
Is a Split Tunnel needed with PIX to PIX VPN or not?


wholmer (Technical User)
Oct 4, 2002
With a PIX to PIX VPN set up, doesn't the access list "auto" split the tunnel and cause other traffic to follow the default gateway? I have a PIX to PIX VPN in a lab right now and can't check internet traffic going out. I need to ship it out to the remote site and would like to have it set up right before it goes. So does split tunnel need to be configured?
 
Do you have an example for HTTP and FTP traffic?
 
When I say "Yes, it does.", I should have commented that I meant that the access list "auto" splits the traffic, as it defines "Interesting Traffic".

I am not an expert however on site-to-site configurations, so I'll let someone else help you on the config side of this one.

Computer/Network Technician
CCNA
 
Normally, you'd specify the VPN traffic via access-list, such as:

access-list vpn permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0


Then your crypto-map would have something like this:
crypto map myvpn 10 match address vpn

Between them, traffic which originates at 172.16.0.0/16 and is destined to 172.17.0.0/16 will be sent through the VPN. Any other traffic will be handled normally by the Pix.

If your access list was "permit ip any any", then all outbound traffic would go through the VPN. With the Pix this is a problem, because the site would have no internet access unless there's a proxy server or some other way to the internet from the remote side.

The short version: split tunnel is good for site-site VPNs. You activate it by specifying only the interesting traffic in the ACL.

 
Thanks for clearing that up. What do you think of the security issues involved?
 
With site-site, the security implications are minimal. Users are behind their own Pix and should be under your control. Whatever security you have for your main office internet use should be in place for the remote office as well.

The issue with client-site VPN is that end users could download something malicious or be hijacked while they're connected to the VPN.
 
Right now it looks like I have everything going through the VPN to the Main_Office PIX. Of course in the lab the remote setup could not get to the internet anyway.

access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip any any

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0

access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 Outside_Interface 1

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer Main_Office_Outside_IP
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address Main_Office netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

It will be at the remote site tomorrow, so will I only need to change this line?

access-list outside_cryptomap_20 permit ip any any
to
access-list outside_cryptomap_20 permit ip remote_Inside_IPs Main_Office_Inside_IPs
 
That should do it for split tunnel.

One other thing: change your inside_outbound_nat0_acl. Right now there is no NAT occurring, which is only going to work if your remote site uses public IP addresses for its internal hosts. Most places don't, so you probably want to use a global address for them to access the Internet.

global (outside) 1 [interface | ip address]
nat (inside) 1 0 0 0 0
nat (inside) 0 access-list outside_cryptomap_20

This will provide NAT/PAT for traffic which is not going through the tunnel.
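To see why the crypto ACL and the nat 0 ACL have to agree, here is an added example (not from this thread or from Cisco) that applies both ACLs to a flow the way the Pix would: a flow is tunneled if the crypto-map ACL matches it and skips translation if the nat 0 ACL matches it. The two configs and the 192.168.1.0/24 (main office) and 192.168.2.0/24 (remote) subnets are constructed for the example; only the `permit ip` form with real subnet masks or `any` is parsed.

```python
import ipaddress
from typing import Dict, List, Tuple

Rule = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed sample configs: the thread's "before" (permit ip any any) and the
# fix lgarner describes, with made-up 192.168.2.0/24 (remote) and 192.168.1.0/24 (main).
BEFORE_CFG = """\
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip any any
"""
AFTER_CFG = """\
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

def parse_acls(config: str) -> Dict[str, List[Rule]]:
    """Collect 'access-list NAME permit ip SRC MASK DST MASK' lines (or 'any') per ACL name."""
    acls: Dict[str, List[Rule]] = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
            continue
        nets, rest = [], tok[4:]
        while rest and len(nets) < 2:
            if rest[0] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
                rest = rest[1:]
            else:  # PIX ACLs take a real subnet mask, not an IOS wildcard
                nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}"))
                rest = rest[2:]
        acls.setdefault(tok[1], []).append((nets[0], nets[1]))
    return acls

def matches(rules: List[Rule], src: str, dst: str) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in rules)

def classify(config: str, src: str, dst: str) -> Tuple[bool, bool]:
    """Return (goes_through_tunnel, exempt_from_nat) for one flow under this config."""
    acls = parse_acls(config)
    return (matches(acls.get("outside_cryptomap_20", []), src, dst),
            matches(acls.get("inside_outbound_nat0_acl", []), src, dst))

if __name__ == "__main__":
    for cfg_name, cfg in (("before", BEFORE_CFG), ("after", AFTER_CFG)):
        for dst in ("192.168.1.20", "198.51.100.5"):  # main-office host, then an Internet host
            print(cfg_name, dst, classify(cfg, "192.168.2.10", dst))
```

With the "before" config an Internet-bound flow is both pushed into the tunnel and left untranslated, which is exactly the no-Internet-access symptom described above; with the "after" config only remote-to-main traffic is tunneled and NAT-exempt, and everything else falls through to the global/PAT rule.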
 
Thank you lgarner for clearing this up for me.
 