RE: [fw-wiz] PIX split tunneling

From: Perrymon, Josh L. (
Date: 03/19/03

  • Next message: Perrymon, Josh L.: "RE: [fw-wiz] PIX Logging Analysis"
    From: "Perrymon, Josh L." <>
    To: 'Ben Nagy' <>, Malte von dem Hagen <>
    Date: Wed, 19 Mar 2003 15:20:51 -0600

    Hey Ben- I'm a little fuzzy also on this one.

    If you're using split tunnels with a client-to-PIX VPN then the split tunnel
    is set up inside the PIX.

    vpngroup test split-tunnel 101
    so on

    access-list 101 permit ip xxx.xx.xx.xx xx.xx.xx.xx xx.xx.xx.xx xx.xx.xx.xx

    The access list specifies the split tunnel: what to encrypt and what to send
    out the interface (default gateway).
    Split tunneling is an excellent option for saving bandwidth and SAs on your

    The idea might have been started with the thought that if you send internet
    traffic back to the VPN you will be safe.
    This is incorrect. To use a VPN the user would need access to the internet
    (public). This means that the TCP/IP stack/ports are open unless
    protected. Meaning if you have 135-139 open you're not safe.

    I would recommend that the users are required to run a personal firewall.
    Else you have a secure connection to
    the core of the LAN for hackers to ride....

    Something to think about--

    Joshua Perrymon
    Network Security Consultant

    -----Original Message-----
    From: Ben Nagy []
    Sent: Wednesday, January 29, 2003 2:09 AM
    To: Malte von dem Hagen
    Subject: Re: [fw-wiz] PIX split tunneling

    Random tip:
    Search the Cisco site with Google with "my query words"

    It works better.

    As for the question, it isn't possible to stop end users on remote networks
    trying to send secure network traffic out via the Internet. It's their
    machine, they can mess with it. You can ship a preconfigured client, from
    memory, which can help with rollout issues, but if it's just a remote laptop
    on a public network then if they change the config then they change it.

    If your users are inside the PIX then I don't understand the question. All
    this fancy "split tunneling" jargon seems to mean is that you don't
    actually _need_ to tunnel all traffic. Wow. Revelation.

    If the client VPN associations are with the firewall nearest to them (in
    your network), then you can then configure that firewall to forward the
    traffic however you like after that. It can even re-tunnel some to a remote
    network and send the rest out via the Internet.

    If the client sessions are with a remote firewall (not in your network) then
    you can't touch the data inside the sessions. You can always choose to
    forward, tunnel, or block the packets, though.

    Maybe I'm missing something.

    ----- Original Message -----
    From: "Malte von dem Hagen" <>
    To: "'Firewall Wizards ML'" <>
    Sent: Wednesday, January 29, 2003 3:08 AM
    Subject: [fw-wiz] PIX split tunneling

    > Hi there,
    > what we want to set up is a VPN from Cisco VPN Client to a Cisco PIX 525
    > including split tunneling, in order to split up the outgoing client
    > traffic - the packets destined to the secured network via the VPN
    > tunnel, all the others through the default gateway. This should be
    > confed at the PIX and not at the VPN client in order to prevent user
    > manipulation of these things.
    > Searching the web and CCO was quite frustrating since Cisco has almost
    > everything provided on their websites, but to find the right documents
    > is a mess...
    > Does anybody have some clues, links, configuration examples?
    > TIA & best regards,
    > Malte von dem Hagen
    > --
    > Malte von dem Hagen
    > _______________________________________________
    > firewall-wizards mailing list

    firewall-wizards mailing list
