Cisco Support Community
Community Member

SPLIT TUNNELING pIX515 WIN2k

Hi ,

I am using a PIX 515 and I have got some clients using Win2k and IPsec over L2TP to connect to an internal network. Everything works fine. I want to implement split tunneling. Please can someone guide me?

Thanks

Raj

My relevant config is as follows:

access-list 90 permit ip 10.100.0.0 255.255.0.0 10.208.25.0 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool 10.100.25.100-10.100.25.110
nat (inside) 0 access-list 90
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 X.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
sysopt connection permit-ipsec
sysopt connection permit-l2tp
no sysopt route dnat
crypto ipsec transform-set basic esp-des esp-md5-hmac
crypto ipsec transform-set basic mode transport
crypto dynamic-map cisco 4 set transform-set basic
crypto map mymap 20 ipsec-isakmp dynamic cisco
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local mypool outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup cisco idle-time 1800
vpdn group mydialin accept dialin l2tp
vpdn group mydialin ppp authentication pap
vpdn group mydialin client configuration address local cust
vpdn group mydialin client configuration dns x.x.x.x
vpdn group mydialin client configuration wins x.x.x.x
vpdn group mydialin client authentication local
vpdn group mydialin l2tp tunnel hello 300
vpdn username user1 password ********
vpdn username user2 password ********
vpdn enable outside
terminal width 150

3 REPLIES
Community Member

Re: SPLIT TUNNELING pIX515 WIN2k

should be:

vpdngroup mydialin split-tunnel 90

since you already have:

access-list 90 permit ip 10.100.0.0 255.255.0.0 10.208.25.0 255.255.255.0

&

ip local pool mypool 10.100.25.100-10.100.25.110

nat (inside) 0 access-list 90

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a00800898ed.html

Community Member

Re: SPLIT TUNNELING pIX515 WIN2k

Hi ,

Thanks for your help. I did try, but I still cannot browse the internet. The vpdngroup command does not have the split-tunnel feature; the vpngroup command has. Still no luck. One thing to add, maybe it helps, is that I am using the Windows 2k client and not the Cisco client, and the PIX is a 515E.

Thanks

Raj .

Cisco Employee

Re: SPLIT TUNNELING pIX515 WIN2k

You can't do split tunnelling AFAIK with L2TP/IPSec. The IPsec setup simply says "encrypt all L2TP traffic", it doesn't know about the underlying traffic destination. And there's nothing in the L2TP protocol that allows for split tunnelling, since L2TP doesn't build security associations for specific traffic patterns, it's either all or nothing (similar to PPTP).

You may be able to fudge something on the client configuration, but I haven't seen anything that would allow it. You would have to set it up to only encapsulate certain traffic in L2TP, and then simply encrypt all L2TP traffic, but I doubt this can be done. There's certainly no command on the PIX that would do this for you.
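
The all-or-nothing point made in the reply above, and the reason Raj's vpngroup attempt earlier in the thread had no effect, as a small model added here (it is not code from the thread, the PIX, or Cisco). For L2TP/IPsec the transport-mode SA only covers UDP/1701 between the client and the PIX outside address, so the SA selector never sees the inner destination; the only place a per-destination decision exists is the client's own routing table. On the Windows 2000 client that table is shaped by the connection's "Use default gateway on remote network" option: with it on, every packet, Internet browsing included, is routed into the PPP adapter and therefore encrypted; with it off, only the remote network goes that way. `vpngroup <name> split-tunnel <acl>` on the PIX is pushed to the Cisco VPN client through IKE mode-config and never reaches an L2TP client. All addresses other than the 10.100.0.0/16 network from access-list 90 and the mypool range are constructed for the model.

```python
"""Model: where the encrypt/clear decision lives for L2TP/IPsec versus the Cisco VPN client.

Added example, not from the thread. Addresses marked 'assumed' are constructed.
"""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.100.0.0/16")          # source side of Raj's access-list 90
PIX_OUTSIDE = ipaddress.ip_address("203.0.113.1")       # PIX outside address (assumed)
CLIENT_LAN = ipaddress.ip_network("198.51.100.0/24")    # client's ISP subnet (assumed)
CLIENT_LAN_IP = ipaddress.ip_address("198.51.100.7")    # client's ISP-assigned address (assumed)
CLIENT_VPN_IP = ipaddress.ip_address("10.100.25.105")   # an address from mypool
INSIDE_HOST = ipaddress.ip_address("10.100.1.20")       # a server behind the PIX (assumed)
INTERNET_HOST = ipaddress.ip_address("93.184.216.34")   # a public web server (assumed)


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def next_hop_interface(routes, dst):
    """Longest-prefix match over [(network, interface)]; returns the interface name."""
    best = None
    for net, ifname in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


# Windows client with "Use default gateway on remote network" ON (Raj's situation):
# the VPN adapter injects a default route, so everything goes into the tunnel.
ROUTES_DEFAULT_GW_REMOTE = [
    (ipaddress.ip_network("0.0.0.0/0"), "ppp"),
    (CLIENT_LAN, "lan"),
    (ipaddress.ip_network(f"{PIX_OUTSIDE}/32"), "lan"),   # host route so the tunnel itself can reach the PIX
]

# Same client with that option OFF and a route for the inside network added:
# only 10.100.0.0/16 is sent to the PPP adapter; the ISP default route stays.
ROUTES_DEFAULT_GW_LOCAL = [
    (ipaddress.ip_network("0.0.0.0/0"), "lan"),
    (INSIDE, "ppp"),
    (CLIENT_LAN, "lan"),
]


def l2tp_outer_packet(inner):
    """Whatever the inner destination, the PPP frame is carried in L2TP over UDP/1701 to the PIX."""
    return Packet(CLIENT_LAN_IP, PIX_OUTSIDE, "udp", 1701)


def l2tp_sa_selects(outer):
    """Transport-mode SA negotiated for L2TP: protects UDP/1701 to the PIX and nothing else."""
    return outer.proto == "udp" and outer.dport == 1701 and outer.dst == PIX_OUTSIDE


def classify_l2tp_ipsec(routes, inner):
    """L2TP/IPsec: the routing table decides; once a packet is on ppp the SA always matches."""
    if next_hop_interface(routes, inner.dst) != "ppp":
        return "clear-via-lan"
    return "encrypted" if l2tp_sa_selects(l2tp_outer_packet(inner)) else "l2tp-unprotected"


def classify_cisco_client(split_tunnel_acl, inner):
    """Cisco VPN client: the gateway pushes 'vpngroup ... split-tunnel <acl>' and the client
    encrypts only traffic whose destination matches one of the ACL networks."""
    return "encrypted" if any(inner.dst in net for net in split_tunnel_acl) else "clear-via-lan"


if __name__ == "__main__":
    to_inside = Packet(CLIENT_VPN_IP, INSIDE_HOST, "tcp", 445)
    to_web = Packet(CLIENT_VPN_IP, INTERNET_HOST, "tcp", 80)
    for name, routes in (("default gw remote", ROUTES_DEFAULT_GW_REMOTE),
                         ("default gw local", ROUTES_DEFAULT_GW_LOCAL)):
        print(name, "inside:", classify_l2tp_ipsec(routes, to_inside),
              "web:", classify_l2tp_ipsec(routes, to_web))
    print("cisco client split-tunnel 90  web:", classify_cisco_client([INSIDE], to_web))
```

With the default gateway on the remote network, the web packet is encrypted and lands on the PIX inside the tunnel; a PIX 6.x will not turn it back out the outside interface, which matches the "cannot browse" symptom. With the default gateway kept local, the same packet never touches the PPP adapter and is sent in the clear through the ISP, which is the split-tunnel behaviour; the PIX configuration plays no part in that choice for an L2TP client.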

159 Views, 0 Helpful, 3 Replies