Re: [fw-wiz] PIX split tunneling

From: John Adams (jna@retina.net)
Date: 01/29/03


From: John Adams <jna@retina.net>
To: Malte von dem Hagen <DocValde@gmx.de>
Date: Wed Jan 29 02:13:01 2003

On Wed, 29 Jan 2003, Malte von dem Hagen wrote:

> Hi there,
>
> what we want to set up is a VPN from Cisco VPN Client to a Cisco PIX 525
> including split tunneling, in order to split up the outgoing client
> traffic - the packets destined to the secured network via the vpn
> tunnel, all the others through the default gateway. This should be
> confed at the pix and not at the VPN client in order to prevent user
> manipulation of these things.

Do you -really- want to have split tunnelling enabled? It's a bad idea.

If someone runs the Cisco VPN client and the machine is penetrated from
another user on the Internet, you've now given the cracker direct access
to your network.

Also, split tunneling is configured in the VPN client, not on the Pix
itself. You configure it, and then lock down the configuration so your
users cannot modify the configuration.

--john

-- 
J. Adams					http://www.retina.net/~jna
The secret of knowing where you are, is knowing what time it is. -- Anonymous

