Mongo Peck asked:

PIX 515E SPLIT TUNNEL

I have installed a PIX and cannot seem to get the VPN Split Tunnel working correctly.
The VPN connects but internet access is lost on the local PC.

Can someone help me out and also take a general look at my setup, offering any advice / changes?

Thank you
PIX Version 7.2(4) 
!
hostname pixfirewall
domain-name xxxxxxxx.co.uk
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
name 10.0.0.0 Inside_Network description Inside_Network
name 10.0.0.250 WebServer description WebServer
name 192.168.1.0 VPNGROUP description VPNGROUP
name 192.168.0.250 Webcam description Webcam
name 10.0.0.249 Media_Server_1 description Media_Server_1
name 10.0.0.21 NAS_USB description NAS_USB
name 10.0.0.254 Slingmedia description Slingmedia
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0 
!
banner exec ####################################
banner exec ##### Welcome to xxxxxxxx.co.uk#####
banner exec ####################################
banner exec ####### No Unathorized Access#######
banner exec ####################################
banner login ####################################
banner login ##### Welcome to xxxxxxxx.co.uk#####
banner login ####################################
banner login ####### No Unathorized Access#######
banner login ####################################
boot system flash:/pix724.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name xxxxxxx.co.uk
object-group service Webcam tcp
 description Webcam
 port-object eq 4550
 port-object eq 5550
 port-object eq 6550
 port-object eq 3550
 port-object eq 5066
 port-object eq 6009
 port-object eq 5511
 port-object eq 8866
 port-object eq www
 port-object eq 8554
object-group service FTP_Complete tcp
 description FTP_Complete
 port-object eq ftp
 port-object eq ftp-data
object-group service Webcam_udp udp
 description Webcam_udp
 port-object range 1730 17380
access-list outside_access_in extended deny icmp any any 
access-list outside_access_in extended permit tcp any interface outside eq 5001 
access-list outside_access_in extended permit udp any interface outside eq 5001 
access-list outside_access_in extended permit udp any interface outside object-group Webcam_udp 
access-list outside_access_in extended permit tcp any interface outside object-group Webcam 
access-list outside_access_in extended permit tcp any interface outside eq ftp-data 
access-list outside_access_in extended permit tcp any interface outside eq ftp 
access-list 150 remark ***VPN-Client Split Tunnel***
access-list 150 extended permit ip Inside_Network 255.255.255.0 VPNGROUP 255.255.255.0 
access-list no-nat-vpn extended permit ip Inside_Network 255.255.255.0 192.168.0.0 255.255.255.0 
access-list no-nat-vpn extended permit ip any VPNGROUP 255.255.255.192 
access-list outside_in extended permit icmp any host WebServer unreachable 
access-list outside_in extended permit icmp any host WebServer time-exceeded 
access-list outside_in extended permit icmp any host WebServer echo-reply 
access-list inside_access_in extended permit icmp any any 
access-list inside_access_in extended permit ip any any 
access-list DMZ_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Inside_Network 255.255.255.0 
access-list DMZ_nat0_outbound extended permit ip any VPNGROUP 255.255.255.192 
access-list DMZ_access_in extended permit tcp host Webcam host WebServer eq domain 
access-list DMZ_access_in extended permit udp host Webcam host WebServer eq domain 
access-list DMZ_access_in extended permit ip any any 
access-list DMZ_access_in extended permit icmp any any 
access-list inside_access_in_1 extended permit ip any any 
access-list VPNGROUP_splitTunnelAcl standard permit any 
access-list VPNGROUP_splitTunnelAcl_1 standard permit VPNGROUP 255.255.255.0 
access-list VPNGROUP_splitTunnelAcl_2 standard permit any 
access-list VPNGROUP_splitTunnelAcl_3 standard permit any 
access-list VPNGROUP_splitTunnelAcl_4 standard permit any 
access-list VPNGROUP_splitTunnelAcl_5 standard permit any 
pager lines 10
logging enable
logging timestamp
logging standby
logging emblem
logging asdm-buffer-size 512
logging console warnings
logging monitor warnings
logging buffered notifications
logging trap informational
logging asdm warnings
logging facility 16
logging host inside WebServer format emblem
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool vpnpool 192.168.1.20-192.168.1.50 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image flash:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat-vpn
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list DMZ_nat0_outbound
nat (dmz) 1 192.168.0.0 255.255.255.0
static (dmz,outside) tcp interface 3550 Webcam 3550 netmask 255.255.255.255 
static (dmz,outside) tcp interface 5511 Webcam 5511 netmask 255.255.255.255 
static (dmz,outside) tcp interface 8866 Webcam 8866 netmask 255.255.255.255 
static (dmz,outside) tcp interface 6550 Webcam 6550 netmask 255.255.255.255 
static (dmz,outside) tcp interface 6009 Webcam 6009 netmask 255.255.255.255 
static (dmz,outside) tcp interface 5550 Webcam 5550 netmask 255.255.255.255 
static (dmz,outside) tcp interface 5066 Webcam 5066 netmask 255.255.255.255 
static (dmz,outside) tcp interface 4550 Webcam 4550 netmask 255.255.255.255 
static (dmz,outside) tcp interface www Webcam www netmask 255.255.255.255 
static (inside,outside) tcp interface 5001 Slingmedia 5001 netmask 255.255.255.255 
static (inside,outside) udp interface 5001 Slingmedia 5001 netmask 255.255.255.255 
static (inside,outside) tcp interface ftp-data NAS_USB ftp-data netmask 255.255.255.255 
static (inside,outside) tcp interface ftp NAS_USB ftp netmask 255.255.255.255 
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group DMZ_access_in in interface dmz
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server clientauth protocol radius
aaa-server clientauth (inside) host WebServer
 key xxxxxxxx
 radius-common-pw xxxxxxxxxx
aaa-server VPNuser protocol radius
aaa-server VPNuser (inside) host WebServer
 timeout 5
 key xxxxxxxxxx
http server enable
http Inside_Network 255.255.255.0 inside
http VPNGROUP 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
auth-prompt accept Client Auth has been accepted 
auth-prompt reject Client Auth has been rejected 
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication rsa-sig
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
crypto isakmp nat-traversal  20
telnet Inside_Network 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 15
group-policy VPNGROUP internal
group-policy VPNGROUP attributes
 wins-server value 10.0.0.250
 dns-server value 10.0.0.250
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNGROUP_splitTunnelAcl_5
 default-domain value xxxxxx.co.uk
username xxxxx password xxxxxxxx encrypted privilege 15
tunnel-group VPNGROUP type ipsec-ra
tunnel-group VPNGROUP general-attributes
 address-pool vpnpool
 authentication-server-group VPNuser LOCAL
 default-group-policy VPNGROUP
tunnel-group VPNGROUP ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global-policy
 class global-class
  inspect ctiqbe 
  inspect dcerpc 
  inspect dns 
  inspect esmtp 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect icmp 
  inspect icmp error 
  inspect ils 
  inspect ipsec-pass-thru 
  inspect mgcp 
  inspect netbios 
  inspect pptp 
  inspect rsh 
  inspect rtsp 
  inspect sip 
  inspect skinny 
  inspect snmp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect waas 
  inspect xdmcp 
!
service-policy global-policy global
prompt hostname context

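What the posted split-tunnel list does and the shape of a corrected one, as an added example (not from the question or its answer): with `split-tunnel-policy tunnelspecified`, the referenced standard ACL names the destinations the client sends into the tunnel, and `standard permit any` matches every destination, so the client tunnels all traffic and loses its local internet path. The ACL name `VPNGROUP_splitTunnelAcl` and the network names come from the posted config; the dmz entry is an assumption, needed only if VPN clients must reach the webcam.

```cisco
! Posted (problem): every destination matches, so all client traffic is tunnelled.
! Five copies of the same permit-any list exist; the group policy uses _5.
access-list VPNGROUP_splitTunnelAcl_5 standard permit any
group-policy VPNGROUP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNGROUP_splitTunnelAcl_5

! Corrected: remove the permit-any entry from the base list, then list only the
! networks behind the PIX that should be reached through the tunnel. Anything
! not listed leaves through the client's own default gateway, so internet works.
no access-list VPNGROUP_splitTunnelAcl standard permit any
access-list VPNGROUP_splitTunnelAcl standard permit Inside_Network 255.255.255.0
! Assumption: only add this if VPN clients need the dmz webcam (192.168.0.0/24).
access-list VPNGROUP_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
group-policy VPNGROUP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNGROUP_splitTunnelAcl

! The unreferenced permit-any lists serve no purpose and are best removed so a
! later edit cannot re-select one by accident.
no access-list VPNGROUP_splitTunnelAcl_1 standard permit VPNGROUP 255.255.255.0
no access-list VPNGROUP_splitTunnelAcl_2 standard permit any
no access-list VPNGROUP_splitTunnelAcl_3 standard permit any
no access-list VPNGROUP_splitTunnelAcl_4 standard permit any
no access-list VPNGROUP_splitTunnelAcl_5 standard permit any

! Check: the list should show only the inside (and optionally dmz) networks, and
! a reconnected client should report secured routes for those networks only.
show running-config access-list VPNGROUP_splitTunnelAcl
show running-config group-policy VPNGROUP
```

The nat 0 exemptions (`no-nat-vpn`, `DMZ_nat0_outbound`) use VPNGROUP with a /26 mask while `vpnpool` is defined with a /24; the pool range 192.168.1.20-50 falls inside the /26 so it works, but using the same mask in both places avoids a silent break if the pool is ever widened.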

ASKER CERTIFIED SOLUTION
asavener