
Cisco VPN Split Tunnel

patelbg2003 (IS-IT--Management), Feb 18, 2003
Hi All


I am new to Cisco firewalls and require some help setting up Cisco VPN Split Tunnels. I've pasted my config with this message. I think the config should enable me to provide Split Tunnel VPN, but it does not work. Does anyone have any ideas why?


Best Regards


Bhavesh


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 ABLlocal security99
enable password encrypted
passwd encrypted
hostname IGW-GB-LO-ITI-FW1
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 199.100.1.63 BhaveshsPC
name 199.100.1.62 VahidsPC
name Vahid-Home
name 199.100.1.30 AVSrv
name 199.100.1.34 ITI00-EXC01
name 199.100.1.32 ITI00-EFE01
name 192.168.154.2 OWAInside
name 192.168.154.30 MailSweeper
name 192.168.154.25 OWAServer
name 199.100.1.21 ITI_AS_400
name 199.100.1.50 Track-IT
name 10.75.5.0 ArabellaVL5
name 10.75.27.0 ArabellaVL27
name 10.75.7.0 ArabellaVL7
name 10.75.25.0 ArabellaVL25
name 0.0.0.0 ABLlocal
name 199.100.1.0 ITI
name 10.75.100.0 Arabellalocal
name 84.9.60.140 Vahid-PC
name 199.100.1.61 MOFO2
name 199.100.1.174 server1
object-group network StaticIPs
network-object VahidsPC 255.255.255.255
network-object BhaveshsPC 255.255.255.255
access-list acl_in permit tcp host ITI00-EFE01 host MailSweeper eq smtp
access-list acl_in permit tcp host BhaveshsPC interface outside eq 3389
access-list acl_in permit udp any any eq domain
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq https
access-list acl_in permit tcp host AVSrv any eq ftp
access-list acl_in permit tcp host ITI00-EXC01 any eq ftp
access-list acl_in permit tcp any any eq ftp
access-list acl_in permit tcp any any eq 3101
access-list acl_in permit tcp any any eq 3389
access-list acl_in permit tcp any any eq pcanywhere-data
access-list acl_in permit tcp any any eq 5632
access-list acl_in permit icmp host BhaveshsPC any
access-list acl_in permit icmp host VahidsPC any
access-list acl_in permit tcp any any eq 8080
access-list acl_in permit tcp any any eq 1433
access-list acl_in permit tcp any any eq 3666
access-list acl_in permit ip host server1 10.100.100.0 255.255.255.0
access-list acl_in deny ip any any
access-list acl_out permit tcp any host 213.86.97.44 eq https
access-list acl_out permit tcp any host 213.86.97.45 eq smtp
access-list acl_out permit ip 10.100.100.0 255.255.255.0 any
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any parameter-problem
access-list acl_out deny ip any any
access-list acl_dmz permit tcp host MailSweeper any eq smtp
access-list acl_dmz permit tcp host OWAInside any eq https
access-list acl_dmz permit tcp host OWAServer any eq https
access-list acl_dmz permit tcp host MailSweeper host ITI00-EFE01 eq smtp
access-list acl_dmz permit tcp host OWAInside host ITI00-EXC01 eq www
access-list acl_dmz permit udp host OWAServer any eq domain
access-list acl_dmz permit udp host OWAInside any eq domain
access-list acl_dmz permit tcp host MailSweeper any eq ftp
access-list acl_dmz permit tcp host MailSweeper any eq https
access-list acl_dmz permit udp host MailSweeper any eq domain
access-list acl_dmz permit udp any any eq domain
access-list acl_dmz permit tcp host OWAServer any eq www
access-list acl_dmz permit tcp host MailSweeper any eq www
access-list acl_dmz permit tcp host OWAInside any eq www
access-list acl_dmz deny ip any any
access-list 102 permit ip any 10.100.100.0 255.255.255.0
access-list 102 permit ip ITI 255.255.255.0 192.168.220.0 255.255.255.224
access-list ABLlocal_access_in permit tcp any any eq www
access-list ABLlocal_access_in permit tcp any any eq https
access-list ABLlocal_access_in permit udp any any
access-list ABLlocal_access_in permit tcp any any eq 8080
access-list ABLlocal_access_in permit tcp any any eq ftp
access-list ABLlocal_access_in permit tcp any any eq ftp-data
access-list ABLlocal_access_in permit icmp any any echo-reply
access-list ABLlocal_access_in permit icmp any any traceroute
access-list ABLlocal_access_in deny ip any any
access-list ITIVPN_splitTunnelAcl permit ip ITI 255.255.255.0 any
access-list ITIVPN_splitTunnelAcl permit ip 10.100.100.0 255.255.255.0 any
pager lines 24
logging on
logging timestamp
logging buffered warnings
logging trap critical
logging host inside BhaveshsPC
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu intf3 1500
mtu intf4 1500
mtu ABLlocal 1500
ip address outside 213.86.97.41 255.255.255.248
ip address inside 199.100.1.252 255.255.255.0
ip address DMZ 192.168.154.254 255.255.255.0
no ip address intf3
no ip address intf4
ip address ABLlocal 10.75.100.252 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 10.100.100.1-10.100.100.254
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside 199.100.1.253
failover ip address DMZ 192.168.154.253
no failover ip address intf3
no failover ip address intf4
no failover ip address ABLlocal
pdm location ITI00-EFE01 255.255.255.255 inside
pdm location ITI00-EXC01 255.255.255.255 inside
pdm location BhaveshsPC 255.255.255.255 inside
pdm location OWAInside 255.255.255.255 DMZ
pdm location OWAServer 255.255.255.255 DMZ
pdm location MailSweeper 255.255.255.255 DMZ
pdm location VahidsPC 255.255.255.255 inside
pdm location Vahid-Home 255.255.255.255 outside
pdm location AVSrv 255.255.255.255 inside
pdm location 10.100.100.0 255.255.255.0 outside
pdm location ITI_AS_400 255.255.255.255 inside
pdm location Track-IT 255.255.255.255 inside
pdm location OWAInside 255.255.255.255 outside
pdm location MailSweeper 255.255.255.255 outside
pdm location ArabellaVL5 255.255.255.0 inside
pdm location ArabellaVL7 255.255.255.0 inside
pdm location ArabellaVL25 255.255.255.0 inside
pdm location ArabellaVL27 255.255.255.0 inside
pdm location Vahid-PC 255.255.255.255 outside
pdm location MOFO2 255.255.255.255 inside
pdm location server1 255.255.255.255 inside
pdm group StaticIPs inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 ABLlocal 0.0.0.0 0 0
nat (DMZ) 1 ABLlocal 0.0.0.0 0 0
nat (ABLlocal) 1 ABLlocal 0.0.0.0 0 0
static (DMZ,outside) OWAServer netmask 255.255.255.255 0 0
static (DMZ,outside) MailSweeper netmask 255.255.255.255 0 0
static (inside,DMZ) ITI00-EFE01 ITI00-EFE01 netmask 255.255.255.255 0 0
static (inside,DMZ) AVSrv AVSrv netmask 255.255.255.255 0 0
static (inside,DMZ) BhaveshsPC BhaveshsPC netmask 255.255.255.255 0 0
static (inside,DMZ) ITI00-EXC01 ITI00-EXC01 netmask 255.255.255.255 0 0
static (inside,DMZ) ITI_AS_400 ITI_AS_400 netmask 255.255.255.255 0 0
static (inside,outside) ITI_AS_400 ITI_AS_400 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface DMZ
access-group ABLlocal_access_in in interface ABLlocal
route outside ABLlocal ABLlocal 213.86.97.46 1
route inside ArabellaVL5 255.255.255.0 199.100.1.240 1
route inside ArabellaVL7 255.255.255.0 199.100.1.240 1
route inside ArabellaVL25 255.255.255.0 199.100.1.240 1
route inside ArabellaVL27 255.255.255.0 199.100.1.240 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http BhaveshsPC 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community china3com
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ABITI esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map AB2 10 set transform-set ABITI
crypto map AB1 10 ipsec-isakmp dynamic AB2
crypto map AB1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ITIVPN address-pool vpnpool1
vpngroup ITIVPN dns-server 199.100.1.31 199.100.1.33
vpngroup ITIVPN default-domain iti.arabbank.plc
vpngroup ITIVPN split-tunnel ITIVPN_splitTunnelAcl
vpngroup ITIVPN split-dns iti.arabbank.plc arabbank.plc
vpngroup ITIVPN idle-time 1800
vpngroup ITIVPN password ********
telnet BhaveshsPC 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username syrus password encrypted privilege 15
username ITIVPN password encrypted privilege 15
terminal width 80
Cryptochecksum:
: end


 
patelbg2003,

I don't see anything obviously wrong in your config.

There is a quick suggestion I wanted to make. I see that you end all your ACLs with a deny all. The only benefit that this gives you is that when you do a "show access-list" the number of times an ACL has dropped traffic will show. If you want to see that, then ignore this message. Otherwise, I suggest that you remove those statements and rely on the implicit deny all inherent to all Cisco devices.

The reason you don't want to have an explicit deny all is that if you add a statement to the ACL and forget to use line numbers to place it in the correct line, you will place that ACL line BELOW the deny all, rendering that line useless.

Just a friendly FYI.
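The following lint script is an added example for this thread; it is not code from the original post, from the reply, or from Cisco. It covers both points raised above: it reads the split-tunnel-related lines of a PIX 6.x config (the `POSTED_CONFIG` string is an excerpt copied from the config in the original post; `BROKEN_CONFIG` is a constructed, hypothetical counter-example) and checks that the split-tunnel ACL only lists protected networks as its source (a `permit ip any ...` entry pushes a 0.0.0.0/0 secured route, which is a full tunnel, not a split one), that every protected network has a `nat 0` exemption towards the client address pool, and that the pool does not overlap an interface subnet. It also flags ACL entries that sit below an explicit `deny ip any any`, which is the shadowing problem the reply describes. Only the statement forms that appear in the posted config are parsed; the name resolution and the checks are this script's own assumptions about how to lint such a config, not a Cisco tool.

```python
"""Lint a PIX 6.x config excerpt for split-tunnel and ACL-ordering mistakes (added example)."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Excerpt copied from the config in the original post (split-tunnel-relevant lines only).
POSTED_CONFIG = """\
name 199.100.1.0 ITI
ip address inside 199.100.1.252 255.255.255.0
ip address DMZ 192.168.154.254 255.255.255.0
ip address ABLlocal 10.75.100.252 255.255.255.0
access-list 102 permit ip any 10.100.100.0 255.255.255.0
access-list 102 permit ip ITI 255.255.255.0 192.168.220.0 255.255.255.224
access-list ITIVPN_splitTunnelAcl permit ip ITI 255.255.255.0 any
access-list ITIVPN_splitTunnelAcl permit ip 10.100.100.0 255.255.255.0 any
ip local pool vpnpool1 10.100.100.1-10.100.100.254
nat (inside) 0 access-list 102
vpngroup ITIVPN address-pool vpnpool1
vpngroup ITIVPN split-tunnel ITIVPN_splitTunnelAcl
"""

# Constructed counter-example (hypothetical, not from the thread): a full-tunnel entry,
# a pool that the nat 0 ACL does not exempt, and a permit placed below an explicit deny.
BROKEN_CONFIG = """\
ip address inside 199.100.1.252 255.255.255.0
access-list 102 permit ip any 10.100.100.0 255.255.255.0
access-list split permit ip any any
access-list split permit ip 199.100.1.0 255.255.255.0 any
access-list acl_in deny ip any any
access-list acl_in permit tcp any any eq 3389
ip local pool vpnpool2 10.100.200.1-10.100.200.254
nat (inside) 0 access-list 102
vpngroup ITIVPN address-pool vpnpool2
vpngroup ITIVPN split-tunnel split
"""


def _addr(tok, names):
    """Consume one ACL address spec (any | host X | net mask | interface X), resolving 'name' aliases."""
    if not tok:
        return None, []
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(names.get(tok[1], tok[1]) + "/32"), tok[2:]
    if tok[0] == "interface":
        return None, tok[2:]
    return ipaddress.ip_network(f"{names.get(tok[0], tok[0])}/{tok[1]}", strict=False), tok[2:]


def parse_pix(text):
    """Collect names, interface subnets, ACL entries, address pools, nat 0 bindings and vpngroups."""
    cfg = {"names": {}, "ifaces": {}, "acls": {}, "pools": {}, "nat0": {}, "vpngroups": {}}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "name" and len(tok) == 3:
            cfg["names"][tok[2]] = tok[1]
        elif tok[:2] == ["ip", "address"] and len(tok) == 5:
            cfg["ifaces"][tok[2]] = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
        elif tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            src, rest = _addr(tok[4:], cfg["names"])
            dst, _ = _addr(rest, cfg["names"])
            cfg["acls"].setdefault(tok[1], []).append(
                {"action": tok[2], "proto": tok[3], "src": src, "dst": dst, "raw": " ".join(tok)})
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif tok[0] == "nat" and tok[2] == "0" and tok[3] == "access-list":
            cfg["nat0"][tok[1].strip("()")] = tok[4]
        elif tok[0] == "vpngroup":
            cfg["vpngroups"].setdefault(tok[1], {})[tok[2]] = " ".join(tok[3:])
    return cfg


def covering_network(lo, hi):
    """Smallest prefix that contains the whole 'ip local pool' range (widen a /32 until hi fits)."""
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()
    return net


def split_tunnel_networks(cfg, group):
    """Networks the client will send through the tunnel: the source side of each permit entry."""
    acl = cfg["vpngroups"].get(group, {}).get("split-tunnel")
    return [str(e["src"]) for e in cfg["acls"].get(acl, []) if e["action"] == "permit"]


def check_split_tunnel(cfg, group, inside="inside"):
    """Return a list of human-readable findings; an empty list means the split tunnel looks consistent."""
    findings, vg = [], cfg["vpngroups"].get(group, {})
    acl = vg.get("split-tunnel")
    if acl not in cfg["acls"]:
        return [f"{group}: no split-tunnel ACL bound, so the client tunnels all traffic"]
    pool = covering_network(*cfg["pools"][vg["address-pool"]])
    nat0 = cfg["acls"].get(cfg["nat0"].get(inside, ""), [])
    for e in cfg["acls"][acl]:
        if e["action"] != "permit" or e["src"] is None:
            continue
        if e["src"] == ANY:  # 0.0.0.0/0 is pushed as the secured route: everything is tunnelled
            findings.append(f"{acl}: '{e['raw']}' tunnels everything (full tunnel, not split)")
            continue
        exempt = any(n["action"] == "permit" and n["src"] is not None and n["dst"] is not None
                     and e["src"].subnet_of(n["src"]) and pool.subnet_of(n["dst"]) for n in nat0)
        if not exempt:
            findings.append(f"{e['src']}: no nat 0 exemption to pool {pool}; replies to clients would be NATed")
    for name, net in cfg["ifaces"].items():
        if pool.overlaps(net):
            findings.append(f"pool {pool} overlaps interface {name} ({net})")
    return findings


def shadowed_entries(cfg, acl):
    """Entries below an explicit 'deny ip any any'; they can never match (the reply's point)."""
    dead, blocked = [], False
    for e in cfg["acls"].get(acl, []):
        if blocked:
            dead.append(e["raw"])
        elif e["action"] == "deny" and e["proto"] == "ip" and e["src"] == ANY and e["dst"] == ANY:
            blocked = True
    return dead


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("broken", BROKEN_CONFIG)):
        cfg = parse_pix(text)
        print(label, "tunnelled:", split_tunnel_networks(cfg, "ITIVPN"))
        print(label, "findings:", check_split_tunnel(cfg, "ITIVPN") or "none")
        print(label, "shadowed acl_in:", shadowed_entries(cfg, "acl_in") or "none")
```

Run against the excerpt from the post, the script reports no findings and lists 199.100.1.0/24 and 10.100.100.0/24 as the networks the client will tunnel, which is what the split-tunnel ACL and the nat 0 ACL in the posted config express; it does not exercise the IPsec side (transform set, ISAKMP policy, group password), so a clean result here only rules out the ACL and NAT-exemption class of mistakes.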
 