Cisco Support Community

Nat 0 and split tunneling

I need to determine the capabilities of the split tunneling mechanism to restrict a VPN group to a single internal IP address.

Assume the following config for this example:

ip address inside 192.168.1.1 255.255.255.0

ip local pool VPNCLT 192.168.100.1-192.168.100.15

access-list VPN-NAT-0 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.240

nat (inside) 0 access-list VPN-NAT-0

vpngroup XXX address-pool VPNCLT

vpngroup XXX split-tunnel VPN-NAT-0

This config assigns the 192.168.100.x address to the remote clients and filters traffic for the tunnel using the NAT 0 access list. Yet the same access list filters the traffic at the other end of the tunnel, separating traffic for the internal network from all other traffic.

What then would be the form of the access list to confine traffic from the remote client to a single internal IP?

Possible solution based on the general example above (assuming 192.168.1.100 is the internal host):

access-list SPLTTUN permit ip host 192.168.1.100 192.168.100.0 255.255.255.240

vpngroup XXX split-tunnel SPLTTUN

Doesn't this violate the access list sense of source IP - destination IP?

1 REPLY

Re: Nat 0 and split tunneling

It depends on the software version. For 6.x, disable the command below:

no sysopt connection permit-ipsec

sysopt connection permit-ipsec:

To let IPSec packets bypass interface access lists, use the sysopt connection permit-ipsec command in global configuration mode. Group policy and per-user authorization access lists still apply to the traffic.

With this command disabled, you will need to configure an inbound ACL in order to permit VPN traffic, e.g.:

access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list 130 permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.10 eq domain

access-list 130 permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.11 eq domain

access-list 130 permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.13 eq citrix-ica

access-list 130 permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.13 eq www

ip local pool ippool2 192.168.100.11-192.168.100.101

nat (inside) 0 access-list 110

access-group 130 in interface outside

vpngroup vpnclient address-pool ippool2

vpngroup vpnclient dns-server 192.168.1.10 192.168.1.11

vpngroup vpnclient split-tunnel 120

vpngroup vpnclient idle-time 1800

vpngroup vpnclient password ********

Don't forget other VPN traffic such as LAN-to-LAN VPN; it needs to be permitted by the inbound ACL as well.

For v7, a new command, "vpn-filter", can be used instead:

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080452488.html
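The point both posts circle around is that the split-tunnel ACL and the inbound ACL answer two different questions: the split-tunnel ACL is pushed to the client and only decides which destinations the client routes into the tunnel, while the firewall only restricts the decrypted traffic once "sysopt connection permit-ipsec" is disabled and an inbound ACL is bound to the outside interface. The following Python script, added here as an illustration and not taken from the thread or from Cisco, parses the access-list and access-group lines quoted in the reply and evaluates constructed client flows under both decisions. It assumes the interface is named "outside", picks 192.168.100.20 as a constructed client address from ippool2, and models PIX 6.x first-match ACL semantics with the implicit deny; the sysopt behaviour it models is the one the reply quotes from the documentation.

```python
"""Flow checker for the PIX 6.x configuration quoted in this thread.

Added example, not Cisco code and not either poster's own. It separates two
decisions: whether the client routes a packet into the tunnel (split-tunnel
ACL, a client-side hint) and whether the firewall accepts the decrypted packet
inbound on 'outside' (the bound ACL, which only applies once 'sysopt
connection permit-ipsec' is disabled). The access-list / access-group lines
are the ones posted in the reply; client address and flows are constructed.
"""
import ipaddress

# Cisco port keywords that appear in the posted ACL.
PORT_NAMES = {"domain": 53, "www": 80, "citrix-ica": 1494}

CONFIG = """\
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 130 permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.10 eq domain
access-list 130 permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.11 eq domain
access-list 130 permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.13 eq citrix-ica
access-list 130 permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.13 eq www
access-group 130 in interface outside
"""
SPLIT_TUNNEL_ACL = "120"   # from 'vpngroup vpnclient split-tunnel 120'


def _addr(tokens, i):
    """Consume one PIX address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs take a real subnet mask, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return ({acl: [(action, proto, src_net, dst_net, dst_port)]},
    {(interface, direction): acl})."""
    acls, bindings = {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = None
            if i < len(t) and t[i] == "eq":
                port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif t[0] == "access-group":      # access-group ACL in|out interface NAME
            bindings[(t[4], t[2])] = t[1]
    return acls, bindings


def acl_permits(entries, proto, src, dst, dport):
    """First matching entry wins; an unmatched flow hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, e_proto, e_src, e_dst, e_port in entries:
        if e_proto not in ("ip", proto):
            continue
        if s not in e_src or d not in e_dst:
            continue
        if e_port is not None and e_port != dport:
            continue
        return action == "permit"
    return False


def client_tunnels(acls, client_ip, dst_ip):
    """Split-tunnel ACLs are written from the inside (source = protected
    network, destination = client pool); the client mirrors that to decide
    what goes into the tunnel. The firewall enforces nothing from this list."""
    return acl_permits(acls[SPLIT_TUNNEL_ACL], "ip", dst_ip, client_ip, None)


def firewall_permits(acls, bindings, sysopt_permit_ipsec, proto, client_ip, dst_ip, dport):
    """Decrypted client traffic enters inbound on 'outside'. With the sysopt it
    bypasses the interface ACL; without it the bound ACL decides, and an
    outside interface with no inbound ACL permits nothing."""
    if sysopt_permit_ipsec:
        return True
    name = bindings.get(("outside", "in"))
    return name is not None and acl_permits(acls[name], proto, client_ip, dst_ip, dport)


def check_flow(sysopt_permit_ipsec, proto, client_ip, dst_ip, dport):
    """Return (routed_into_tunnel, accepted_by_firewall) for one client flow."""
    acls, bindings = parse_config(CONFIG)
    tunneled = client_tunnels(acls, client_ip, dst_ip)
    accepted = tunneled and firewall_permits(acls, bindings, sysopt_permit_ipsec,
                                             proto, client_ip, dst_ip, dport)
    return tunneled, accepted


if __name__ == "__main__":
    client = "192.168.100.20"   # constructed: an address out of ippool2
    for sysopt in (True, False):
        print("sysopt connection permit-ipsec:", "enabled" if sysopt else "disabled")
        for proto, dst, port in [("tcp", "192.168.1.13", 80), ("tcp", "192.168.1.50", 80),
                                 ("udp", "192.168.1.10", 53), ("tcp", "8.8.8.8", 443)]:
            print(f"  {proto} {client} -> {dst}:{port}", check_flow(sysopt, proto, client, dst, port))
```

Two results are worth noticing. With the sysopt left enabled, a client reaches 192.168.1.50 even though no ACL names it, which is exactly why the split-tunnel list on its own cannot confine a group to one host. With the sysopt disabled, the posted ACL 130 only permits TCP port 53 to the DNS servers handed out by "vpngroup vpnclient dns-server", so ordinary UDP lookups from the clients are dropped; add matching "permit udp ... eq domain" entries if that is not intended.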
