco VPN Client
sysopt connection permit-ipsec
!--- MD5 as the ESP/IKE integrity hash and DH group 2 are legacy choices
crypto ipsec transform-set VPN_Trans esp-aes-256 esp-md5-hmac
crypto dynamic-map VPN_Dyn 10 set transform-set VPN_Trans
crypto map VPN_Crypto 10 ipsec-isakmp dynamic VPN_Dyn
crypto map VPN_Crypto interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup C2_VPNGROUP address-pool VPN_Pool
vpngroup C2_VPNGROUP wins-server
vpngroup C2_VPNGROUP dns-server
vpngroup C2_VPNGROUP default-domain c2.local
!--- Split tunnel also points at list 101 (third use of the same list)
vpngroup C2_VPNGROUP split-tunnel 101
vpngroup C2_VPNGROUP idle-time 1800
vpngroup C2_VPNGROUP password *************
isakmp nat-traversal 20


Re: Cisco PIX 506E - Split Tunnel Command

Fixed my own problem: moved the split-tunnel to its own access list and all worked fine.

access-list 102 permit ip
nat (inside) 0 access-list 102
vpngroup C2_VPNGROUP split-tunnel 102
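The fix in the reply works because a PIX access-list has no meaning of its own: the same numbered list is evaluated as an inbound packet filter when bound with access-group, as the NAT exemption set when bound with nat 0, and as the list of tunnelled networks when bound with vpngroup split-tunnel. Every entry is live in every role, so a permit ip line added to list 101 for the VPN was also an inbound permit on the outside interface. The script below is an added example, not part of either post, that reads a PIX 6.x style configuration and reports any access-list that is an interface filter and is also referenced by nat 0 or split-tunnel. The two sample configurations are constructed to mirror the shape of the two posts; the addresses in them are placeholders (RFC 5737 and RFC 1918), since the thread itself has them removed.

```python
"""Spot a PIX 6.x access-list that is bound as an interface filter and
also referenced elsewhere (NAT exemption, split tunnelling).

On a PIX an access-list is just a numbered or named list of ACEs; its
meaning comes from where it is referenced:
  access-group <acl> in interface <if>   -> inbound packet filter on <if>
  nat (<if>) 0 access-list <acl>         -> traffic exempt from NAT
  vpngroup <grp> split-tunnel <acl>      -> networks the VPN client tunnels
Every ACE is evaluated in every role, so a "permit ip <lan> <pool>" line
added for split tunnelling is also an inbound permit on the outside
interface when the same list is the interface filter.
"""
import re
from collections import defaultdict

# One pattern per role; group 1 is the ACL name or number being referenced.
ROLE_PATTERNS = {
    "interface-filter": re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+\S+$"),
    "nat-exemption":    re.compile(r"^nat\s+\([^)]+\)\s+0\s+access-list\s+(\S+)$"),
    "split-tunnel":     re.compile(r"^vpngroup\s+\S+\s+split-tunnel\s+(\S+)$"),
}
ACE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.*)$")


def acl_roles(config):
    """Map each ACL name to the set of roles it is referenced in."""
    roles = defaultdict(set)
    for line in (raw.strip() for raw in config.splitlines()):
        for role, pattern in ROLE_PATTERNS.items():
            match = pattern.match(line)
            if match:
                roles[match.group(1)].add(role)
    return dict(roles)


def acl_entries(config):
    """Map each ACL name to its ACEs, in configuration order."""
    entries = defaultdict(list)
    for line in (raw.strip() for raw in config.splitlines()):
        match = ACE.match(line)
        if match:
            entries[match.group(1)].append(f"{match.group(2)} {match.group(3)}")
    return dict(entries)


def overloaded_filters(config):
    """Return {acl: {"roles": [...], "entries": [...]}} for every ACL that
    is an interface filter *and* has at least one other role.  The entries
    are listed because each of them is live as an inbound filter rule."""
    entries = acl_entries(config)
    findings = {}
    for acl, roles in acl_roles(config).items():
        if "interface-filter" in roles and len(roles) > 1:
            findings[acl] = {"roles": sorted(roles), "entries": entries.get(acl, [])}
    return findings


# Constructed samples shaped like the two posts above.  All addresses are
# placeholders (RFC 5737 / RFC 1918); the thread has them removed.
SHARED_ACL = """
access-list 101 permit tcp any host 203.0.113.10 eq http
access-list 101 permit icmp any host 203.0.113.10 echo-reply
access-group 101 in interface outside
ip local pool VPN_Pool 192.168.50.1-192.168.50.50
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 101
vpngroup C2_VPNGROUP split-tunnel 101
"""

DEDICATED_ACL = """
access-list 101 permit tcp any host 203.0.113.10 eq http
access-list 101 permit icmp any host 203.0.113.10 echo-reply
access-group 101 in interface outside
ip local pool VPN_Pool 192.168.50.1-192.168.50.50
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 102
vpngroup C2_VPNGROUP split-tunnel 102
"""

if __name__ == "__main__":
    for label, cfg in (("shared", SHARED_ACL), ("dedicated", DEDICATED_ACL)):
        print(label, overloaded_filters(cfg))
```

Sharing one list between nat 0 and split-tunnel, as the reply does with list 102, is the normal PIX idiom, since both describe the same inside-to-VPN-pool traffic; the check therefore only flags lists that carry the interface-filter role alongside another one. Run it against a `show running-config` capture before touching an existing list to see which entries would become inbound filter rules.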
