Solved

PIX 515E SPLIT TUNNEL

Posted on 2009-07-07
Last Modified: 2013-11-16
I have installed a PIX and cannot seem to get the VPN split tunnel working correctly.
The VPN connects, but internet access is lost on the local PC.

Can someone help me out and also take a general look at my setup, offering any advice / changes?

Thank you
PIX Version 7.2(4) 
!
hostname pixfirewall
domain-name xxxxxxxx.co.uk
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
name 10.0.0.0 Inside_Network description Inside_Network
name 10.0.0.250 WebServer description WebServer
name 192.168.1.0 VPNGROUP description VPNGROUP
name 192.168.0.250 Webcam description Webcam
name 10.0.0.249 Media_Server_1 description Media_Server_1
name 10.0.0.21 NAS_USB description NAS_USB
name 10.0.0.254 Slingmedia description Slingmedia
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0 
!
banner exec ####################################
banner exec ##### Welcome to xxxxxxxx.co.uk#####
banner exec ####################################
banner exec ####### No Unauthorized Access######
banner exec ####################################
banner login ####################################
banner login ##### Welcome to xxxxxxxx.co.uk#####
banner login ####################################
banner login ####### No Unauthorized Access######
banner login ####################################
boot system flash:/pix724.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name xxxxxxx.co.uk
object-group service Webcam tcp
 description Webcam
 port-object eq 4550
 port-object eq 5550
 port-object eq 6550
 port-object eq 3550
 port-object eq 5066
 port-object eq 6009
 port-object eq 5511
 port-object eq 8866
 port-object eq www
 port-object eq 8554
object-group service FTP_Complete tcp
 description FTP_Complete
 port-object eq ftp
 port-object eq ftp-data
object-group service Webcam_udp udp
 description Webcam_udp
 port-object range 1730 17380
access-list outside_access_in extended deny icmp any any 
access-list outside_access_in extended permit tcp any interface outside eq 5001 
access-list outside_access_in extended permit udp any interface outside eq 5001 
access-list outside_access_in extended permit udp any interface outside object-group Webcam_udp 
access-list outside_access_in extended permit tcp any interface outside object-group Webcam 
access-list outside_access_in extended permit tcp any interface outside eq ftp-data 
access-list outside_access_in extended permit tcp any interface outside eq ftp 
access-list 150 remark ***VPN-Client Split Tunnel***
access-list 150 extended permit ip Inside_Network 255.255.255.0 VPNGROUP 255.255.255.0 
access-list no-nat-vpn extended permit ip Inside_Network 255.255.255.0 192.168.0.0 255.255.255.0 
access-list no-nat-vpn extended permit ip any VPNGROUP 255.255.255.192 
access-list outside_in extended permit icmp any host WebServer unreachable 
access-list outside_in extended permit icmp any host WebServer time-exceeded 
access-list outside_in extended permit icmp any host WebServer echo-reply 
access-list inside_access_in extended permit icmp any any 
access-list inside_access_in extended permit ip any any 
access-list DMZ_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Inside_Network 255.255.255.0 
access-list DMZ_nat0_outbound extended permit ip any VPNGROUP 255.255.255.192 
access-list DMZ_access_in extended permit tcp host Webcam host WebServer eq domain 
access-list DMZ_access_in extended permit udp host Webcam host WebServer eq domain 
access-list DMZ_access_in extended permit ip any any 
access-list DMZ_access_in extended permit icmp any any 
access-list inside_access_in_1 extended permit ip any any 
access-list VPNGROUP_splitTunnelAcl standard permit any 
access-list VPNGROUP_splitTunnelAcl_1 standard permit VPNGROUP 255.255.255.0 
access-list VPNGROUP_splitTunnelAcl_2 standard permit any 
access-list VPNGROUP_splitTunnelAcl_3 standard permit any 
access-list VPNGROUP_splitTunnelAcl_4 standard permit any 
access-list VPNGROUP_splitTunnelAcl_5 standard permit any 
pager lines 10
logging enable
logging timestamp
logging standby
logging emblem
logging asdm-buffer-size 512
logging console warnings
logging monitor warnings
logging buffered notifications
logging trap informational
logging asdm warnings
logging facility 16
logging host inside WebServer format emblem
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool vpnpool 192.168.1.20-192.168.1.50 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image flash:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat-vpn
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list DMZ_nat0_outbound
nat (dmz) 1 192.168.0.0 255.255.255.0
static (dmz,outside) tcp interface 3550 Webcam 3550 netmask 255.255.255.255 
static (dmz,outside) tcp interface 5511 Webcam 5511 netmask 255.255.255.255 
static (dmz,outside) tcp interface 8866 Webcam 8866 netmask 255.255.255.255 
static (dmz,outside) tcp interface 6550 Webcam 6550 netmask 255.255.255.255 
static (dmz,outside) tcp interface 6009 Webcam 6009 netmask 255.255.255.255 
static (dmz,outside) tcp interface 5550 Webcam 5550 netmask 255.255.255.255 
static (dmz,outside) tcp interface 5066 Webcam 5066 netmask 255.255.255.255 
static (dmz,outside) tcp interface 4550 Webcam 4550 netmask 255.255.255.255 
static (dmz,outside) tcp interface www Webcam www netmask 255.255.255.255 
static (inside,outside) tcp interface 5001 Slingmedia 5001 netmask 255.255.255.255 
static (inside,outside) udp interface 5001 Slingmedia 5001 netmask 255.255.255.255 
static (inside,outside) tcp interface ftp-data NAS_USB ftp-data netmask 255.255.255.255 
static (inside,outside) tcp interface ftp NAS_USB ftp netmask 255.255.255.255 
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group DMZ_access_in in interface dmz
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server clientauth protocol radius
aaa-server clientauth (inside) host WebServer
 key xxxxxxxx
 radius-common-pw xxxxxxxxxx
aaa-server VPNuser protocol radius
aaa-server VPNuser (inside) host WebServer
 timeout 5
 key xxxxxxxxxx
http server enable
http Inside_Network 255.255.255.0 inside
http VPNGROUP 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
auth-prompt accept Client Auth has been accepted 
auth-prompt reject Client Auth has been rejected 
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication rsa-sig
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
crypto isakmp nat-traversal  20
telnet Inside_Network 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 15
group-policy VPNGROUP internal
group-policy VPNGROUP attributes
 wins-server value 10.0.0.250
 dns-server value 10.0.0.250
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNGROUP_splitTunnelAcl_5
 default-domain value xxxxxx.co.uk
username xxxxx password xxxxxxxx encrypted privilege 15
tunnel-group VPNGROUP type ipsec-ra
tunnel-group VPNGROUP general-attributes
 address-pool vpnpool
 authentication-server-group VPNuser LOCAL
 default-group-policy VPNGROUP
tunnel-group VPNGROUP ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global-policy
 class global-class
  inspect ctiqbe 
  inspect dcerpc 
  inspect dns 
  inspect esmtp 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect icmp 
  inspect icmp error 
  inspect ils 
  inspect ipsec-pass-thru 
  inspect mgcp 
  inspect netbios 
  inspect pptp 
  inspect rsh 
  inspect rtsp 
  inspect sip 
  inspect skinny 
  inspect snmp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect waas 
  inspect xdmcp 
!
service-policy global-policy global
prompt hostname context

Question by:Mongo Peck
Accepted Solution

by:
asavener earned 2000 total points
ID: 24803610
"access-list VPNGROUP_splitTunnelAcl_5 standard permit any"

group-policy VPNGROUP attributes
 split-tunnel-network-list value VPNGROUP_splitTunnelAcl_5
The access list specifies that all traffic is to be tunneled.  Modify the VPNGROUP_splitTunnelAcl_5 access list so that only the subnets at the VPN head-end are specified.
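The corrected split-tunnel list, together with a check that catches this misconfiguration, as an added example that is not part of the original thread or the poster's configuration. With `split-tunnel-policy tunnelspecified`, the standard ACL named by `split-tunnel-network-list` is the list of destinations the client encrypts; `permit any` therefore tunnels everything, including the PC's internet traffic, which the head end then has to route back out its outside interface (on PIX 7.x that needs `same-security-traffic permit intra-interface` and a NAT rule for the pool, neither of which is in the posted config), so the client loses internet access. The script below parses the relevant lines of a running-config dump and reports, per group-policy, whether the split-tunnel list is restricted to specific subnets or is effectively "tunnel all". Both config excerpts are constructed from the posted configuration; the corrected one assumes the head-end networks the remote users need are the inside (10.0.0.0/24) and dmz (192.168.0.0/24) subnets.

```python
"""Audit PIX/ASA group-policies whose split-tunnel list tunnels everything.

Added example, not code from the original post. Parses 'name', standard
'access-list', and 'group-policy ... attributes' lines of a PIX/ASA config.
"""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str]  # (action, network, mask); 'any' is stored as ("permit", "any", "any")

# Constructed excerpt of the posted (broken) configuration.
POSTED_CONFIG = """\
name 10.0.0.0 Inside_Network description Inside_Network
name 192.168.1.0 VPNGROUP description VPNGROUP
access-list VPNGROUP_splitTunnelAcl standard permit any
access-list VPNGROUP_splitTunnelAcl_5 standard permit any
group-policy VPNGROUP internal
group-policy VPNGROUP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNGROUP_splitTunnelAcl_5
"""

# Constructed corrected configuration, as it would be typed at the CLI.
# Assumption: 10.0.0.0/24 (inside) and 192.168.0.0/24 (dmz) are the only
# head-end subnets remote users need; everything else uses the client's own uplink.
FIXED_CONFIG = """\
name 10.0.0.0 Inside_Network description Inside_Network
no access-list VPNGROUP_splitTunnelAcl_5 standard permit any
access-list VPNGROUP_splitTunnelAcl_5 standard permit Inside_Network 255.255.255.0
access-list VPNGROUP_splitTunnelAcl_5 standard permit 192.168.0.0 255.255.255.0
group-policy VPNGROUP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNGROUP_splitTunnelAcl_5
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)")
STD_ACL_RE = re.compile(r"^access-list (\S+) standard (permit|deny) (.+)$")
GP_RE = re.compile(r"^group-policy (\S+) attributes")
POLICY_RE = re.compile(r"^\s+split-tunnel-policy (\S+)")
LIST_RE = re.compile(r"^\s+split-tunnel-network-list value (\S+)")


def parse(config: str):
    """Return (names, standard ACLs, group-policy split-tunnel attributes)."""
    names: Dict[str, str] = {}
    acls: Dict[str, List[Entry]] = {}
    policies: Dict[str, Dict[str, str]] = {}
    current = None  # group-policy attribute block currently being read
    for raw in config.splitlines():
        line = raw.rstrip()
        negate = line.startswith("no ")  # 'no ...' removes an existing entry
        if negate:
            line = line[3:]
        if current is not None and not line.startswith(" "):
            current = None  # an unindented line ends the attributes block
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)  # 'name <ip> <alias>'
            continue
        if m := STD_ACL_RE.match(line):
            acl, action, rest = m.groups()
            tokens = rest.split()
            if tokens[0] == "any":
                entry: Entry = (action, "any", "any")
            elif tokens[0] == "host":
                entry = (action, names.get(tokens[1], tokens[1]), "255.255.255.255")
            else:  # '<network-or-alias> <mask>'; aliases resolve through the name table
                entry = (action, names.get(tokens[0], tokens[0]), tokens[1])
            entries = acls.setdefault(acl, [])
            if negate:
                if entry in entries:
                    entries.remove(entry)
            else:
                entries.append(entry)
            continue
        if m := GP_RE.match(line):
            current = policies.setdefault(m.group(1), {})
            continue
        if current is not None:
            if m := POLICY_RE.match(line):
                current["policy"] = m.group(1)
            elif m := LIST_RE.match(line):
                current["list"] = m.group(1)
    return names, acls, policies


def audit(config: str) -> Dict[str, str]:
    """Verdict for every group-policy that uses split-tunnel-policy tunnelspecified."""
    _, acls, policies = parse(config)
    verdicts: Dict[str, str] = {}
    for gp, attrs in policies.items():
        if attrs.get("policy") != "tunnelspecified":
            continue
        permits = [e for e in acls.get(attrs.get("list", ""), []) if e[0] == "permit"]
        if not permits:
            verdicts[gp] = "empty-list"  # nothing is tunnelled at all
        elif any(net == "any" for _, net, _ in permits):
            verdicts[gp] = "tunnels-everything"  # behaves like tunnelall
        else:
            verdicts[gp] = "ok"
    return verdicts


def tunneled_networks(config: str, group_policy: str) -> List[str]:
    """The '<network> <mask>' destinations a client of group_policy will encrypt."""
    _, acls, policies = parse(config)
    acl = policies.get(group_policy, {}).get("list", "")
    return [f"{net} {mask}" for action, net, mask in acls.get(acl, []) if action == "permit"]


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg), tunneled_networks(cfg, "VPNGROUP"))
```

Run against the posted excerpt the checker reports `VPNGROUP: tunnels-everything`; against the corrected excerpt it reports `ok` with only the two head-end subnets listed. Split tunneling is a trade-off: the client is on the internet and the corporate network at the same time, so only list what the remote users actually need. Two other items visible in the posted config that the poster asked for advice on: ISAKMP policies 10 and 20 still offer DES with group 1 or MD5, and `snmp-server community public` is the default read community; both are worth removing or changing.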