PIX split tunneling & group policy

By mvhurley

I'm working with a PIX (V7.2 code) that is set up to only do IPSec connections via the internet. I am trying to add the ability to make unencrypted, non-IPSec connections to the internet.

In a previous forum post someone suggested I should do split-tunneling. I looked at some Cisco docs but I am having a hard time grasping the group policy stuff.

Below is my existing IPSec VPN config.

Can someone give me an example of how to do the split-tunneling/group policy configs as it relates to my situation?

Thanks

Michael


interface Ethernet0
 description to the outside
 nameif outside
 security-level 0
 ip address 2.100.211.40 255.255.255.0
 ospf cost 10
!
interface Ethernet1
 description internal office
 nameif internal_net
 security-level 100
 ip address 10.11.28.100 255.255.255.0
 ospf cost 10
!
object-group network CoLo
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.20.0 255.255.255.0
!
access-list outside_20_cryptomap extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
access-list outside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
!
access-list outside_access_in extended permit ip any 2.100.211.40 255.255.255.252 log
access-list outside_access_in extended permit icmp 10.0.10.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit icmp 10.0.20.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit tcp 10.0.20.0 255.255.255.0 10.11.28.0 255.255.255.0 eq smtp log
access-list outside_access_in extended permit tcp object-group CoLo 10.11.28.0 255.255.255.0 eq 1111 log
!
access-list internal_net_access_in extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
!
nat (outside) 0 access-list outside_nat0_outbound
!
route outside 0.0.0.0 0.0.0.0 2.100.211.1 1
!
no sysopt connection permit-vpn
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 6.45.82.108
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 6.45.82.108 type ipsec-l2l
tunnel-group 6.45.82.108 ipsec-attributes
 pre-shared-key *
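Worked example, added to this page and not taken from the original post or from Cisco documentation. Two things are worth separating. The tunnel in the posted config is a site-to-site (ipsec-l2l) tunnel to CoLo; site-to-site crypto maps do not use group-policy split tunneling at all. What lets office hosts reach the plain internet alongside that tunnel is ordinary PAT for everything that does not match the tunnel ACL, plus a wider inside access list. Split tunneling proper is a remote-access (ipsec-ra) feature, so the second half shows what a group policy with `split-tunnel-policy tunnelspecified` looks like if remote clients are added later. Interface names, the CoLo object-group and the transform set are the poster's; every name beginning `example_`, the 10.11.29.0/24 client pool and the 10.11.28.10 DNS server are placeholders chosen for the example. NAT exemption is matched on the interface where the source addresses live, so it is written against internal_net here.

```cisco
! --- Part 1: plain internet access for the office, L2L tunnel unchanged ---
!
! Exempt tunnel-bound traffic from NAT. The sources (10.11.28.0/24) are on
! internal_net, so the exemption is applied to that interface.
access-list internal_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
nat (internal_net) 0 access-list internal_nat0_outbound
!
! PAT everything else from the office behind the outside interface address.
! Only traffic that misses the exemption above is translated, so the CoLo
! flows still enter the crypto map with their real addresses.
nat (internal_net) 1 10.11.28.0 255.255.255.0
global (outside) 1 interface
!
! The posted internal_net_access_in only permits traffic to CoLo, so internet
! traffic is dropped before it is ever translated. Permit the services that
! are actually needed rather than "permit ip ... any"; extend as required.
access-list internal_net_access_in extended permit tcp 10.11.28.0 255.255.255.0 any eq www
access-list internal_net_access_in extended permit tcp 10.11.28.0 255.255.255.0 any eq https
access-list internal_net_access_in extended permit udp 10.11.28.0 255.255.255.0 any eq domain
!
! --- Part 2: split tunneling for remote-access clients (placeholders) ---
!
! Networks the client should send through the tunnel; everything else leaves
! the client directly via its own internet connection.
access-list example_split_tunnel standard permit 10.11.28.0 255.255.255.0
access-list example_split_tunnel standard permit 10.0.10.0 255.255.255.0
access-list example_split_tunnel standard permit 10.0.20.0 255.255.255.0
!
! Placeholder address pool handed to connecting clients.
ip local pool example_vpn_pool 10.11.29.10-10.11.29.50 mask 255.255.255.0
!
! Office-to-client traffic must also be kept out of PAT.
access-list internal_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 10.11.29.0 255.255.255.0
!
group-policy example_ra_policy internal
group-policy example_ra_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value example_split_tunnel
 dns-server value 10.11.28.10
!
tunnel-group example_ra_group type ipsec-ra
tunnel-group example_ra_group general-attributes
 address-pool example_vpn_pool
 default-group-policy example_ra_policy
tunnel-group example_ra_group ipsec-attributes
 pre-shared-key *
!
! Clients connect from unknown addresses, so they terminate on a dynamic map
! appended after the static L2L entry (sequence 20) in the same crypto map.
crypto dynamic-map example_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic example_dyn_map
```

Because the posted config has `no sysopt connection permit-vpn`, decrypted traffic from either tunnel is still evaluated against outside_access_in; remote-client flows from the 10.11.29.0/24 pool into 10.11.28.0/24 would therefore need their own entries in that list, which is also the place to keep them as narrow as the CoLo entries already are. With `tunnelspecified`, the client's non-corporate traffic never transits the PIX, so nothing on the firewall logs or filters it; `tunnelall` is the alternative if that inspection matters more than the bandwidth saving.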
