Re: [fw-wiz] PIX split tunneling

From: Ben Nagy (ben@iagu.net)
Date: 01/29/03


From: "Ben Nagy" <ben@iagu.net>
To: "Malte von dem Hagen" <DocValde@gmx.de>
Date: Wed Jan 29 09:10:03 2003

Random tip:
Search the Cisco site with Google with "my query words site:cisco.com"

It works better.

As for the question, it isn't possible to stop end users on remote networks
trying to send secure network traffic out via the Internet. It's their
machine, they can mess with it. You can ship a preconfigured client, from
memory, which can help with rollout issues, but if it's just a remote laptop
on a public network then if they change the config then they change it.

If your users are inside the PIX then I don't understand the question. All
this fancy "split tunneling" jargon seems to mean is that you don't
actually _need_ to tunnel all traffic. Wow. Revelation.

If the client VPN associations are with the firewall nearest to them (in
your network), then you can then configure that firewall to forward the
traffic however you like after that. It can even re-tunnel some to a remote
network and send the rest out via the Internet.

If the client sessions are with a remote firewall (not in your network) then
you can't touch the data inside the sessions. You can always choose to
forward, tunnel, or block the packets, though.

Maybe I'm missing something.

----- Original Message -----
From: "Malte von dem Hagen" <DocValde@gmx.de>
To: "'Firewall Wizards ML'" <firewall-wizards@honor.icsalabs.com>
Sent: Wednesday, January 29, 2003 3:08 AM
Subject: [fw-wiz] PIX split tunneling

> Hi there,
>
> what we want to set up is a VPN from Cisco VPN Client to a Cisco PIX 525
> including split tunneling, in order to split up the outgoing client
> traffic - the packets destined to the secured network via the vpn
> tunnel, all the others through the default gateway. This should be
> confed at the pix and not at the VPN client in order to prevent user
> manipulation of these things.
>
> Searching the web and CCO was quite frustrating since Cisco has almost
> everything provided on their websites, but to find the right documents
> is a mess...
>
> Does anybody have some clues, links, configuration examples?
>
> TIA & best regards,
>
> Malte von dem Hagen
>
> --
> Malte von dem Hagen
>
> DocValde@gmx.de
> http://www.docvalde.net/
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
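For readers arriving at this thread looking for the PIX-side configuration Malte asked about: the fragment below is an added illustration, not from either poster, and uses the PIX OS 6.x `vpngroup` syntax as I recall it (the group name, pool name, ACL name and address ranges are made up; check the command reference for your PIX version). The split-tunnel ACL lists the protected networks (source) that should be reached through the tunnel from the client pool (destination); everything else the client sends goes out its local default gateway. The PIX pushes this policy to the client at connect time, which keeps the policy definition on the firewall, but, as Ben notes above, it does not stop a user who owns the remote machine from altering it locally.

```cisco
! Constructed example: PIX 6.x remote-access group with split tunneling.
! Networks and names are placeholders, not taken from the thread.
!
! Pool of addresses handed to connecting VPN clients.
ip local pool vpnpool 192.168.100.1-192.168.100.254
!
! Split-tunnel ACL: only traffic between the internal network (source)
! and the client pool (destination) is encrypted; PIX ACLs take real
! subnet masks here, not wildcard masks.
access-list split_tunnel permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
!
! Remote-access group that the Cisco VPN Client connects to.
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 10.1.0.10
vpngroup remoteusers default-domain example.internal
vpngroup remoteusers split-tunnel split_tunnel
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password <group-preshared-key>
!
! Let decrypted IPsec traffic bypass the interface ACLs.
sysopt connection permit-ipsec
```

Omitting the `split-tunnel` line makes the group tunnel everything, so the presence of that one line is what to look for when auditing whether a PIX permits split tunneling for a given group.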


