PIX 515E and split tunnelling

mawallace
Level 1

I have a network set up as follows:

Internal 220.0.0.1

VPN users pool 172.20.0.0

We can connect via VPN and see internal network.

I want to enable split-tunnelling.

I have the following IPSec rule set up:

Protect

Tunneling Policy: ODynamic20

Firewall Side: Interface Inside, 0.0.0.0

Remote Side: Interface Outside, IP Address 172.20.0.0, Mask 255.255.255.254

Protocol: IP

If I click on split tunnelling and use this policy I can access the internet (from the client) but not the internal network 220.0.0.1!

If I remove the policy I can access the internal network and not access the internet!

Do I need to define a new policy or enter the network details in the manage split tunnel screen?

Can any answers refer me to the web interface, as I find this easier to use than commands!

1 Reply

sachinraja
Level 9

Hello Wallace,

Really sorry. I will have to give it on the CLI. I haven't worked much with the PDM.

It's actually straightforward. You just need to create an access-list on the PIX, specifying the source and destination networks, and apply this to the vpngroup command on the PIX.

example:

local network on the PIX - 10.1.1.0/24

remote network (in your case) 172.20.0.0

Just create an ACL:

access-list 50 permit ip 10.1.1.0 255.255.255.0 172.20.0.0 255.255.255.0

vpngroup abcxyz split-tunnel 50

This will allow only traffic between the local networks through the IPSEC tunnel. Other traffic (internet) will be flowing through the LAN card.

Hope this helps. Rate replies if found useful.

Raj
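As an added example (not part of either post above, and not a Cisco tool), here is a small Python check for the two PIX lines the reply gives: it parses the `access-list ... permit ip` and `vpngroup ... split-tunnel` lines and reports when the bound ACL cannot match the client pool, for instance when the destination mask is 255.255.255.254, which covers only two addresses. The pool is assumed to be 172.20.0.0/24; the sample configs are constructed.

```python
import ipaddress
import re

# PIX 6.x forms from the thread: "access-list N permit ip S SM D DM" and
# "vpngroup NAME split-tunnel N".
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
GRP_RE = re.compile(r"^vpngroup (\S+) (\S+) (.+)$")

# Constructed samples (not from the thread): the answer's ACL as given, and
# the same ACL with the /31 mask the original poster's policy used.
GOOD_CONFIG = """access-list 50 permit ip 10.1.1.0 255.255.255.0 172.20.0.0 255.255.255.0
vpngroup abcxyz split-tunnel 50"""
BAD_CONFIG = """access-list 50 permit ip 10.1.1.0 255.255.255.0 172.20.0.0 255.255.255.254
vpngroup abcxyz split-tunnel 50"""

def parse_pix(config):
    """Collect 'permit ip' ACL entries and vpngroup settings from config text."""
    acls, groups = {}, {}
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m:
            acl, s, sm, d, dm = m.groups()
            src = ipaddress.ip_network(f"{s}/{sm}", strict=False)
            dst = ipaddress.ip_network(f"{d}/{dm}", strict=False)
            acls.setdefault(acl, []).append((src, dst))
            continue
        m = GRP_RE.match(raw.strip())
        if m:
            name, key, value = m.groups()
            groups.setdefault(name, {})[key] = value
    return acls, groups

def check_split_tunnel(config, group, pool):
    """Return problems with the split-tunnel ACL bound to `group`; [] if sane.
    `pool` is the VPN client pool, e.g. "172.20.0.0/24" (the /24 is assumed)."""
    acls, groups = parse_pix(config)
    pool = ipaddress.ip_network(pool)
    acl_id = groups.get(group, {}).get("split-tunnel")
    if acl_id is None:
        return [f"vpngroup {group}: no split-tunnel ACL, all client traffic tunnelled"]
    entries = acls.get(acl_id, [])
    if not entries:
        return [f"ACL {acl_id}: bound to {group} but has no 'permit ip' entries"]
    problems = []
    for _src, dst in entries:
        if dst.prefixlen >= 31:  # a /31 or /32 can never describe a client pool
            problems.append(f"ACL {acl_id}: mask {dst.netmask} matches at most 2 hosts")
        if not pool.subnet_of(dst):
            problems.append(f"ACL {acl_id}: destination {dst} does not cover pool {pool}")
    return problems
```

Running `check_split_tunnel(GOOD_CONFIG, "abcxyz", "172.20.0.0/24")` returns an empty list, while the same call on `BAD_CONFIG` reports both the two-host mask and the uncovered pool.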
