Split Tunneling Doesn't work!

wraights
Level 1

Hello!

I have a PIX 515 with 6.1(1) on it.

When I load the newest client on my PC @ home, I cannot surf the web at the same time as being connected through the VPN. I have a cable modem.

I figured it had something to do with split tunneling.

vpngroup cottageworker address-pool clientpool
vpngroup cottageworker idle-time 28800
vpngroup cottageworker split-tunnel 105

here is what the access-list looks like:

access-list 105 permit tcp any any
access-list 105 permit icmp any any
access-list 105 permit udp any any
access-list 105 permit 80 any any
access-list 105 permit ip any any

SHOULDN'T IT WORK? I know that access-list is a little open but I wanted to at least get something going...

Notice also:

nat (inside) 0 access-list 105

I appreciate your help! What is wrong with what I have done? I still can't surf and VPN to my company.


srittenberg
Level 1

Your firewall is wide open with this config. The defined interesting traffic is too much. I assume you have the vpngroup cottageworker password xxxx statement set up on your config? I do not see anything wrong with the config other than there is too much interesting traffic and your firewall is not secure (of course, this is based on if you have the correct isakmp policy and crypto map, and the routing set up correctly).

I agree. Right now everything is defined as interesting so the VPN client will encrypt all traffic. If you are more specific the client will be able to identify what NOT to encrypt.

Hi, I put a config like this on a PIX 520 and it works good. Not as good as a 3005 does though....

access-list nonat permit ip 10.0.0.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list split permit ip 10.0.0.0 255.255.255.0 172.16.254.0 255.255.255.0
!
nat (inside) 0 access-list nonat
!
ip local pool vpn_pool 172.16.254.5-172.16.254.100
!
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set config esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set config
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap interface outside
!
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpn_pool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 7200
!
vpngroup config address-pool vpn_pool
vpngroup config dns-server 10.0.0.1
vpngroup config wins-server 10.0.0.2
vpngroup config default-domain domain.com
vpngroup config split-tunnel split
vpngroup config idle-time 86400
vpngroup config password ********

Hope this helps.

Interesting traffic, in this case, is the information that is shot to your VPN client from the split-tunnel config in the vpngroup. In your first post, you're telling the client to encrypt ALL IP (TCP, UDP). Now when you try to surf the web, your web traffic gets encrypted and goes through the VPN tunnel to the PIX. Packets coming in one interface on a PIX cannot turn around and go out the same, so your web traffic is dropped. Now, let's say your inside network is 192.168.1.0, and your VPN address pool is 172.16.1.0. You would set up your split-tunnel access to say, anything that is heading from 172.16.1.0, going to 192.168.1.0, encrypt that traffic and send it across the VPN tunnel. Now when you jump on the web and go to yahoo.com, your machine does a DNS lookup and finds that the IP address of that web site is 10.10.10.10; the client looks at that IP and says, I am not going to encrypt that traffic because it's not in the 192.168.1.0 subnet. It then sends that traffic out your machine's default gateway unencrypted and not through the VPN tunnel.

Hope that helps...
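An added Python model of the client-side decision the reply above describes (example code written for this page, not from the thread or from Cisco): it takes the source networks of a split-tunnel ACL as the list of protected networks the PIX pushes to the client, then reports whether a destination is encrypted into the tunnel or sent out the default gateway. The sample ACL lines, the 192.168.1.0 inside network and the 10.10.10.10 web address are constructed from the thread's own values.

```python
import ipaddress


def parse_split_acl(lines):
    """Return the protected networks named by PIX 'access-list ... permit' lines.

    Assumption (matches the vpngroup split-tunnel usage in this thread): the
    *source* side of each entry is the inside network to be tunneled, written
    as address + netmask, 'host <ip>' or 'any'; the destination side is ignored.
    """
    networks = []
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] != "permit":
            continue  # not a permit entry (e.g. a comment or a deny line)
        src = tok[4:]  # tok[3] is the protocol keyword or number (ip, tcp, 80, ...)
        if src[0] == "any":
            networks.append(ipaddress.ip_network("0.0.0.0/0"))
        elif src[0] == "host":
            networks.append(ipaddress.ip_network(src[1] + "/32"))
        else:  # PIX ACLs use a normal netmask, e.g. 10.0.0.0 255.255.255.0
            networks.append(ipaddress.ip_network(f"{src[0]}/{src[1]}", strict=False))
    return networks


def client_path(dst_ip, protected):
    """'tunnel' if the client would encrypt traffic to dst_ip, else 'default-gateway'."""
    ip = ipaddress.ip_address(dst_ip)
    return "tunnel" if any(ip in net for net in protected) else "default-gateway"


# Constructed samples: the poster's wide-open ACL 105 versus a specific split ACL.
OPEN_ACL = [
    "access-list 105 permit tcp any any",
    "access-list 105 permit ip any any",
]
SPECIFIC_ACL = [
    "access-list split permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0",
]


def demo():
    """Compare where a web destination and a corporate destination end up under each ACL."""
    open_nets = parse_split_acl(OPEN_ACL)
    spec_nets = parse_split_acl(SPECIFIC_ACL)
    return {
        "open/web": client_path("10.10.10.10", open_nets),        # everything tunneled
        "specific/web": client_path("10.10.10.10", spec_nets),    # web bypasses the VPN
        "specific/corp": client_path("192.168.1.20", spec_nets),  # corporate still tunneled
    }


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name}: {path}")
```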

wraights
Level 1

Ummm...I think I don't understand what you all mean by "interesting traffic". Are you saying that I am telling the PIX to look at basically everything? So how do I get it not to look at everything?

How do I still surf and have my VPN connection up? Sorry...I think I am still lost!

I appreciate all of your help!