Split Tunneling

Status
Not open for further replies.

1999jd

MIS
Aug 4, 2008
4
Working on adding a VPN to a PIX firewall and currently vpn users are only able to reach inside network places. After reviewing, it appears I need to implement split tunneling, although I do not know too much about it.

Can someone let me know if these code snippets are right to get this working using vpn client and if you can help me understand their definitions and how it works:


access-list split_tunnel_acl permit ip 192.168.122.0 255.255.255.0 192.168.123.0 255.255.255.0
vpngroup VPNGROUP split-tunnel split_tunnel_acl

Thanks in advance,

JBR
 
Example with explanations:

1. Define the Phase 1 parameters. This only needs to be set up once for multiple connections.
Example:
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# isakmp identity auto

“isakmp enable outside” is only required if there is a “no isakmp enable outside” command.



2. Define the IP pool. This is the range of IP addresses that will be assigned to clients. On their client pc, a second Network Adapter will be defined using the first available ip address in this range. This will be the source address for all traffic going through the tunnel.

Example:
hostname(config)# ip local pool testpool 172.30.4.0 mask 255.255.0.0

3. Define the “interesting traffic” for the client vpn split tunnel. This is not required if split tunneling will not be used. This will be the routing table that the user will receive that defines what will go through the VPN and what will be allowed over the internet in clear text. Port filtering should not be defined in this acl and should include the IP pool as the source and the specific hosts or networks that should be sent to the VPN as the destination.


Example:
access-list VPN-Split permit ip 172.30.4.0 255.255.0.0 host 172.30.5.15
access-list VPN-Split permit ip 172.30.4.0 255.255.0.0 host 172.30.5.32
etc…


4. Filtering VPN traffic. This is only needed if clients will not be allowed full access to resources.

You first need to create the access-list that the user will be restricted to.

access-list VPNRestrictedGroup01 permit tcp 172.30.4.0 255.255.0.0 host 172.30.5.15 eq 1433
access-list VPNRestrictedGroup01 permit tcp 172.30.4.0 255.255.0.0 host 172.30.5.32 eq 80


5. Then you need to create the group-policy and apply the access-list as the value for the vpn-filter and split tunnel.

group-policy RestrictedGroup01 internal
group-policy RestrictedGroup01 attributes
vpn-filter value VPNRestrictedGroup01
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-Split
exit

The group policy for this tunnel allows you to define other attributes of the tunnel including the idle timeout (vpn-idle-timeout), pfs, dns-server, and much more.

6. Then you need to create the tunnel-group, add its address-pool, define the preshare key, authentication, and set its default group-policy.

tunnel-group RestrictedGroupTunnel01 type ipsec-ra
tunnel-group RestrictedGroupTunnel01 general-attributes
address-pool clientvpnpool
authorization-server-group LOCAL
default-group-policy RestrictedGroup01
exit
tunnel-group RestrictedGroupTunnel01 ipsec-attributes
pre-shared-key hy2347neoxmeh8lk
exit


7. If using local authentication, you then need to create the username(s) and add the group-policy-name to group-lock & vpn-group-policy in the user’s attributes.

username jdoe password abc123
username jdoe attributes
group-lock value RestrictedGroup01
vpn-group-policy RestrictedGroup01


8. Define crypto map. If this firewall has preexisting VPNs (client to site or site-site), use the crypto map already defined, but add the Client VPN settings to the end of the map by using a high line number. The dynamic crypto map allows the firewall to accept connections from unknown IPs.

crypto ipsec transform-set ra-set esp-aes esp-sha-hmac
crypto dynamic-map clientmap 10 set transform-set ra-set
crypto map external-map 98 ipsec-isakmp dynamic clientmap






IT Security news and information
In plain English
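
The split-tunnel list from step 3 and the vpn-filter ACL from step 4 can be cross-checked offline before they are applied. The following Python is an added example, not part of the original post: it parses ACL lines in the format shown above and reports vpn-filter destinations that the split list never sends into the tunnel. It assumes the answer's convention that the destination field of the split ACL names what is tunneled; the function names and the extra 172.30.6.9 entry are constructed for illustration.

```python
import ipaddress

# Constructed sample modelled on the ACLs in the answer above; the last
# line is an invented extra entry so the check has something to report.
CONFIG = """\
access-list VPN-Split permit ip 172.30.4.0 255.255.0.0 host 172.30.5.15
access-list VPN-Split permit ip 172.30.4.0 255.255.0.0 host 172.30.5.32
access-list VPNRestrictedGroup01 permit tcp 172.30.4.0 255.255.0.0 host 172.30.5.15 eq 1433
access-list VPNRestrictedGroup01 permit tcp 172.30.4.0 255.255.0.0 host 172.30.5.32 eq 80
access-list VPNRestrictedGroup01 permit tcp 172.30.4.0 255.255.0.0 host 172.30.6.9 eq 22
"""

def _take_addr(tok):
    """Consume 'host A', 'any' or 'A MASK'; return (network, remaining tokens)."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    # strict=False: "172.30.4.0 255.255.0.0" has host bits set under a /16 mask
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_acls(text):
    """Return {acl_name: [(proto, src_net, dst_net), ...]} for permit entries."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "permit":
            continue
        src, rest = _take_addr(t[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(t[1], []).append((t[3], src, dst))
    return acls

def is_tunneled(acls, split_acl, dest_ip):
    """Client routing decision under the answer's convention (assumption):
    the destination field of the split ACL lists what enters the tunnel."""
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in dst for _, _, dst in acls.get(split_acl, []))

def filtered_but_not_tunneled(acls, filter_acl, split_acl):
    """vpn-filter destinations that no split-tunnel entry routes into the VPN."""
    split = [dst for _, _, dst in acls.get(split_acl, [])]
    return sorted({str(d) for _, _, d in acls.get(filter_acl, [])
                   if not any(d.subnet_of(s) for s in split)})

if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    print(is_tunneled(acls, "VPN-Split", "172.30.5.15"))   # through the VPN
    print(is_tunneled(acls, "VPN-Split", "8.8.8.8"))       # direct to the internet
    print(filtered_but_not_tunneled(acls, "VPNRestrictedGroup01", "VPN-Split"))
```

A non-empty result means the filter permits a host the client will never route through the tunnel, so either the split list or the filter needs adjusting.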
 