Cisco Support Community
Community Member

Split Tunnel with PIX 515 6.3(4)

Hi all. Has anyone successfully allowed inbound VPN connections access to the Internet using this version of PIX? I have a proxy server, but want to remove it from the network. Any thoughts?

Thanks

12 REPLIES
Green

Re: Split Tunnel with PIX 515 6.3(4)

You can set up split tunneling like so...

access-list split-tunnel

vpngroup split-tunnel split_tunnel

So if the tunnel group name is vpngroup, the networks you want to vpn to are 192.168.1.0 and 192.168.2.0, and the vpn client subnet is 192.168.50.0 then...

access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list split_tunnel permit ip 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0

vpngroup vpngroup split-tunnel split_tunnel

Please rate helpful posts.

Community Member

Re: Split Tunnel with PIX 515 6.3(4)

Do you know if this works with my PIX version?

Green

Re: Split Tunnel with PIX 515 6.3(4)

Sure it does.

Community Member

Re: Split Tunnel with PIX 515 6.3(4)

My internal subnets are 172.17.x.x and 172.16.x.x. My VPN clients get a range of 12.168.201.x.

I want to give the 192.168.201.x subnet access to the Internet while they are connected via VPN.

Sorry, I'm new to PIX.

Community Member

Re: Split Tunnel with PIX 515 6.3(4)

I think it is better to clarify here, as there are 2 possible situations:

1) PC connects to PIX by VPN, but all the Internet traffic bypasses the VPN tunnel and goes out directly from this PC to the Internet.

2) PC connects to PIX and all traffic is tunneled through the VPN tunnel only, including Internet access, i.e. PC accesses Internet through the VPN tunnel, then through the PIX, and only then to the Internet.

Option 1 is available to any PIX and this is what split tunnel does, see post above.

Option 2 is possible only if your PIX has OS version 7.x or higher.

So please clarify what you are trying to achieve.

Community Member

Re: Split Tunnel with PIX 515 6.3(4)

If you provide any document on both options, it would be great.

Community Member

Re: Split Tunnel with PIX 515 6.3(4)

Yuri,

I want to set up option 2. Can you point me to some documentation on this configuration? Or if you have an example config, that would be great.

Community Member

Re: Split Tunnel with PIX 515 6.3(4)

Here is an example from Cisco:

"PIX/ASA 7.x and VPN Client for Public Internet VPN on a Stick Configuration Example"

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

Regards,

Yuri.

Community Member

Re: Split Tunnel with PIX 515 6.3(4)

I used this but it doesn't work?

access-list 90 permit ip 172.17.0.0 255.255.0.0 192.168.200.0 255.255.255.0

vpngroup bfpvpn split-tunnel 90

Do I have to apply access-list 90 to the inbound interface? I currently have the following:

access-group 30 in interface outside

access-group 200 in interface inside

access-group 101 in interface dmz1

Green

Re: Split Tunnel with PIX 515 6.3(4)

"My VPN clients get a range of 12.168.201.x.

I want to give the 192.168.201.x subnet access to the Internet while they are connected via VPN."

-So is the vpn pool 12.168.201.x or 192.168.201.x? If it's 12.168.201.x like you said above then...

access-list 90 permit ip 172.17.0.0 255.255.0.0 12.168.201.0 255.255.255.0

vpngroup bfpvpn split-tunnel 90
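
Added example, not part of any reply in this thread: a small Python check for two things worth verifying in split-tunnel configs like those posted above, namely that the ACL named on the vpngroup line is actually defined, and that each ACL entry's destination covers the VPN client pool. The sample config is constructed from lines posted in the thread; the pool 192.168.201.0/24 is an assumption, since the thread mentions both 12.168.201.x and 192.168.201.x.

```python
import ipaddress
import re

# Only the "permit ip <net> <mask> <net> <mask>" ACL form used in this thread is parsed.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
GROUP_RE = re.compile(r"^vpngroup\s+(\S+)\s+split-tunnel\s+(\S+)$")

# Constructed sample: ACL 90 and group bfpvpn as posted in the thread.
SAMPLE = """\
access-list 90 permit ip 172.17.0.0 255.255.0.0 192.168.200.0 255.255.255.0
vpngroup bfpvpn split-tunnel 90
"""

def audit_split_tunnel(config, vpn_pool):
    """Return findings for every 'vpngroup ... split-tunnel <acl>' binding."""
    pool = ipaddress.ip_network(vpn_pool)
    acls, bindings, findings = {}, [], []
    for raw in config.splitlines():
        line = raw.strip()
        acl = ACL_RE.match(line)
        group = GROUP_RE.match(line)
        if acl:
            name, src, smask, dst, dmask = acl.groups()
            # "network/netmask" is accepted by ipaddress; set host bits raise ValueError.
            entry = (ipaddress.ip_network(f"{src}/{smask}"),
                     ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, []).append(entry)
        elif group:
            bindings.append(group.groups())
    for group_name, acl_name in bindings:
        if acl_name not in acls:
            findings.append(f"{group_name}: split-tunnel ACL '{acl_name}' is not defined")
            continue
        for src, dst in acls[acl_name]:
            if not pool.subnet_of(dst):
                findings.append(
                    f"{group_name}: ACL '{acl_name}' entry {src} -> {dst} "
                    f"does not cover VPN pool {pool}")
    return findings

if __name__ == "__main__":
    # Assumed pool: the thread mentions both 12.168.201.x and 192.168.201.x.
    for finding in audit_split_tunnel(SAMPLE, "192.168.201.0/24"):
        print(finding)
```
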

Community Member

Re: Split Tunnel with PIX 515 6.3(4)

You can do it easily through PDM, i.e. the PIX GUI. The only thing is to look up each and every option, and you must be careful to check the split tunnel check box before applying in the process.

Community Member

Re: Split Tunnel with PIX 515 6.3(4)

I just wanted to point out that my clients are using PPTP not IPSEC. How can I make this happen using PPTP?
