Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Split Tunneling Doesn't work!

Hello!

I have a PIX 515 with 6.1(1) on it.

When I load the newest client on my PC @ home, I cannot surf the web at the same time as being connected through the VPN. I have a cable modem.

I figured it had something to do with split tunneling.

vpngroup cottageworker address-pool clientpool

vpngroup cottageworker idle-time 28800

vpngroup cottageworker split-tunnel 105

here is what the access-list looks like:

access-list 105 permit tcp any any

access-list 105 permit icmp any any

access-list 105 permit udp any any

access-list 105 permit 80 any any

access-list 105 permit ip any any

SHOULDN'T IT WORK? I know that access-list is a little open but I wanted to at least get something going...

Notice also:

nat (inside) 0 access-list 105

I appreciate your help! What is wrong with what I have done? I still can't surf and VPN to my company.

5 REPLIES
Community Member

Re: Split Tunneling Doesn't work!

Your firewall is wide open with this config. The defined interersting traffic is too much. I assume you have the vpngroup cotageworker password xxxx statement setup on your config? I do not see anything wrong with the config other than there is too much interesting traffic and your firewall is not secure (of course, this is based on if you have the correct isakmp policy and crypto map; and the routing setup correctly).

Community Member

Re: Split Tunneling Doesn't work!

I agree. Right now everything is defined as interesting so the VPN client will encrypt all traffic. If you are more specific the client will be able to identify what NOT to encrypt.

Bronze

Re: Split Tunneling Doesn't work!

Hi, I put a config like this on a PIX 520 and it works good. Not as good as a 3005 does though....

access-list nonat permit ip 10.0.0.0 255.255.255.0 172.16.254.0 55.255.255.0

access-list split permit ip 10.0.0.0 255.255.255.0 172.16.254.0 255.255.255.0

!

nat (inside) 0 access-list nonat

!

ip local pool vpn_pool 172.16.254.5-172.16.254.100

!

sysopt connection permit-ipsec

sysopt ipsec pl-compatible

crypto ipsec transform-set config esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set config

crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

crypto map vpnmap client configuration address initiate

crypto map vpnmap client configuration address respond

crypto map vpnmap interface outside

!

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp identity address

isakmp client configuration address-pool local vpn_pool outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 7200

!

vpngroup config address-pool vpn_pool

vpngroup config dns-server 10.0.0.1

vpngroup config wins-server 10.0.0.2

vpngroup config default-domain domain.com

vpngroup config split-tunnel split

vpngroup config idle-time 86400

vpngroup config password ********

Hope this helps.

Bronze

Re: Split Tunneling Doesn't work!

Interesting traffic, in this case is the information that is shot to your vpn client from the split-tunnel config in the vpngroup. In your first post, your telling the client to encrypt ALL ip (TCP,UDP). Now when you try to surf the web, your web traffic gets encrypted and goes through the vpn tunnel to the PIX. Packets coming in one interface on a PIX, can not turn around and go out the same so your web traffic is dropped. Now, lets say your inside network is 192.168.1.0, and your vpn address pool is 172.16.1.0. You would setup your split-tunnel access to say, anything that is heading from 172.16.1.0, going to 192.168.1.0 encrypt that traffic and send it across the vpn tunnel. Now when you jump on the web and go to yahoo.com, your machine does a dns lookup and finds that the ip address of that web site is 10.10.10.10, the client looks at that ip and says, I am not going to encrypt that traffic because its not in the 192.168.1.0 subnet. It then sends that traffic out your machines default gateway unencrypted and not through the vpn tunnel.

Hope that helps….

Community Member

Re: Split Tunneling Doesn't work!

Ummm...I think I don't understand what you all mean by "interesting traffic". Are you saying that I am telling the PIX to look at basically everything? So how do I get it not to look at everything?

How do I still surf and have my VPN connection up? Sorry...I think I am still lost!

I appreciate all of your help!

203
Views
0
Helpful
5
Replies
CreatePlease to create content