Solved

PIX 515E SPLIT TUNNEL

Posted on 2009-07-07
Last Modified: 2013-11-16
I have installed a PIX and cannot seem to get the VPN Split Tunnel working correctly.
The VPN connects but internet access is lost on the local PC.

Can someone help me out and also take a general look at my setup offering any advice / changes.

Thank you
PIX Version 7.2(4) 

!

hostname pixfirewall

domain-name xxxxxxxx.co.uk

enable password xxxxxxxxxxxx encrypted

passwd xxxxxxxxxx encrypted

names

name 10.0.0.0 Inside_Network description Inside_Network

name 10.0.0.250 WebServer description WebServer

name 192.168.1.0 VPNGROUP description VPNGROUP

name 192.168.0.250 Webcam description Webcam

name 10.0.0.249 Media_Server_1 description Media_Server_1

name 10.0.0.21 NAS_USB description NAS_USB

name 10.0.0.254 Slingmedia description Slingmedia

!

interface Ethernet0

 nameif outside

 security-level 0

 ip address dhcp setroute 

!

interface Ethernet1

 nameif inside

 security-level 100

 ip address 10.0.0.1 255.255.255.0 

!

interface Ethernet2

 nameif dmz

 security-level 50

 ip address 192.168.0.1 255.255.255.0 

!

banner exec ####################################

banner exec ##### Welcome to xxxxxxxx.co.uk#####

banner exec ####################################

banner exec ####### No Unathorized Access#######

banner exec ####################################

banner login ####################################

banner login ##### Welcome to xxxxxxxx.co.uk#####

banner login ####################################

banner login ####### No Unathorized Access#######

banner login ####################################

boot system flash:/pix724.bin

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns server-group DefaultDNS

 domain-name xxxxxxx.co.uk

object-group service Webcam tcp

 description Webcam

 port-object eq 4550

 port-object eq 5550

 port-object eq 6550

 port-object eq 3550

 port-object eq 5066

 port-object eq 6009

 port-object eq 5511

 port-object eq 8866

 port-object eq www

 port-object eq 8554

object-group service FTP_Complete tcp

 description FTP_Complete

 port-object eq ftp

 port-object eq ftp-data

object-group service Webcam_udp udp

 description Webcam_udp

 port-object range 1730 17380

access-list outside_access_in extended deny icmp any any 

access-list outside_access_in extended permit tcp any interface outside eq 5001 

access-list outside_access_in extended permit udp any interface outside eq 5001 

access-list outside_access_in extended permit udp any interface outside object-group Webcam_udp 

access-list outside_access_in extended permit tcp any interface outside object-group Webcam 

access-list outside_access_in extended permit tcp any interface outside eq ftp-data 

access-list outside_access_in extended permit tcp any interface outside eq ftp 

access-list 150 remark ***VPN-Client Split Tunnel***

access-list 150 extended permit ip Inside_Network 255.255.255.0 VPNGROUP 255.255.255.0 

access-list no-nat-vpn extended permit ip Inside_Network 255.255.255.0 192.168.0.0 255.255.255.0 

access-list no-nat-vpn extended permit ip any VPNGROUP 255.255.255.192 

access-list outside_in extended permit icmp any host WebServer unreachable 

access-list outside_in extended permit icmp any host WebServer time-exceeded 

access-list outside_in extended permit icmp any host WebServer echo-reply 

access-list inside_access_in extended permit icmp any any 

access-list inside_access_in extended permit ip any any 

access-list DMZ_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Inside_Network 255.255.255.0 

access-list DMZ_nat0_outbound extended permit ip any VPNGROUP 255.255.255.192 

access-list DMZ_access_in extended permit tcp host Webcam host WebServer eq domain 

access-list DMZ_access_in extended permit udp host Webcam host WebServer eq domain 

access-list DMZ_access_in extended permit ip any any 

access-list DMZ_access_in extended permit icmp any any 

access-list inside_access_in_1 extended permit ip any any 

access-list VPNGROUP_splitTunnelAcl standard permit any 

access-list VPNGROUP_splitTunnelAcl_1 standard permit VPNGROUP 255.255.255.0 

access-list VPNGROUP_splitTunnelAcl_2 standard permit any 

access-list VPNGROUP_splitTunnelAcl_3 standard permit any 

access-list VPNGROUP_splitTunnelAcl_4 standard permit any 

access-list VPNGROUP_splitTunnelAcl_5 standard permit any 

pager lines 10

logging enable

logging timestamp

logging standby

logging emblem

logging asdm-buffer-size 512

logging console warnings

logging monitor warnings

logging buffered notifications

logging trap informational

logging asdm warnings

logging facility 16

logging host inside WebServer format emblem

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip local pool vpnpool 192.168.1.20-192.168.1.50 mask 255.255.255.0

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

asdm image flash:/asdm-524.bin

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list no-nat-vpn

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 0 access-list DMZ_nat0_outbound

nat (dmz) 1 192.168.0.0 255.255.255.0

static (dmz,outside) tcp interface 3550 Webcam 3550 netmask 255.255.255.255 

static (dmz,outside) tcp interface 5511 Webcam 5511 netmask 255.255.255.255 

static (dmz,outside) tcp interface 8866 Webcam 8866 netmask 255.255.255.255 

static (dmz,outside) tcp interface 6550 Webcam 6550 netmask 255.255.255.255 

static (dmz,outside) tcp interface 6009 Webcam 6009 netmask 255.255.255.255 

static (dmz,outside) tcp interface 5550 Webcam 5550 netmask 255.255.255.255 

static (dmz,outside) tcp interface 5066 Webcam 5066 netmask 255.255.255.255 

static (dmz,outside) tcp interface 4550 Webcam 4550 netmask 255.255.255.255 

static (dmz,outside) tcp interface www Webcam www netmask 255.255.255.255 

static (inside,outside) tcp interface 5001 Slingmedia 5001 netmask 255.255.255.255 

static (inside,outside) udp interface 5001 Slingmedia 5001 netmask 255.255.255.255 

static (inside,outside) tcp interface ftp-data NAS_USB ftp-data netmask 255.255.255.255 

static (inside,outside) tcp interface ftp NAS_USB ftp netmask 255.255.255.255 

access-group outside_access_in in interface outside

access-group inside_access_in_1 in interface inside

access-group DMZ_access_in in interface dmz

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa-server clientauth protocol radius

aaa-server clientauth (inside) host WebServer

 key xxxxxxxx

 radius-common-pw xxxxxxxxxx

aaa-server VPNuser protocol radius

aaa-server VPNuser (inside) host WebServer

 timeout 5

 key xxxxxxxxxx

http server enable

http Inside_Network 255.255.255.0 inside

http VPNGROUP 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

auth-prompt accept Client Auth has been accepted 

auth-prompt reject Client Auth has been rejected 

crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac 

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp identity address 

crypto isakmp enable outside

crypto isakmp enable inside

crypto isakmp policy 10

 authentication rsa-sig

 encryption des

 hash sha

 group 1

 lifetime 86400

crypto isakmp policy 20

 authentication pre-share

 encryption des

 hash md5

 group 2

 lifetime 86400

crypto isakmp policy 40

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto isakmp policy 60

 authentication pre-share

 encryption 3des

 hash sha

 group 5

 lifetime 86400

crypto isakmp nat-traversal  20

telnet Inside_Network 255.255.255.0 inside

telnet timeout 60

ssh timeout 5

console timeout 15

group-policy VPNGROUP internal

group-policy VPNGROUP attributes

 wins-server value 10.0.0.250

 dns-server value 10.0.0.250

 vpn-tunnel-protocol IPSec 

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value VPNGROUP_splitTunnelAcl_5

 default-domain value xxxxxx.co.uk

username xxxxx password xxxxxxxx encrypted privilege 15

tunnel-group VPNGROUP type ipsec-ra

tunnel-group VPNGROUP general-attributes

 address-pool vpnpool

 authentication-server-group VPNuser LOCAL

 default-group-policy VPNGROUP

tunnel-group VPNGROUP ipsec-attributes

 pre-shared-key *

 isakmp keepalive disable

!

class-map global-class

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global-policy

 class global-class

  inspect ctiqbe 

  inspect dcerpc 

  inspect dns 

  inspect esmtp 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect http 

  inspect icmp 

  inspect icmp error 

  inspect ils 

  inspect ipsec-pass-thru 

  inspect mgcp 

  inspect netbios 

  inspect pptp 

  inspect rsh 

  inspect rtsp 

  inspect sip 

  inspect skinny 

  inspect snmp 

  inspect sqlnet 

  inspect sunrpc 

  inspect tftp 

  inspect waas 

  inspect xdmcp 

!

service-policy global-policy global

prompt hostname context

Question by:Mongo Peck
Accepted Solution by: asavener
"access-list VPNGROUP_splitTunnelAcl_5 standard permit any"

group-policy VPNGROUP attributes
 split-tunnel-network-list value VPNGROUP_splitTunnelAcl_5
The access list specifies that all traffic is to be tunneled.  Modify the VPNGROUP_splitTunnelAcl_5 access list so that only the subnets at the VPN head-end are specified.
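Worked example of the change asavener describes, added by the editor; it is not part of the original thread. The "before" lines are copied from the posted config. The "after" lines use an ACL name of my choosing (VPN_SPLIT_TUNNEL) and list only the two subnets that actually sit behind the PIX in the posted config: 10.0.0.0/24 (Inside_Network) and 192.168.0.0/24 (dmz). The reason the PC loses internet with the current list is that "permit any" pushes a 0.0.0.0/0 route to the client, so internet-bound packets enter the tunnel and arrive on the outside interface; the posted config has neither "same-security-traffic permit intra-interface" nor a NAT rule for the pool, so the PIX cannot send them back out and they are dropped.

```cisco
! ---- Before (as posted): every destination matches, so the client
! ---- tunnels all traffic, including internet-bound traffic.
access-list VPNGROUP_splitTunnelAcl_5 standard permit any
group-policy VPNGROUP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNGROUP_splitTunnelAcl_5

! ---- After: a standard ACL naming only the head-end subnets.
! ---- VPN_SPLIT_TUNNEL is an example name, not from the posted config.
! ---- Do not list "any", 0.0.0.0/0, or the client pool (192.168.1.0/24).
access-list VPN_SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0
access-list VPN_SPLIT_TUNNEL standard permit 192.168.0.0 255.255.255.0
group-policy VPNGROUP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SPLIT_TUNNEL

! ---- Remove the leftover permit-any lists so a later ASDM edit
! ---- cannot re-select one of them by mistake.
no access-list VPNGROUP_splitTunnelAcl standard permit any
no access-list VPNGROUP_splitTunnelAcl_2 standard permit any
no access-list VPNGROUP_splitTunnelAcl_3 standard permit any
no access-list VPNGROUP_splitTunnelAcl_4 standard permit any
no access-list VPNGROUP_splitTunnelAcl_5 standard permit any
write memory

! ---- Verify: the group policy must reference the new list and the
! ---- list must contain exactly the two subnets above.
show run group-policy VPNGROUP
show access-list VPN_SPLIT_TUNNEL
! ---- Return traffic to the pool already bypasses NAT: no-nat-vpn has
! ---- "permit ip any VPNGROUP 255.255.255.192", and 192.168.1.0/26
! ---- covers the whole pool 192.168.1.20-192.168.1.50. No change needed.
show run nat
```

After the client reconnects (the group policy is only pushed at connect time), check the client routing table: on Windows "route print" should show 10.0.0.0/24 and 192.168.0.0/24 via the VPN adapter while the default route still points at the local gateway. Two caveats: the DNS and WINS server 10.0.0.250 is reachable only because it is inside a tunneled subnet, so keep Inside_Network in the list; and split tunneling means a client that is compromised on its local LAN now has a foot in both networks, so the head-end should not rely on the VPN alone to keep untrusted hosts away from 10.0.0.0/24.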