RE: [fw-wiz] Pix VPN endpoint and split-tunnel

From: Paul Melson (pmelson_at_gmail.com)
Date: 10/12/05

    To: "'Hughes, Chris'" <Chris.Hughes@thalescomminc.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 12 Oct 2005 10:45:10 -0400
    
    

    -----Original Message-----
    Subject: [fw-wiz] Pix VPN endpoint and split-tunnel

    > I am trying to configure a Cisco PIX as a VPN endpoint for the Cisco VPN
    > client and would like to force the client to use the corporate network for
    > internet access. I don't want to allow split-tunnel. I can't find any info
    > on how to do this. Is split tunnel the only way to give a VPN client
    > internet access once they are connected?

    The short answer is yes. PIX-fu rule #1: the PIX is not a router. It can't
    take traffic that arrives on one interface and pass it back out that same
    interface, even when the traffic arrives via VPN tunnel. That said, you can
    sort of solve this problem by having the clients use a proxy server while
    connected via full tunnel. There may or may not be an elegant way to
    automate this for your road warriors, but this would really be independent
    of anything the PIX or VPN client do. (Think login scripts, Group Policy,
    etc.)

    If it's a big enough issue that you're willing to spend time and resources
    on it, I would recommend looking at the VPN3K concentrators (or ASA 5500?).
    They can do exactly what you're asking for, plus they possess a number of
    other features for managing VPN client users that the PIX doesn't have.
    (Like dynamic VPN profile assignment via RADIUS.)

    PaulM

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

