Split Tunneling is technique, which is used very often in (SSL) VPN scenario’s. The RAP-5WN access points has multiple Ethernet ports to connect different components, like workstations or printers. You can configure the usual user roles and other settings on these Ethernet ports.
You can also configure Split Tunneling per Ethernet port. When using Split Tunneling the connected components received an IP address from the company DHCP server. By using access-control lists you can specify the traffic, which is tunnel through the RAP to the central controller. Traffic, which isn’t tunneled, is NAT’ted to the local network by using the IP address of the RAP on the local network.
The configuration example below shows you how to configure Split Tunneling for an Ethernet port on a RAP-5WN. I don’t show you the provision and creation of a VAP for the remote access points. I assume that the RAP is already provisioned and currently all traffic is tunneled to the central controller.
1. The first step involves the creation of the access-control list to specify the traffic to tunnel and the traffic to bridge locally. The access-list shows that the DHCP services (udp/67 and udp/68) and traffic to the network 10.10.10.0/24 is tunnel to the central controller and all other traffic is locally bridged. This is the most important step when configuring Split Tunneling.
ip access-list session rap-split-tunnel-policy
any network 10.10.10.0 255.255.255.0 any permit
any any svc-dhcp permit
any any any route src-nat
2. Next you need to create a user role and associate the previously create access-list to the user role.
access-list session rap-split-tunnel-policy
3. The user role needs to be tied to a AAA profile.
aaa profile “rap-split-tunnel-aaa_prof”
4. The following step contains the configuration of a wired-ap-profile.. The wired-ap-profile contains the VLAN information for the connected component, the forward-mode and you can enable/disable the Ethernet port. The configured wired-ap-profile puts the client in VLAN 50, enables the port and puts the port in Split Tunnel mode.
ap wired-ap-profile “rap-split-tunnel-wired-ap_prof”
switchport access vlan 50
5. You have all the basics configured and next you need to configure the Ethernet port profile. This profile combines the AAA profile and the wired-ap-profile.
ap wired-port-profile “rap-split-tunnel-wired-port_prof”
6. The last step is to tie the wired-port-profile to the appropriate AP group. I configured a separate group for remote access points, called remote-o1. The configuration ties the wired-ap-profile to Ethernet 4 on the RAP-5WN.
You are now ready to go!!
One way to remotely access a network is using the Cisco VPN client. Nowadays more and more implementations of SSL VPN are being done and Cisco stopped their development on their VPN client and pushes their Cisco AnyConnect client.
Still the Cisco VPN client is often used to remotely gain access to a network. The Cisco VPN client supports:
The Cisco VPN client is available for download if you have a SMARTnet support contract and encryption entitlements. The client can be used in conjunction with VPN concentrators, PIX and ASA firewall and IOS routers. Below you can find a template configuration for enabling the Cisco VPN client on an IOS router (all used IP addresses and credentials are chosen randomly and don’t represent a real configuration). I used the setup from the picture below:
The configuration uses the local database to authenticate users and split-tunneling is configured to only encrypt traffic destined for the LAN network. With split-tunneling enabled you still can access all local resources and the internet.
aaa authentication login userauthen local
aaa authorization network groupauthor local
username rene privilege 15 secret 5 $1$FkgJ$u3uU0rstyeaBXswW0EIX55
crypto isakmp policy 1
crypto isakmp client configuration group booches-vpn-client
dns 192.168.1.10 192.168.1.11
crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
crypto dynamic-map dynamicmap 10
set transform-set vpn-ts-set
crypto map client-vpn-map client authentication list userauthen
crypto map client-vpn-map isakmp authorization list groupauthor
crypto map client-vpn-map client configuration address initiate
crypto map client-vpn-map client configuration address respond
crypto map client-vpn-map 10 ipsec-isakmp dynamic dynamicmap
ip address 188.8.131.52 255.255.255.240
ip nat outside
crypto map client-vpn-map
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip local pool vpnpool 10.10.1.1 10.10.1.254
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 deny ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255