Split-tunnel vpnclient 4.6 to PIX

aemr
Level 1

Hi,

I am trying to let the remote PC access the internet without tunneling that traffic to the PIX, and tunnel only the traffic destined for the LANs behind the PIX.

I am confused about the use of the split-tunnel ACL and whether the client configuration address initiate command is needed. With the current config, it looks like all traffic is being tunneled. I can access the LANs behind the PIX but not the internet.

Below is the relevant config. The client local LAN segments are 10.81.129.x, 10.71.129.x and 10.81.160.x.

access-list split-tunnel permit ip any 10.0.0.0 255.0.0.0
access-list nonat permit ip 10.81.129.0 255.255.255.0 10.81.161.0 255.255.255.0
access-list nonat permit ip 10.71.129.0 255.255.255.0 10.81.161.0 255.255.255.0
access-list nonat permit ip 10.81.160.0 255.255.255.0 10.81.161.0 255.255.255.0
ip local pool pix-vpnclient-pool 10.81.161.10-10.81.161.254 mask 255.255.255.0
crypto ipsec transform-set 256sha2 esp-aes-256 esp-sha-hmac
crypto dynamic-map vpnclient 200 set transform-set 256sha2
crypto map sfhp 200 ipsec-isakmp dynamic vpnclient
crypto map sfhp interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption aes-256
isakmp policy 100 hash sha
isakmp policy 100 group 2
isakmp policy 100 lifetime 14400
vpngroup RA1-SFHG address-pool pix-vpnclient-pool
vpngroup RA1-SFHG dns-server 10.81.129.233 10.81.129.234
vpngroup RA1-SFHG wins-server 10.81.129.233
vpngroup RA1-SFHG split-tunnel split-tunnel
vpngroup RA1-SFHG pfs
vpngroup RA1-SFHG idle-time 7700
vpngroup RA1-SFHG password ********
nat (inside) 0 access-list nonat
nat (www) 0 access-list nonat
nat (voip) 0 access-list nonat

1 Reply

shijogeorge
Level 1

Hi,

Try reversing the source and destination of the split tunnel acl

"access-list split-tunnel permit ip 10.0.0.0 255.0.0.0 any"

or

"access-list split-tunnel permit ip 10.0.0.0 255.0.0.0 10.81.161.0 255.255.255.0"

HTH

Regards,

Shijo George.
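To make the direction of the split-tunnel ACL concrete, here is an added Python example (not code from the original post, the reply, or Cisco) that models what the PIX pushes to the VPN client: the source network of each permit ACE in the split-tunnel ACL becomes a secured route on the client, so `any` as source means a 0.0.0.0/0 route and a full tunnel, while the reversed ACL from the reply pushes only 10.0.0.0/8 and lets other destinations go out the client's local interface. The ACL text is copied from the thread; the probe addresses (10.81.129.233 is the posted DNS server, 198.51.100.7 is a constructed public host), the extra LAN 10.81.170.0/24 used to show a gap, and the helper names are assumptions. It also checks that every inside LAN has a nonat entry covering the client pool, which the posted config already satisfies.

```python
"""Model which destinations a Cisco VPN client tunnels under a PIX 6.x split-tunnel ACL.

Added example for this thread (not code from the original post or from Cisco).
Assumed model of 'vpngroup ... split-tunnel <acl>' on PIX 6.x: the client
receives the SOURCE network of every 'permit' ACE as a secured route and
tunnels only destinations inside those routes; the destination field of the
ACE does not affect that decision. So 'permit ip any 10.0.0.0 255.0.0.0'
pushes 0.0.0.0/0 (everything tunneled), while 'permit ip 10.0.0.0 255.0.0.0 any'
pushes 10.0.0.0/8 and leaves other destinations on the local interface.
"""
import ipaddress
import re

# ACL lines copied from the post; the reversed variant is the one from the reply.
POSTED_CONFIG = """
access-list split-tunnel permit ip any 10.0.0.0 255.0.0.0
access-list nonat permit ip 10.81.129.0 255.255.255.0 10.81.161.0 255.255.255.0
access-list nonat permit ip 10.71.129.0 255.255.255.0 10.81.161.0 255.255.255.0
access-list nonat permit ip 10.81.160.0 255.255.255.0 10.81.161.0 255.255.255.0
"""
REVERSED_CONFIG = POSTED_CONFIG.replace(
    "permit ip any 10.0.0.0 255.0.0.0", "permit ip 10.0.0.0 255.0.0.0 any"
)

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(.+)$")


def _take_addr(tokens):
    """Consume one PIX address spec ('any', 'host A', or 'A MASK') from tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    # PIX ACLs use subnet masks (not wildcard masks); ipaddress accepts "A/MASK".
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def aces(config, acl_name):
    """Yield (action, src_net, dst_net) for every 'ip' ACE of the named ACL."""
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        src, rest = _take_addr(m.group(3).split())
        dst, _ = _take_addr(rest)
        yield m.group(2), src, dst


def secured_routes(config, acl_name):
    """Networks the client will route into the tunnel: the source of each permit ACE."""
    return [src for action, src, _ in aces(config, acl_name) if action == "permit"]


def classify(config, acl_name, destinations):
    """Map each destination IP to 'tunnel' or 'direct' as the client would route it."""
    routes = secured_routes(config, acl_name)
    result = {}
    for dst in destinations:
        ip = ipaddress.ip_address(dst)
        result[dst] = "tunnel" if any(ip in net for net in routes) else "direct"
    return result


def nonat_gaps(config, acl_name, inside_lans, pool):
    """Return inside LANs with no nonat ACE exempting LAN -> pool traffic from NAT.

    A LAN that reaches the client pool without a matching 'nat 0 access-list'
    entry gets translated on the way out, and the return path to clients breaks.
    """
    pool_net = ipaddress.ip_network(pool)
    exempt = [(s, d) for action, s, d in aces(config, acl_name) if action == "permit"]
    gaps = []
    for lan in inside_lans:
        lan_net = ipaddress.ip_network(lan)
        if not any(lan_net.subnet_of(s) and pool_net.subnet_of(d) for s, d in exempt):
            gaps.append(lan)
    return gaps


if __name__ == "__main__":
    # Constructed probes: the posted internal DNS server and an arbitrary public host.
    probes = ["10.81.129.233", "198.51.100.7"]
    print("posted ACL  :", classify(POSTED_CONFIG, "split-tunnel", probes))
    print("reversed ACL:", classify(REVERSED_CONFIG, "split-tunnel", probes))
    lans = ["10.81.129.0/24", "10.71.129.0/24", "10.81.160.0/24"]
    print("nonat gaps  :", nonat_gaps(POSTED_CONFIG, "nonat", lans, "10.81.161.0/24"))
```

Running it shows the posted ACL classifying both probes as "tunnel" (the symptom in the question) and the reversed ACL sending only the 10.0.0.0/8 destination through the tunnel. The nonat check is there because a split-tunnel fix is often followed by "LAN A works, LAN B does not", which is usually a missing nat 0 entry rather than the split ACL.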
