05-30-2002 11:14 AM - edited 03-08-2019 10:48 PM
Hello!
I have a PIX 515 with 6.1(1) on it.
When I load the newest client on my PC @ home, I cannot surf the web at the same time as being connected through the VPN. I have a cable modem.
I figured it had something to do with split tunneling.
vpngroup cottageworker address-pool clientpool
vpngroup cottageworker idle-time 28800
vpngroup cottageworker split-tunnel 105
here is what the access-list looks like:
access-list 105 permit tcp any any
access-list 105 permit icmp any any
access-list 105 permit udp any any
access-list 105 permit 80 any any
access-list 105 permit ip any any
SHOULDN'T IT WORK? I know that access-list is a little open but I wanted to at least get something going...
Notice also:
nat (inside) 0 access-list 105
I appreciate your help! What is wrong with what I have done? I still can't surf and VPN to my company.
05-30-2002 11:30 AM
Your firewall is wide open with this config. The defined interesting traffic is too much. I assume you have the vpngroup cottageworker password xxxx statement set up on your config? I do not see anything wrong with the config other than there is too much interesting traffic and your firewall is not secure (of course, this is based on if you have the correct isakmp policy and crypto map, and the routing set up correctly).
05-30-2002 12:34 PM
I agree. Right now everything is defined as interesting so the VPN client will encrypt all traffic. If you are more specific the client will be able to identify what NOT to encrypt.
05-30-2002 02:04 PM
Hi, I put a config like this on a PIX 520 and it works well. Not as well as a 3005 does though....
access-list nonat permit ip 10.0.0.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list split permit ip 10.0.0.0 255.255.255.0 172.16.254.0 255.255.255.0
!
nat (inside) 0 access-list nonat
!
ip local pool vpn_pool 172.16.254.5-172.16.254.100
!
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set config esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set config
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap interface outside
!
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpn_pool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 7200
!
vpngroup config address-pool vpn_pool
vpngroup config dns-server 10.0.0.1
vpngroup config wins-server 10.0.0.2
vpngroup config default-domain domain.com
vpngroup config split-tunnel split
vpngroup config idle-time 86400
vpngroup config password ********
Hope this helps.
05-31-2002 06:19 AM
Interesting traffic, in this case, is the information that is shot to your VPN client from the split-tunnel config in the vpngroup. In your first post, you're telling the client to encrypt ALL IP (TCP, UDP). Now when you try to surf the web, your web traffic gets encrypted and goes through the VPN tunnel to the PIX. Packets coming in one interface on a PIX cannot turn around and go out the same one, so your web traffic is dropped.

Now, let's say your inside network is 192.168.1.0, and your VPN address pool is 172.16.1.0. You would set up your split-tunnel access list to say: anything that is heading from 172.16.1.0, going to 192.168.1.0, encrypt that traffic and send it across the VPN tunnel.

Now when you jump on the web and go to yahoo.com, your machine does a DNS lookup and finds that the IP address of that web site is 10.10.10.10. The client looks at that IP and says, "I am not going to encrypt that traffic because it's not in the 192.168.1.0 subnet." It then sends that traffic out your machine's default gateway unencrypted and not through the VPN tunnel.
Hope that helps.
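Applying the explanation above to the original poster's PIX 6.1 config, as an added example (not posted by anyone in the thread). The inside network 192.168.1.0/24 and the client pool 172.16.1.0/24 are the assumed values borrowed from the explanation; substitute the real ones. Because the same access-list 105 is referenced by both `nat (inside) 0` and `vpngroup ... split-tunnel`, its any/any entries do two harmful things at once: every inside-originated packet bypasses NAT, and the client is told to tunnel everything. Narrowing that one list fixes both.

```text
! Added example, not from the thread. Assumed values: inside network
! 192.168.1.0/24 and client pool 172.16.1.0/24 (the ones the reply above uses).

! Remove the entries that made every packet "interesting"
no access-list 105 permit tcp any any
no access-list 105 permit icmp any any
no access-list 105 permit udp any any
no access-list 105 permit 80 any any
no access-list 105 permit ip any any

! Only inside <-> pool traffic is exempt from NAT and is pushed to the
! client as the split-tunnel network list
access-list 105 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list 105
vpngroup cottageworker split-tunnel 105
```

After changing a `nat 0` list, run `clear xlate` so stale translations are dropped, then reconnect the VPN client: traffic to 192.168.1.0/24 is encrypted and tunnelled, everything else (web browsing included) leaves the PC's default gateway in the clear. Be aware of the trade-off that comes with split tunnelling: while connected, the home PC is reachable from the Internet and has a path into the corporate network at the same time, so the client machine itself becomes part of the perimeter.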
05-31-2002 03:45 AM
Ummm...I think I don't understand what you all mean by "interesting traffic". Are you saying that I am telling the PIX to look at basically everything? So how do I get it not to look at everything?
How do I still surf and have my VPN connection up? Sorry...I think I am still lost!
I appreciate all of your help!