06-29-2010 11:31 AM
Hello,
I have production VPN tunnel between Asa 5510 (main office) and Pix 506. It's configured so all of the traffic is encrypted and travels thru the tunnel. That includes Internet traffic from remote users behind Pix. I'd like to to use split tunnel and direct Internet traffic to hit web directly from Pix instead of going thru the tunnel. How can I achieve this in a secure manner? Please see Pix current config below :
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
clock timezone EDT -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
access-list VPN permit ip 192.x.x.x 255.255.255.0 any
access-list LocalNet permit ip any any
pager lines 20
logging on
logging monitor debugging
logging buffered warnings
logging trap warnings
mtu outside 1500
mtu inside 1500
ip address outside 24.x.x.x 255.255.255.0
ip address inside192.x.x.x 255.255.255.0
ip audit name Outside_Attack attack action alarm drop reset
ip audit name Outside_Recon info action alarm drop reset
ip audit interface outside Outside_Recon
ip audit interface outside Outside_Attack
ip audit info action alarm
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2150 disable
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list LocalNet
route outside 0.0.0.0 0.0.0.0 24.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set AMC esp-3des esp-md5-hmac
crypto map UrgentCare 10 ipsec-isakmp
crypto map UrgentCare 10 match address VPN
crypto map UrgentCare 10 set peer x.x.x.x
crypto map UrgentCare 10 set transform-set AMC
crypto map UrgentCare interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
ssh timeout 15
console timeout 0
terminal width 80
Cryptochecksum:9701c306b05151471c437f29695ffdbd
: end
Solved! Go to Solution.
06-29-2010 12:49 PM
I would do something by changing the acl that's applied to your crypto map. You'd want to figure out what networks you want to support over the tunnel and then deny the others.
If you have:
192.168.3.0/24
192.168.4.0/24
10.10.10.0/24
172.16.0.0/16
Do something like:
access-list VPN permit ip 192.x.x.x 255.255.255.0 192.168.3.0 255.255.255.0
access-list VPN permit ip 192.x.x.x 255.255.255.0 192.168.4.0 255.255.255.0
access-list VPN permit ip 192.x.x.x 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 192.x.x.x 255.255.255.0 172.16.0.0 255.255.0.0
Then when traffic is destined to something other than these networks, it'll go out unencrypted to the ISP instead of the tunnel.
HTH,
John
06-29-2010 12:49 PM
I would do something by changing the acl that's applied to your crypto map. You'd want to figure out what networks you want to support over the tunnel and then deny the others.
If you have:
192.168.3.0/24
192.168.4.0/24
10.10.10.0/24
172.16.0.0/16
Do something like:
access-list VPN permit ip 192.x.x.x 255.255.255.0 192.168.3.0 255.255.255.0
access-list VPN permit ip 192.x.x.x 255.255.255.0 192.168.4.0 255.255.255.0
access-list VPN permit ip 192.x.x.x 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 192.x.x.x 255.255.255.0 172.16.0.0 255.255.0.0
Then when traffic is destined to something other than these networks, it'll go out unencrypted to the ISP instead of the tunnel.
HTH,
John
08-25-2010 07:15 AM
Thank you John.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide