A Step Beyond Split-Tunneling between VPN Client and PIX

jeff.christensen · ‎06-03-2003

I am using the VPN Client 3.6.4A to connect to a PIX running 6.2(2). I have split-tunneling enabled in my 'vpngroup' settings on the PIX to restrict access on the VPN client to only a small subnet of my internal network instead of allowing access to the entire internal network. But then by doing this, I am allowing the client to connect to other sites on the Internet at the same time as they are connected to my internal network (split-tunneling).

Is there a way in this senario to allow access to only a certain subnet of my internal network via the VPN client and not allow access to the Internet (split-tunneling) at the same time?

Thanks,

Jeff

gfullage · ‎06-05-2003

Yeah, just define the traffic in your nat 0 ACL. The nat 0 ACL defines the traffic that won't be NAT'd on the return path, you'll probably just have "permit all IP from your internal network to your VPN pool of addresses". A good way to filter out what people can get to is to make this ACL more restrictive. If a user tries to go to something that isn't in the nat 0 ACL, they'll be able to send a packet to whatever host it is, but the return packet will be NAT'd and then not match the crypto ACL and the return packet will be dropped.

So, turn off split tunnelling and let's say you only want users to get to 10.1.1.1 and 10.1.1.2 on your internal network, you would do:

> access-list nonat permit ip host 10.1.1.1 192.168.1.0 255.255.255.0

> access-list nonat permit ip host 10.1.1.2 192.168.1.0 255.255.255.0

> nat (inside) 0 access-list nonat

where 192.168.1.0 is your VPN pool of IP addresses. Anything from say, 10.1.1.3 will be NAT'd on its way back to the VPN client, won't be encrypted and therefore dropped.

jeff.christensen · ‎06-06-2003

Excellent! That will work!

Thanks for the response.