Cisco VPN Split tunnel

Discussion in 'Cisco' started by patelbg, Jun 6, 2005.

  1. patelbg

    patelbg Guest

    Hi All


    I'm new to Cisco firewalls and require some help setting up Cisco VPN
    Split Tunnels. I've pasted my config with this message. I think the
    config should enable me to provide Split Tunnel VPN.


    Best Regards


    Bhavesh


    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    interface ethernet3 auto shutdown
    interface ethernet4 auto shutdown
    interface ethernet5 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security10
    nameif ethernet3 intf3 security6
    nameif ethernet4 intf4 security8
    nameif ethernet5 ABLlocal security99
    enable password encrypted
    passwd encrypted
    hostname IGW-GB-LO-ITI-FW1
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 199.100.1.63 BhaveshsPC
    name 199.100.1.62 VahidsPC
    name Vahid-Home
    name 199.100.1.30 AVSrv
    name 199.100.1.34 ITI00-EXC01
    name 199.100.1.32 ITI00-EFE01
    name 192.168.154.2 OWAInside
    name 192.168.154.30 MailSweeper
    name 192.168.154.25 OWAServer
    name 199.100.1.21 ITI_AS_400
    name 199.100.1.50 Track-IT
    name 10.75.5.0 ArabellaVL5
    name 10.75.27.0 ArabellaVL27
    name 10.75.7.0 ArabellaVL7
    name 10.75.25.0 ArabellaVL25
    name 0.0.0.0 ABLlocal
    name 199.100.1.0 ITI
    name 10.75.100.0 Arabellalocal
    name 84.9.60.140 Vahid-PC
    name 199.100.1.61 MOFO2
    name 199.100.1.174 server1
    object-group network StaticIPs
    network-object VahidsPC 255.255.255.255
    network-object BhaveshsPC 255.255.255.255
    access-list acl_in permit tcp host ITI00-EFE01 host MailSweeper eq smtp
    access-list acl_in permit tcp host BhaveshsPC interface outside eq 3389
    access-list acl_in permit udp any any eq domain
    access-list acl_in permit tcp any any eq www
    access-list acl_in permit tcp any any eq https
    access-list acl_in permit tcp host AVSrv any eq ftp
    access-list acl_in permit tcp host ITI00-EXC01 any eq ftp
    access-list acl_in permit tcp any any eq ftp
    access-list acl_in permit tcp any any eq 3101
    access-list acl_in permit tcp any any eq 3389
    access-list acl_in permit tcp any any eq pcanywhere-data
    access-list acl_in permit tcp any any eq 5632
    access-list acl_in permit icmp host BhaveshsPC any
    access-list acl_in permit icmp host VahidsPC any
    access-list acl_in permit tcp any any eq 8080
    access-list acl_in permit tcp any any eq 1433
    access-list acl_in permit tcp any any eq 3666
    access-list acl_in permit ip host server1 10.100.100.0 255.255.255.0
    access-list acl_in deny ip any any
    access-list acl_out permit tcp any host 213.86.97.44 eq https
    access-list acl_out permit tcp any host 213.86.97.45 eq smtp
    access-list acl_out permit ip 10.100.100.0 255.255.255.0 any
    access-list acl_out permit icmp any any echo-reply
    access-list acl_out permit icmp any any time-exceeded
    access-list acl_out permit icmp any any unreachable
    access-list acl_out permit icmp any any parameter-problem
    access-list acl_out deny ip any any
    access-list acl_dmz permit tcp host MailSweeper any eq smtp
    access-list acl_dmz permit tcp host OWAInside any eq https
    access-list acl_dmz permit tcp host OWAServer any eq https
    access-list acl_dmz permit tcp host MailSweeper host ITI00-EFE01 eq smtp
    access-list acl_dmz permit tcp host OWAInside host ITI00-EXC01 eq www
    access-list acl_dmz permit udp host OWAServer any eq domain
    access-list acl_dmz permit udp host OWAInside any eq domain
    access-list acl_dmz permit tcp host MailSweeper any eq ftp
    access-list acl_dmz permit tcp host MailSweeper any eq https
    access-list acl_dmz permit udp host MailSweeper any eq domain
    access-list acl_dmz permit udp any any eq domain
    access-list acl_dmz permit tcp host OWAServer any eq www
    access-list acl_dmz permit tcp host MailSweeper any eq www
    access-list acl_dmz permit tcp host OWAInside any eq www
    access-list acl_dmz deny ip any any
    access-list 102 permit ip any 10.100.100.0 255.255.255.0
    access-list 102 permit ip ITI 255.255.255.0 192.168.220.0 255.255.255.224
    access-list ABLlocal_access_in permit tcp any any eq www
    access-list ABLlocal_access_in permit tcp any any eq https
    access-list ABLlocal_access_in permit udp any any
    access-list ABLlocal_access_in permit tcp any any eq 8080
    access-list ABLlocal_access_in permit tcp any any eq ftp
    access-list ABLlocal_access_in permit tcp any any eq ftp-data
    access-list ABLlocal_access_in permit icmp any any echo-reply
    access-list ABLlocal_access_in permit icmp any any traceroute
    access-list ABLlocal_access_in deny ip any any
    access-list ITIVPN_splitTunnelAcl permit ip ITI 255.255.255.0 any
    access-list ITIVPN_splitTunnelAcl permit ip 10.100.100.0 255.255.255.0 any
    pager lines 24
    logging on
    logging timestamp
    logging buffered warnings
    logging trap critical
    logging host inside BhaveshsPC
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu intf3 1500
    mtu intf4 1500
    mtu ABLlocal 1500
    ip address outside 213.86.97.41 255.255.255.248
    ip address inside 199.100.1.252 255.255.255.0
    ip address DMZ 192.168.154.254 255.255.255.0
    no ip address intf3
    no ip address intf4
    ip address ABLlocal 10.75.100.252 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool1 10.100.100.1-10.100.100.254
    failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside
    failover ip address inside 199.100.1.253
    failover ip address DMZ 192.168.154.253
    no failover ip address intf3
    no failover ip address intf4
    no failover ip address ABLlocal
    pdm location ITI00-EFE01 255.255.255.255 inside
    pdm location ITI00-EXC01 255.255.255.255 inside
    pdm location BhaveshsPC 255.255.255.255 inside
    pdm location OWAInside 255.255.255.255 DMZ
    pdm location OWAServer 255.255.255.255 DMZ
    pdm location MailSweeper 255.255.255.255 DMZ
    pdm location VahidsPC 255.255.255.255 inside
    pdm location Vahid-Home 255.255.255.255 outside
    pdm location AVSrv 255.255.255.255 inside
    pdm location 10.100.100.0 255.255.255.0 outside
    pdm location ITI_AS_400 255.255.255.255 inside
    pdm location Track-IT 255.255.255.255 inside
    pdm location OWAInside 255.255.255.255 outside
    pdm location MailSweeper 255.255.255.255 outside
    pdm location ArabellaVL5 255.255.255.0 inside
    pdm location ArabellaVL7 255.255.255.0 inside
    pdm location ArabellaVL25 255.255.255.0 inside
    pdm location ArabellaVL27 255.255.255.0 inside
    pdm location Vahid-PC 255.255.255.255 outside
    pdm location MOFO2 255.255.255.255 inside
    pdm location server1 255.255.255.255 inside
    pdm group StaticIPs inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 102
    nat (inside) 1 ABLlocal 0.0.0.0 0 0
    nat (DMZ) 1 ABLlocal 0.0.0.0 0 0
    nat (ABLlocal) 1 ABLlocal 0.0.0.0 0 0
    static (DMZ,outside) OWAServer netmask 255.255.255.255 0 0
    static (DMZ,outside) MailSweeper netmask 255.255.255.255 0 0
    static (inside,DMZ) ITI00-EFE01 ITI00-EFE01 netmask 255.255.255.255 0 0
    static (inside,DMZ) AVSrv AVSrv netmask 255.255.255.255 0 0
    static (inside,DMZ) BhaveshsPC BhaveshsPC netmask 255.255.255.255 0 0
    static (inside,DMZ) ITI00-EXC01 ITI00-EXC01 netmask 255.255.255.255 0 0
    static (inside,DMZ) ITI_AS_400 ITI_AS_400 netmask 255.255.255.255 0 0
    static (inside,outside) ITI_AS_400 ITI_AS_400 netmask 255.255.255.255 0 0
    access-group acl_out in interface outside
    access-group acl_in in interface inside
    access-group acl_dmz in interface DMZ
    access-group ABLlocal_access_in in interface ABLlocal
    route outside ABLlocal ABLlocal 213.86.97.46 1
    route inside ArabellaVL5 255.255.255.0 199.100.1.240 1
    route inside ArabellaVL7 255.255.255.0 199.100.1.240 1
    route inside ArabellaVL25 255.255.255.0 199.100.1.240 1
    route inside ArabellaVL27 255.255.255.0 199.100.1.240 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http BhaveshsPC 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community china3com
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ABITI esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map AB2 10 set transform-set ABITI
    crypto map AB1 10 ipsec-isakmp dynamic AB2
    crypto map AB1 interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup ITIVPN address-pool vpnpool1
    vpngroup ITIVPN dns-server 199.100.1.31 199.100.1.33
    vpngroup ITIVPN default-domain iti.arabbank.plc
    vpngroup ITIVPN split-tunnel ITIVPN_splitTunnelAcl
    vpngroup ITIVPN split-dns iti.arabbank.plc arabbank.plc
    vpngroup ITIVPN idle-time 1800
    vpngroup ITIVPN password ********
    telnet BhaveshsPC 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    username syrus password encrypted privilege 15
    username ITIVPN password encrypted privilege 15
    terminal width 80
    Cryptochecksum:
    : end
    patelbg, Jun 6, 2005
    #1
  2. "patelbg" <> wrote:

    > I'm new to Cisco firewalls and require some help setting up
    > Cisco VPN Split Tunnels. I've pasted my config with this
    > message. I think the config should enable me to provide
    > Split Tunnel VPN.


    Well,

    I think that you should be more specific. It doesn't work,
    right? Then what are the symptoms and what have you already
    done in order to solve the problem? Now you are asking us
    to figure out by ourselves what you're up to.
    Jyri Korhonen, Jun 6, 2005
    #2
  3. patelbg

    patelbg Guest

    Sorry...

    Yes, it is not working.... I have not done much yet; I was looking for a
    place to start from.

    I have an access list which covers the VPN

    access-list ITIVPN_splitTunnelAcl permit ip ITI 255.255.255.0 any
    access-list ITIVPN_splitTunnelAcl permit ip 10.100.100.0 255.255.255.0 any

    and configured VPN via the PDM on the PIX

    vpngroup ITIVPN address-pool vpnpool1
    vpngroup ITIVPN dns-server 199.100.1.31 199.100.1.33
    vpngroup ITIVPN default-domain iti.arabbank.plc
    vpngroup ITIVPN split-tunnel ITIVPN_splitTunnelAcl
    vpngroup ITIVPN split-dns iti.arabbank.plc arabbank.plc
    vpngroup ITIVPN idle-time 1800
    vpngroup ITIVPN password ********

    Basically when we connect over VPN... we cannot access the Internet. I
    am not sure where I have gone wrong.

    We have an internal network; unfortunately, the old administrator created
    it using an address scheme of 199.x.x.x/24. Not good as it does
    conform to normal IP standards for an internal network.

    I've created a VPN pool of 10.100.100.0/8 which allows access to the
    internal subnet.

    I was wondering if someone could point me in the right direction as to why
    split tunneling is not working?

    Thanks in Advance
    patelbg, Jun 7, 2005
    #3
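As an added example (not code from the thread or from Cisco), here is a small Python checker that reads the name, access-list and vpngroup split-tunnel lines quoted above and reports which destinations the PIX would push to the VPN client as tunnelled, so a reviewer can confirm that Internet destinations fall outside the policy and that no entry with an "any" source silently turns the split tunnel into a full tunnel. The sample config string is constructed from the lines in the post; the PIX 6.x rule that the ACL source addresses are the secured networks is an assumption stated in the comments.

```python
# Added example, not code from the thread: checks which destinations a PIX 6.3
# "vpngroup <group> split-tunnel <acl>" policy sends through the tunnel.
# Assumption (PIX 6.x semantics): the SOURCE addresses of the permit entries in
# that ACL are the protected networks pushed to the client as secured routes;
# any other destination leaves via the client's own local Internet link.
import ipaddress

# Constructed from the name/access-list/vpngroup lines quoted in the post.
SAMPLE_CONFIG = """\
name 199.100.1.0 ITI
access-list ITIVPN_splitTunnelAcl permit ip ITI 255.255.255.0 any
access-list ITIVPN_splitTunnelAcl permit ip 10.100.100.0 255.255.255.0 any
vpngroup ITIVPN split-tunnel ITIVPN_splitTunnelAcl
"""

def parse_split_tunnel(config, group):
    """Return the networks tunnelled for `group`, in ACL order."""
    names, acls, acl_name = {}, {}, None
    for line in config.splitlines():
        p = line.split()
        if len(p) == 3 and p[0] == "name":            # name <ip> <alias>
            names[p[2]] = p[1]
        elif len(p) >= 5 and p[0] == "access-list":   # access-list <acl> <ace...>
            acls.setdefault(p[1], []).append(p[2:])
        elif len(p) == 4 and p[:3] == ["vpngroup", group, "split-tunnel"]:
            acl_name = p[3]
    if acl_name is None:
        raise ValueError(f"no split-tunnel ACL bound to vpngroup {group}")
    nets = []
    for ace in acls.get(acl_name, []):
        if ace[0] != "permit":                        # deny adds no secured route
            continue
        src = ace[2]
        if src == "any":                              # tunnels everything
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif src == "host":                           # host <ip|alias>
            nets.append(ipaddress.ip_network(names.get(ace[3], ace[3])))
        else:                                         # <net|alias> <dotted mask>
            addr = names.get(src, src)
            nets.append(ipaddress.ip_network(f"{addr}/{ace[3]}", strict=False))
    return nets

def is_tunnelled(dst, nets):
    """True if traffic to `dst` would be sent through the VPN tunnel."""
    return any(ipaddress.ip_address(dst) in n for n in nets)

def policy_report(config, group):
    """Secured networks plus a flag for an 'any' source that defeats split tunnelling."""
    nets = parse_split_tunnel(config, group)
    return {"secured": [str(n) for n in nets],
            "full_tunnel": any(n.prefixlen == 0 for n in nets)}
```

For the policy quoted above the report lists only 199.100.1.0/24 and 10.100.100.0/24, so a public address such as 213.86.97.44 is sent directly by the client rather than through the tunnel.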