08-09-2007 12:46 AM - edited 02-21-2020 01:38 AM
Morning all, I was wondering if somebody could help me with the split-tunnel command. I am trying to allow my VPN users internet access from their own PCs while connected to the VPN. I have added the split-tunnel command in the VPN config but am not sure what to add in the access list. Any help would be much appreciated; here is my config:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100full
interface ethernet1 100full
ip address outside 217.34.xxx.xxx 255.255.255.240
ip address inside 10.1.1.1 255.0.0.0
route outside 0.0.0.0 0.0.0.0 217.34.xxx.xxx 1
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
global (outside) 1 interface
static (inside,outside) tcp 217.34.xxx.xxx 21685 10.1.2.150 21685
static (inside,outside) tcp 217.34.xxx.xxx ftp 10.1.2.150 ftp
static (inside,outside) tcp 217.34.xxx.xxx http 10.1.1.3 http
static (inside,outside) tcp 217.34.xxx.xxx https 10.1.1.3 https
access-list 101 permit tcp any host 217.34.xxx.xxx eq ftp
access-list 101 permit tcp any host 217.34.xxx.xxx eq http
access-list 101 permit tcp any host 217.34.xxx.xxx eq https
access-list 101 permit icmp any host 217.34.xxx.xxx echo-reply
access-list 101 permit icmp any host 217.34.xxx.xxx time-exceeded
access-list 101 permit icmp any host 217.34.xxx.xxx unreachable
access-group 101 in interface outside
no fixup protocol ftp 21
no fixup protocol dns
!--- Enable logging
logging on
logging trap 4
logging host 10.1.1.3
telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.50.0 255.255.255.0 inside
http server enable
http 10.0.0.0 255.0.0.0 inside
pdm history enable
!--- SSH for use with Putty
aaa authentication ssh console LOCAL
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
!--- Firewall details and passwords
hostname FIREWALL
domain-name C2.local
en pass *************
pass *************
ip local pool VPN_Pool 192.168.50.1-192.168.50.254
access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 101
!--- For Cisco VPN Client
sysopt connection permit-ipsec
crypto ipsec transform-set VPN_Trans esp-aes-256 esp-md5-hmac
crypto dynamic-map VPN_Dyn 10 set transform-set VPN_Trans
crypto map VPN_Crypto 10 ipsec-isakmp dynamic VPN_Dyn
crypto map VPN_Crypto interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup C2_VPNGROUP address-pool VPN_Pool
vpngroup C2_VPNGROUP wins-server 10.1.1.3
vpngroup C2_VPNGROUP dns-server 10.1.1.3
vpngroup C2_VPNGROUP default-domain c2.local
vpngroup C2_VPNGROUP split-tunnel 101
vpngroup C2_VPNGROUP idle-time 1800
vpngroup C2_VPNGROUP password *************
isakmp nat-traversal 20
08-10-2007 01:02 AM
Fixed my own problem: moved the split-tunnel to its own access list and all worked fine.
access-list 102 permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 102
.
.
.
.
vpngroup C2_VPNGROUP split-tunnel 102
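Why the fix above works, as an added example that is not from the original thread: on PIX 6.x the source networks of the split-tunnel ACL are what the client tunnels, so reusing the outside interface ACL (whose entries have source `any`) pushes everything into the tunnel. The small Python lint below (assumed helper names `acl_bindings`, `acl_sources`, `lint_split_tunnel`; sample config lines constructed from the post with a placeholder public address) flags a split-tunnel ACL that is also bound to an interface and lists the source networks it would hand to the client.

```python
import re

# Constructed sample modelled on the original post: ACL 101 is the outside
# interface ACL and is also named as the vpngroup split-tunnel list.
BROKEN_CONFIG = """\
access-list 101 permit tcp any host 217.34.0.1 eq ftp
access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
access-group 101 in interface outside
vpngroup C2_VPNGROUP split-tunnel 101
"""
# Constructed sample of the fix: split-tunnel gets its own ACL 102.
FIXED_CONFIG = """\
access-group 101 in interface outside
access-list 102 permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
vpngroup C2_VPNGROUP split-tunnel 102
"""

def acl_bindings(config):
    """Map each ACL name to the roles it is bound to ('interface', 'split-tunnel')."""
    patterns = [(r"access-group (\S+) in interface", "interface"),
                (r"vpngroup \S+ split-tunnel (\S+)", "split-tunnel")]
    bindings = {}
    for line in config.splitlines():
        for pattern, role in patterns:
            m = re.match(pattern, line)
            if m:
                bindings.setdefault(m.group(1), set()).add(role)
    return bindings

def acl_sources(config, acl):
    """Source networks of an ACL; a split-tunnel ACL pushes these to the client as tunnelled routes."""
    sources = []
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) permit \S+ (.*)", line)
        if m and m.group(1) == acl:
            tok = m.group(2).split()
            if tok[0] == "host":  # 'host X' is a /32 source
                tok = [tok[1], "255.255.255.255"]
            sources.append("any" if tok[0] == "any" else tok[0] + " " + tok[1])
    return sources

def lint_split_tunnel(config):
    """Flag split-tunnel ACLs that double as interface ACLs or would tunnel everything."""
    findings = []
    for acl, roles in acl_bindings(config).items():
        if "split-tunnel" in roles and "interface" in roles:
            findings.append(f"ACL {acl} is also an interface ACL; give split-tunnel a dedicated ACL")
        if "split-tunnel" in roles and "any" in acl_sources(config, acl):
            findings.append(f"ACL {acl} has a source of 'any': the client would tunnel all traffic")
    return findings
```

Run `lint_split_tunnel(BROKEN_CONFIG)` to see both findings for the original layout; the fixed layout returns none and `acl_sources(FIXED_CONFIG, "102")` shows only 10.0.0.0/8 being tunnelled.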