Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
217
Views
5
Helpful
2
Replies

Meaning of The Config

mrashby
Level 1
Level 1

‎05-15-2006 11:59 AM - edited ‎03-09-2019 02:55 PM

All,

I referred to config I downloaded to setup my pix. I have a question about some of the commands. For instance what does vpngroup groupmarketing "split-tunnel 102"- Now I know what the group command is referring to but I don't know what split-tunnel 102 means. Also what is a "crypto map"?

Labels:
0 Helpful
2 Replies 2

scottmac
Level 10
Level 10

‎05-15-2006 04:00 PM

Split tunnel permits (or not, per the config) a user to access resources through the VPN, and outside the VPN concurrently (i.e., access the Internet while the VPN to Corp is active).

Many places consider it a security risk and do not permit split tunnelling.

The Crypto map is the group of statements that combine all of the other config parameters into a final map.

Good Luck

Scott

a.kiprawih
Level 7
Level 7

‎05-15-2006 07:29 PM

Hi,

The 'split-tunnel 102' command enables the split tunneling with access-list number 102.

The access-list 102 defines which traffic flows through the tunnel, others will be sent to gateway for normal internet access.

The 'crypto-map' command is used to define/bind remote-peer IP, transform set, interesting access-list, which need to be applied on outbound interface, normally on the PIX outside interface, where the outbound VPN traffic is sent out to remote peer.

Example:

1. Define interesting traffic (to go through vpn tunnel) using access list. This access list only allows traffic from network 192.168.12.0 to reach 10.0.0.0 via vpn.

access-list 102 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0

2. Define a crypto map:

crypto map to-Site1 10 ipsec-isakmp

crypto map to-Site1 10 match address 102

crypto map to-Site1 10 set transform-set strong

crypto map to-Site1 10 set peer x.x.x.1

3. Apply the crypto map to the outside interface:

crypto map toSanJose interface outside

PIX Command Ref:

-> http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a6.html#wp1034654

-> http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172795.html

Rgds,

AK

0 Helpful
Customers Also Viewed These Support Documents