
Sample configuration for a PIX-to-PIX split-tunnel VPN

cwaltham
Level 1

I currently have two private networks connected together via a VPN tunnel with PIX 501s at both ends.

The remote site (I am at the central office) has a cable connection of their own, but at present they are routing all their data (including web traffic) over the VPN to my location, which then goes out to the internet via our T1.

Because I've already got a 'regular' VPN setup, I was wondering if someone here could please help me with a sample configuration to turn the existing VPN into a 'split-tunnel', whereby any of their traffic NOT destined for 172.16.0.0 goes out through their 66.33.x.x (cable modem) address?

Thanks :-)

Chris


jsteffensen
Level 1

Hi Chris

You can solve this by adjusting the NAT configuration and the crypto ACL you are using.

Use NAT 0 with an ACL to not do NATting between your sites.

Use NAT 1 and Global 1 to NAT your Remote office traffic to go straight to the internet.

The crypto ACL should in your case only permit IP addresses on your Central office and the Remote office (as source and destination), and not "any" IP.

As a hint, I would use different ACL names or numbers for the NAT ACL and the crypto ACL, even though these two ACLs in your case would probably be equal. PDM has problems with "double usage" of ACLs.

Here is an example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Greetings

Jarle
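The three pieces Jarle lists (a nat 0 ACL, a nat 1/global 1 pair, and a crypto ACL that names only the two site networks), written out for the remote-office PIX 501 in PIX 6.x syntax. This is an added illustration, not configuration from the thread or from the linked Cisco document; the remote LAN 192.168.1.0/24, the ACL names `nonat` and `vpn`, the crypto map name, the transform set and the ISAKMP policy are assumptions, and CENTRAL-PEER-IP, CABLE-GATEWAY and PRESHARED-KEY are placeholders for the site's own values.

```cisco
!--- Remote-office PIX 501, PIX 6.x syntax (added example, values assumed).
!--- Central office LAN: 172.16.0.0/16 (from the question).
!--- Remote office LAN: 192.168.1.0/24 (assumed).

!--- NAT ACL: only site-to-site traffic is exempt from translation.
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0

!--- Crypto ACL: same networks, but kept as a separate ACL (PDM double-use issue).
!--- No "any" here, so only 172.16.0.0/16 traffic enters the tunnel.
access-list vpn permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0

!--- nat 0: traffic matching the ACL keeps its private address and is tunnelled.
nat (inside) 0 access-list nonat
!--- nat 1 / global 1: everything else is PATed to the cable-modem address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

!--- Default route via the cable provider, so non-tunnel traffic leaves locally.
route outside 0.0.0.0 0.0.0.0 CABLE-GATEWAY 1

!--- IPsec peer definition; the central PIX must mirror the vpn ACL
!--- (172.16.0.0/16 -> 192.168.1.0/24) in its own crypto ACL and nat 0 ACL.
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map tocentral 10 ipsec-isakmp
crypto map tocentral 10 match address vpn
crypto map tocentral 10 set peer CENTRAL-PEER-IP
crypto map tocentral 10 set transform-set strong
crypto map tocentral interface outside
isakmp enable outside
isakmp key PRESHARED-KEY address CENTRAL-PEER-IP netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Once the remote site's Internet traffic no longer passes through the central office, the remote PIX becomes that site's only perimeter, so check its outside-interface access list (the default still denies unsolicited inbound connections) and confirm with `show crypto ipsec sa` that only 192.168.1.0/24 to 172.16.0.0/16 flows are counted against the tunnel.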