
yeo
New Member

Split-Tunneling, can it be used to permit traffic to 2+ interfaces???

I have a PIX 515 with 4 interfaces and I have to allow access to SQL servers on one interface and web servers on another interface to my developers from yet a third interface, the outside. Is there a way to use split tunneling to allow this or some other way? The way I see it I have to create 2 VPNs and they have to switch back and forth between the VPNs to switch to the different interfaces. Just want to know which way I can go?

Thanks ahead of time.

4 REPLIES
Bronze

Re: Split-Tunneling, can it be used to permit traffic to 2+ inte

Hi,

What I understand is that you will need to configure the nat (inside) 0 and nat (dmz) 0 commands on your PIX so that developers can access it from the other side of the tunnel.

Assuming that you have one server on inside, and the others in DMZ.

Thx

Afaq

yeo
New Member

Re: Split-Tunneling, can it be used to permit traffic to 2+ inte

Hello,

I have made the adjustment you suggested along with adding a new access-list. I noted this in the config below. I am unsure if I have a complete setup. I inherited the setup from a contractor and am trying to augment the system to accommodate my developers. The system works great letting my remote staff connect in to the inside but now I need to get access to the 2 interfaces. I figured if I could get the current setup to work I would revert it back to the old setup and create a new VPN for my developers that allowed them access to both inside and dmz. Here is what I have so far. Let me know if you see anything glaring that I have omitted.

access-list 110 permit ip 65.167.124.128 255.255.255.128 192.168.110.0 255.255.255.0
access-list 100 permit ip 65.167.124.128 255.255.255.128 192.168.110.0 255.255.255.0
access-list 120 permit ip 65.167.124.64 255.255.255.224 192.168.110.0 255.255.255.0 (added after last post)
nat (inside) 0 access-list 100
nat (dmz) 0 access-list 120 (added after last post)
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 dns-server adc001
vpngroup vpn3000 default-domain yeo.org
vpngroup vpn3000 split-tunnel 110
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password **********

Cisco Employee

Re: Split-Tunneling, can it be used to permit traffic to 2+ inte

Close, you just have to add the DMZ network to the split-tunnel list so that the client will encrypt traffic for that network. Add:

access-list 110 permit ip 65.167.124.64 255.255.255.224 192.168.110.0 255.255.255.0

and you should be up and running.

Note that you don't have to do split tunneling for this to work. You could remove ACL 110 altogether along with the "vpngroup vpn3000 split-tunnel 110" line; all traffic will then be tunnelled, which is less of a security risk, and your clients would still have access to the inside and dmz subnets by virtue of the "nat 0" commands.
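A way to catch exactly this gap before clients complain, as an added example that is not from the thread or from Cisco: a small Python audit that reads a PIX config, takes each interface's nat 0 exemption ACL as the list of networks the VPN is meant to reach, and reports any of them that the vpngroup's split-tunnel ACL does not tell the client to encrypt. The config text below is constructed, modelled on the one posted above; if the group has no split-tunnel line at all, everything is tunnelled and nothing is reported.

```python
import ipaddress
import re

# Constructed sample, modelled on the PIX config posted in the thread:
# the DMZ subnet is exempted from NAT but missing from split-tunnel ACL 110.
SAMPLE_CONFIG = """
access-list 110 permit ip 65.167.124.128 255.255.255.128 192.168.110.0 255.255.255.0
access-list 100 permit ip 65.167.124.128 255.255.255.128 192.168.110.0 255.255.255.0
access-list 120 permit ip 65.167.124.64 255.255.255.224 192.168.110.0 255.255.255.0
nat (inside) 0 access-list 100
nat (dmz) 0 access-list 120
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 split-tunnel 110
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
SPLIT_RE = re.compile(r"^vpngroup (\S+) split-tunnel (\S+)$")

def parse(config):
    """Return (acls, nat0, split): ACL entries as (src, dst) networks,
    nat-0 ACL name per interface, split-tunnel ACL name per vpngroup."""
    acls, nat0, split = {}, {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := SPLIT_RE.match(line):
            split[m.group(1)] = m.group(2)
    return acls, nat0, split

def split_tunnel_gaps(config, group):
    """Networks exempted from NAT (nat 0) that the group's split-tunnel ACL does
    not cover, keyed by interface. Empty when there is no gap, and also empty
    when the group has no split-tunnel line, since then all traffic is tunnelled."""
    acls, nat0, split = parse(config)
    if group not in split:
        return {}
    tunnelled = [src for src, _ in acls.get(split[group], [])]
    gaps = {}
    for iface, acl in nat0.items():
        for net, _ in acls.get(acl, []):
            if not any(net.subnet_of(t) for t in tunnelled):
                gaps.setdefault(iface, []).append(str(net))
    return gaps

if __name__ == "__main__":
    print(split_tunnel_gaps(SAMPLE_CONFIG, "vpn3000"))  # {'dmz': ['65.167.124.64/27']}
```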

yeo
New Member

Re: Split-Tunneling, can it be used to permit traffic to 2+ inte

Perfect. Works like a charm. Thanks for the help.
