Mongo Peck
asked on
PIX 515E SPLIT TUNNEL
I have installed a PIX and cannot seem to get the VPN split tunnel working correctly.
The VPN connects but internet access is lost on the local PC.
Can someone help me out and also take a general look at my setup, offering any advice / changes?
Thank you
PIX Version 7.2(4)
!
hostname pixfirewall
domain-name xxxxxxxx.co.uk
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
name 10.0.0.0 Inside_Network description Inside_Network
name 10.0.0.250 WebServer description WebServer
name 192.168.1.0 VPNGROUP description VPNGROUP
name 192.168.0.250 Webcam description Webcam
name 10.0.0.249 Media_Server_1 description Media_Server_1
name 10.0.0.21 NAS_USB description NAS_USB
name 10.0.0.254 Slingmedia description Slingmedia
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 192.168.0.1 255.255.255.0
!
banner exec ####################################
banner exec ##### Welcome to xxxxxxxx.co.uk#####
banner exec ####################################
banner exec ####### No Unauthorized Access#######
banner exec ####################################
banner login ####################################
banner login ##### Welcome to xxxxxxxx.co.uk#####
banner login ####################################
banner login ####### No Unauthorized Access#######
banner login ####################################
boot system flash:/pix724.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name xxxxxxx.co.uk
object-group service Webcam tcp
description Webcam
port-object eq 4550
port-object eq 5550
port-object eq 6550
port-object eq 3550
port-object eq 5066
port-object eq 6009
port-object eq 5511
port-object eq 8866
port-object eq www
port-object eq 8554
object-group service FTP_Complete tcp
description FTP_Complete
port-object eq ftp
port-object eq ftp-data
object-group service Webcam_udp udp
description Webcam_udp
port-object range 1730 17380
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended permit tcp any interface outside eq 5001
access-list outside_access_in extended permit udp any interface outside eq 5001
access-list outside_access_in extended permit udp any interface outside object-group Webcam_udp
access-list outside_access_in extended permit tcp any interface outside object-group Webcam
access-list outside_access_in extended permit tcp any interface outside eq ftp-data
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list 150 remark ***VPN-Client Split Tunnel***
access-list 150 extended permit ip Inside_Network 255.255.255.0 VPNGROUP 255.255.255.0
access-list no-nat-vpn extended permit ip Inside_Network 255.255.255.0 192.168.0.0 255.255.255.0
access-list no-nat-vpn extended permit ip any VPNGROUP 255.255.255.192
access-list outside_in extended permit icmp any host WebServer unreachable
access-list outside_in extended permit icmp any host WebServer time-exceeded
access-list outside_in extended permit icmp any host WebServer echo-reply
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list DMZ_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Inside_Network 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip any VPNGROUP 255.255.255.192
access-list DMZ_access_in extended permit tcp host Webcam host WebServer eq domain
access-list DMZ_access_in extended permit udp host Webcam host WebServer eq domain
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit icmp any any
access-list inside_access_in_1 extended permit ip any any
access-list VPNGROUP_splitTunnelAcl standard permit any
access-list VPNGROUP_splitTunnelAcl_1 standard permit VPNGROUP 255.255.255.0
access-list VPNGROUP_splitTunnelAcl_2 standard permit any
access-list VPNGROUP_splitTunnelAcl_3 standard permit any
access-list VPNGROUP_splitTunnelAcl_4 standard permit any
access-list VPNGROUP_splitTunnelAcl_5 standard permit any
pager lines 10
logging enable
logging timestamp
logging standby
logging emblem
logging asdm-buffer-size 512
logging console warnings
logging monitor warnings
logging buffered notifications
logging trap informational
logging asdm warnings
logging facility 16
logging host inside WebServer format emblem
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool vpnpool 192.168.1.20-192.168.1.50 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image flash:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat-vpn
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list DMZ_nat0_outbound
nat (dmz) 1 192.168.0.0 255.255.255.0
static (dmz,outside) tcp interface 3550 Webcam 3550 netmask 255.255.255.255
static (dmz,outside) tcp interface 5511 Webcam 5511 netmask 255.255.255.255
static (dmz,outside) tcp interface 8866 Webcam 8866 netmask 255.255.255.255
static (dmz,outside) tcp interface 6550 Webcam 6550 netmask 255.255.255.255
static (dmz,outside) tcp interface 6009 Webcam 6009 netmask 255.255.255.255
static (dmz,outside) tcp interface 5550 Webcam 5550 netmask 255.255.255.255
static (dmz,outside) tcp interface 5066 Webcam 5066 netmask 255.255.255.255
static (dmz,outside) tcp interface 4550 Webcam 4550 netmask 255.255.255.255
static (dmz,outside) tcp interface www Webcam www netmask 255.255.255.255
static (inside,outside) tcp interface 5001 Slingmedia 5001 netmask 255.255.255.255
static (inside,outside) udp interface 5001 Slingmedia 5001 netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data NAS_USB ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp NAS_USB ftp netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group DMZ_access_in in interface dmz
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server clientauth protocol radius
aaa-server clientauth (inside) host WebServer
key xxxxxxxx
radius-common-pw xxxxxxxxxx
aaa-server VPNuser protocol radius
aaa-server VPNuser (inside) host WebServer
timeout 5
key xxxxxxxxxx
http server enable
http Inside_Network 255.255.255.0 inside
http VPNGROUP 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
auth-prompt accept Client Auth has been accepted
auth-prompt reject Client Auth has been rejected
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication rsa-sig
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 20
telnet Inside_Network 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 15
group-policy VPNGROUP internal
group-policy VPNGROUP attributes
wins-server value 10.0.0.250
dns-server value 10.0.0.250
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNGROUP_splitTunnelAcl_5
default-domain value xxxxxx.co.uk
username xxxxx password xxxxxxxx encrypted privilege 15
tunnel-group VPNGROUP type ipsec-ra
tunnel-group VPNGROUP general-attributes
address-pool vpnpool
authentication-server-group VPNuser LOCAL
default-group-policy VPNGROUP
tunnel-group VPNGROUP ipsec-attributes
pre-shared-key *
isakmp keepalive disable
!
class-map global-class
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
class global-class
inspect ctiqbe
inspect dcerpc
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect icmp
inspect icmp error
inspect ils
inspect ipsec-pass-thru
inspect mgcp
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect waas
inspect xdmcp
!
service-policy global-policy global
prompt hostname context
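The posted configuration explains the symptom on its own: the group policy uses `split-tunnel-policy tunnelspecified`, and the list it points at (`VPNGROUP_splitTunnelAcl_5`) is `standard permit any`. Under `tunnelspecified` the list names what is sent through the tunnel, so `permit any` tunnels all client traffic, and nothing on the PIX hairpins that traffic back out to the internet. The fragment below is an added example, not the accepted solution from this thread or the asker's own config; the ACL name `VPN_SPLIT` is an assumption, and the hardening lines at the end act only on items visible in the posted config (DES/group 1 ISAKMP policies, an unused AES-256 transform set, an unused SNMP community).

```cisco
! Added example for PIX 7.2(4); assumes the names and addresses in the posted
! config. VPN_SPLIT is a new name chosen here.
!
! --- 1. Split tunnel: list only the networks behind the PIX ---
! "tunnelspecified" tunnels what the list permits. "permit any" therefore
! tunnels everything and the client loses local internet access.
access-list VPN_SPLIT standard permit 10.0.0.0 255.255.255.0
access-list VPN_SPLIT standard permit 192.168.0.0 255.255.255.0
!
group-policy VPNGROUP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SPLIT
!
! --- 2. Remove the dead split-tunnel lists now that nothing references them ---
! VPNGROUP_splitTunnelAcl_1 permitted the VPN pool itself (192.168.1.0/24),
! which is the client's own subnet, not the network it needs to reach.
clear configure access-list VPNGROUP_splitTunnelAcl
clear configure access-list VPNGROUP_splitTunnelAcl_1
clear configure access-list VPNGROUP_splitTunnelAcl_2
clear configure access-list VPNGROUP_splitTunnelAcl_3
clear configure access-list VPNGROUP_splitTunnelAcl_4
clear configure access-list VPNGROUP_splitTunnelAcl_5
! ACL 150 carries the "VPN-Client Split Tunnel" remark but is not referenced.
clear configure access-list 150
!
! --- 3. Phase 1/2 hygiene, from what the posted config offers ---
! Policies 10 and 20 negotiate single DES (policy 10 also DH group 1).
! Policies 40 and 60 (3DES/SHA, group 2/5) remain for the Cisco VPN client.
no crypto isakmp policy 10
no crypto isakmp policy 20
! Remote-access clients arrive on outside only.
no crypto isakmp enable inside
! trmset1 (esp-aes-256 esp-sha-hmac) is defined but unused; offer it first
! and keep 3DES as the fallback.
crypto dynamic-map outside_dyn_map 20 set transform-set trmset1 ESP-3DES-SHA
!
! --- 4. Unused default SNMP community ---
! No snmp-server host is configured, so the community serves no purpose.
no snmp-server community public
!
! --- 5. Verify after a client reconnects ---
! show run group-policy VPNGROUP     (network-list should read VPN_SPLIT)
! show run access-list VPN_SPLIT
! show vpn-sessiondb remote
! On the client PC, "route print" should show 10.0.0.0/24 and 192.168.0.0/24
! via the VPN adapter, with the default route still on the local NIC.
```

Two further points from the posted config that the split-tunnel fix does not touch. First, `nat (inside) 0 access-list no-nat-vpn` already exempts inside-to-pool traffic (`permit ip any VPNGROUP 255.255.255.192` covers 192.168.1.0-.63, which contains the pool .20-.50), so inside hosts will answer VPN clients without translation; a /24 mask would be clearer but is not wrong. Second, `DMZ_access_in` ends with `permit ip any any`, which lets the DMZ webcam (security-level 50) initiate connections to any inside host (security-level 100), so the DMZ provides no isolation as configured; the two DNS entries to WebServer plus whatever outbound access the webcam needs are enough. If the intention is instead a full tunnel with client internet via the PIX, the alternative on 7.x is `same-security-traffic permit intra-interface` plus a `nat (outside) 1 192.168.1.0 255.255.255.0` entry so pool traffic is PATed out of the outside interface; in that case keep `tunnelall` and note that all client browsing then exits from the firewall's public address.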