Configuring Split Tunneling; Configuring Device Pass-Through - Cisco PIX 500 Series Configuration Manual

Security appliance command line

Configuring Split Tunneling

Split tunneling lets a remote-access IPSec client conditionally direct packets over an IPSec tunnel in encrypted form or to a network interface in clear text form.

The Easy VPN server pushes the split tunneling attributes from the group policy to the Easy VPN Client for use only in the work zone. See Configuring Split-Tunneling Attributes, page 30-44, to configure split tunneling on the Cisco ASA 5505.

Enter the following command in global configuration mode to enable the automatic initiation of IPSec tunnels when NEM and split tunneling are configured:

[no] vpnclient nem-st-autoconnect

no removes the command from the running configuration.

For example:

hostname(config)# vpnclient nem-st-autoconnect
hostname(config)#

Configuring Device Pass-Through

Devices such as Cisco IP phones, wireless access points, and printers are incapable of performing authentication. Enter the following command in global configuration mode to exempt such devices from authentication, thereby providing network access to them, if individual user authentication is enabled:

[no] vpnclient mac-exempt mac_addr_1 mac_mask_1 [mac_addr_2 mac_mask_2...mac_addr_n mac_mask_n]

no removes the command from the running configuration.

mac_addr is the MAC address, in dotted hexadecimal notation, of the device to bypass individual user authentication.

mac_mask is the network mask for the corresponding MAC address. A MAC mask of ffff.ff00.0000 matches all devices made by the same manufacturer. A MAC mask of ffff.ffff.ffff matches a single device.

Only the first six characters of the specific MAC address are required if you use the MAC mask ffff.ff00.0000 to specify all devices by the same manufacturer. For example, Cisco IP phones have the Manufacturer ID 00036b, so the following command exempts any Cisco IP phone, including Cisco IP phones you might add in the future:

hostname(config)# vpnclient mac-exempt 0003.6b00.0000 ffff.ff00.0000
hostname(config)#

The next example provides greater security but less flexibility because it exempts one specific Cisco IP phone:

hostname(config)# vpnclient mac-exempt 0003.6b54.b213 ffff.ffff.ffff
hostname(config)#

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03
Chapter 34, Configuring Easy VPN Services on the ASA 5505
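
The address and mask pairs described under Configuring Device Pass-Through can be checked offline before they are entered, to see how many devices each one lets bypass individual user authentication. The following Python sketch is an added example, not part of the Cisco guide: it parses vpnclient mac-exempt lines from a constructed sample configuration and reports the breadth of each entry. It assumes a device is exempt when its address ANDed with the mask equals the entry's address ANDed with the mask; the function names are illustrative.

```python
import re

# Constructed sample configuration using the two commands shown in the manual text.
SAMPLE_CONFIG = """\
vpnclient mac-exempt 0003.6b00.0000 ffff.ff00.0000
vpnclient mac-exempt 0003.6b54.b213 ffff.ffff.ffff
"""

DOTTED = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)


def parse_mac(text):
    """Convert dotted hexadecimal notation (xxxx.xxxx.xxxx) to a 48-bit integer."""
    if not DOTTED.match(text):
        raise ValueError(f"not dotted hexadecimal MAC notation: {text!r}")
    return int(text.replace(".", ""), 16)


def parse_exemptions(config):
    """Return (addr, mask) integer pairs from every vpnclient mac-exempt line."""
    pairs = []
    for line in config.splitlines():
        words = line.split()
        if words[:2] != ["vpnclient", "mac-exempt"]:
            continue  # also skips the "no vpnclient mac-exempt" removal form
        args = words[2:]
        if not args or len(args) % 2:
            raise ValueError(f"address without a mask in: {line!r}")
        pairs += [(parse_mac(a), parse_mac(m)) for a, m in zip(args[::2], args[1::2])]
    return pairs


def is_exempt(mac, pairs):
    """Assumed semantics: exempt when the masked bits equal an entry's masked bits."""
    value = parse_mac(mac)
    return any((value & mask) == (addr & mask) for addr, mask in pairs)


def audit(pairs):
    """Report how many addresses each entry lets bypass user authentication."""
    report = []
    for addr, mask in pairs:
        covered = 1 << (48 - bin(mask).count("1"))  # every unmasked bit doubles the range
        scope = "single device" if covered == 1 else "address range"
        report.append((f"{addr:012x}", f"{mask:012x}", covered, scope))
    return report
```

Calling audit(parse_exemptions(SAMPLE_CONFIG)) shows the manufacturer-wide entry covering 16,777,216 addresses against one address for the single-device entry, which is the security and flexibility trade-off the two manual examples describe.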


This manual is also suitable for:

ASA 5500 series
