Split-Tunneling on a PIX LAN-to-LAN Ipsec Tunnel

Discussion in 'Cisco' started by Greg, Dec 7, 2006.

  1. Greg

    Greg Guest

    I've set up split-tunneling on a PIX for VPN clients but this is the
    first for PIX-to-PIX tunnel. Is there a way of setting up the spoke PIX
    in a LAN-to-LAN Ipsec Tunnel to do split-tunneling?

    Is this done through an access-list instead of a command? I've set up
    split-tunneling on a PIX for VPN clients but this is the first for
    PIX-to-PIX tunnel.
     
    Greg, Dec 7, 2006
    #1

  2. In article <>,
    Greg <> wrote:

    >I've set up split-tunneling on a PIX for VPN clients but this is the
    >first for PIX-to-PIX tunnel. Is there a way of setting up the spoke PIX
    >in a LAN-to-LAN Ipsec Tunnel to do split-tunneling?
    >Is this done through an access-list instead of a command? I've set up
    >split-tunneling on a PIX for VPN clients but this is the first for
    >PIX-to-PIX tunnel.


    Your LAN-to-LAN tunnel will be written in terms of crypto map policy,
    one item of which will be a "match address" clause that indicates
    an ACL name. Anything matched by that ACL *after all relevant translations*
    is sent through the VPN. So if you want the effect of split-tunnel,
    make the ACL match only that which you want to send over.

    Note: the match address ACL should be written as for what you
    would expect for data from the interior out of the PIX; the ACL
    will automatically be read "backwards" for incoming traffic.
     
    Walter Roberson, Dec 7, 2006
    #2
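A spoke-side configuration that applies what Walter describes, added here as an illustration and not taken from either poster. It uses PIX 6.x-style syntax; the LAN prefixes, peer address, object names and the pre-shared key are placeholders, and lines beginning with `:` are comments.

```cisco
: Spoke PIX. Assumed (placeholder) addressing: spoke LAN 192.168.2.0/24,
: hub LAN 192.168.1.0/24, hub outside address 203.0.113.1.

: Interesting traffic: only spoke-LAN -> hub-LAN is sent through the tunnel.
: Written interior-out; the PIX reads it mirrored for hub-LAN -> spoke-LAN
: on the inbound side, so no second ACL is needed for the return direction.
access-list vpn-hub permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

: Exempt tunnel traffic from NAT so the crypto ACL sees the private addresses
: ("after all relevant translations"). Everything else is PAT'd to the
: outside interface and goes straight out, which is the split-tunnel effect.
nat (inside) 0 access-list vpn-hub
nat (inside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface

: Phase 1 (ISAKMP) with a pre-shared key
isakmp enable outside
isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: Phase 2 (IPsec): the crypto map entry's "match address" binds the ACL above
crypto ipsec transform-set hubset esp-aes esp-sha-hmac
crypto map spokemap 10 ipsec-isakmp
crypto map spokemap 10 match address vpn-hub
crypto map spokemap 10 set peer 203.0.113.1
crypto map spokemap 10 set transform-set hubset
crypto map spokemap interface outside
sysopt connection permit-ipsec
```

The hub's crypto ACL must be the exact mirror image (hub LAN as source, spoke LAN as destination) or Phase 2 proposals will not match; `show crypto ipsec sa` on the spoke shows which local/remote identities actually negotiated, and `show access-list vpn-hub` shows whether traffic is hitting the ACL at all.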

  3. Greg

    Greg Guest

    So it IS done through access-list.

    Thanks!


    Walter Roberson wrote:
    > In article <>,
    > Greg <> wrote:
    >
    > >I've set up split-tunneling on a PIX for VPN clients but this is the
    > >first for PIX-to-PIX tunnel. Is there a way of setting up the spoke PIX
    > >in a LAN-to-LAN Ipsec Tunnel to do split-tunneling?
    > >Is this done through an access-list instead of a command? I've set up
    > >split-tunneling on a PIX for VPN clients but this is the first for
    > >PIX-to-PIX tunnel.
    >
    > Your LAN-to-LAN tunnel will be written in terms of crypto map policy,
    > one item of which will be a "match address" clause that indicates
    > an ACL name. Anything matched by that ACL *after all relevant translations*
    > is sent through the VPN. So if you want the effect of split-tunnel,
    > make the ACL match only that which you want to send over.
    >
    > Note: the match address ACL should be written as for what you
    > would expect for data from the interior out of the PIX; the ACL
    > will automatically be read "backwards" for incoming traffic.
     
    Greg, Dec 8, 2006
    #3
