Split-Tunneling, can it be used to permit traffic to 2+ interfaces???

yeo
Level 1

I have a PIX 515 with 4 interfaces and I have to allow access to SQL servers on one interface and web servers on another interface to my developers from yet a third interface, the outside. Is there a way to use split tunneling to allow this, or some other way? The way I see it I have to create 2 VPNs and they have to switch back and forth between the VPNs to switch to the different interfaces. Just want to know which way I can go?

Thanks ahead of time.

4 Replies

afakhan
Level 4

Hi,

What I understand is that you will need to configure nat (inside) 0 and nat (dmz) 0, commands on your pix so that developers can access it from the other side of the tunnel.

Assuming that you have one server on inside, and the others in DMZ.

Thx

Afaq

Hello,

I have made the adjustment you suggested along with adding a new access-list. I noted this in the config below. I am unsure if I have a complete setup. I inherited the setup from a contractor and am trying to augment the system to accommodate my developers. The system works great letting my remote staff connect in to the inside, but now I need to get access to the 2 interfaces. I figured if I could get the current setup to work I would revert it back to the old setup and create a new VPN for my developers that allowed them access to both inside and dmz. Here is what I have so far. Let me know if you see anything glaring that I have omitted.

access-list 110 permit ip 65.167.124.128 255.255.255.128 192.168.110.0 255.255.255.0
access-list 100 permit ip 65.167.124.128 255.255.255.128 192.168.110.0 255.255.255.0
access-list 120 permit ip 65.167.124.64 255.255.255.224 192.168.110.0 255.255.255.0 (Added after last post)
nat (inside) 0 access-list 100
nat (dmz) 0 access-list 120 (added after last post)
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 dns-server adc001
vpngroup vpn3000 default-domain yeo.org
vpngroup vpn3000 split-tunnel 110
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password **********

gfullage
Cisco Employee

Close, you just have to add the DMZ network to the split-tunnel list so that the client will encrypt traffic for that network. Add:

access-list 110 permit ip 65.167.124.64 255.255.255.224 192.168.110.0 255.255.255.0

and you should be up and running.

Note that you don't have to do split tunneling for this to work. You could remove ACL 110 altogether along with the "vpngroup vpn3000 split-tunnel 110" line; all traffic will then be tunnelled, which is less of a security risk, and your clients would still have access to the inside and dmz subnets by virtue of the "nat 0" commands.
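The mismatch gfullage spotted (a network exposed through "nat (dmz) 0" that the split-tunnel ACL never lists) is easy to check mechanically before a client ever connects. The script below is an added example, not code from this thread or from Cisco: it parses the PIX 6.x "access-list ... permit ip A MASK B MASK", "nat (ifc) 0 access-list N" and "vpngroup G split-tunnel N" lines as posted above and reports every nat-0 network that the split-tunnel ACL does not cover. The sample config is constructed from the thread's lines; the function names (parse_config, audit_split_tunnel) and the FIX_LINE constant are mine, and only "permit ip" entries with dotted masks are modelled.

```python
"""Audit a PIX 6.x-style config: does each vpngroup's split-tunnel ACL cover
every network exposed to VPN clients by 'nat (ifc) 0 access-list N'?"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the config posted in this thread: ACL 120 is
# referenced by 'nat (dmz) 0' but its DMZ network is absent from split-tunnel
# ACL 110, so clients would send DMZ traffic in the clear instead of down the tunnel.
SAMPLE_CONFIG = """\
access-list 110 permit ip 65.167.124.128 255.255.255.128 192.168.110.0 255.255.255.0
access-list 100 permit ip 65.167.124.128 255.255.255.128 192.168.110.0 255.255.255.0
access-list 120 permit ip 65.167.124.64 255.255.255.224 192.168.110.0 255.255.255.0
nat (inside) 0 access-list 100
nat (dmz) 0 access-list 120
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 split-tunnel 110
"""

# The line gfullage suggested adding (hypothetical constant name, real thread content).
FIX_LINE = ("access-list 110 permit ip 65.167.124.64 255.255.255.224 "
            "192.168.110.0 255.255.255.0\n")

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")
SPLIT_RE = re.compile(r"^vpngroup\s+(\S+)\s+split-tunnel\s+(\S+)\s*$")


def parse_config(text):
    """Return (acls, nat0, split): acls maps ACL name -> list of
    (src_network, dst_network); nat0 maps interface -> ACL name; split maps
    vpngroup -> split-tunnel ACL name. Unrecognised lines are ignored."""
    acls = defaultdict(list)
    nat0, split = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            # ipaddress accepts dotted netmasks; strict=False tolerates host bits.
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}", strict=False),
                               ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := SPLIT_RE.match(line):
            split[m.group(1)] = m.group(2)
    return acls, nat0, split


def covered(network, split_entries):
    """True when some split-tunnel entry's source (PIX-side) network contains
    'network'; that is what makes the client encrypt traffic for it."""
    return any(network.subnet_of(src) for src, _ in split_entries)


def audit_split_tunnel(text):
    """For every vpngroup that has a split-tunnel ACL, list the nat-0 networks
    that ACL fails to cover, as 'interface:network' strings. Groups without a
    split-tunnel line tunnel everything and are not reported."""
    acls, nat0, split = parse_config(text)
    findings = {}
    for group, acl_name in split.items():
        split_entries = acls.get(acl_name, [])
        missing = [f"{ifc}:{src}"
                   for ifc, nat_acl in nat0.items()
                   for src, _ in acls.get(nat_acl, [])
                   if not covered(src, split_entries)]
        findings[group] = sorted(missing)
    return findings


if __name__ == "__main__":
    print("as posted:", audit_split_tunnel(SAMPLE_CONFIG))
    print("with fix: ", audit_split_tunnel(SAMPLE_CONFIG + FIX_LINE))
```

Run against the posted config it reports the DMZ network under vpn3000; with gfullage's extra access-list entry appended the list is empty. A config with no split-tunnel line at all yields no findings, which matches the note above: when everything is tunnelled there is nothing for the split list to miss.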

Perfect. Works like a charm. Thanks for the help.