RE: [fw-wiz] Pix VPN endpoint and split-tunnel
From: Alan Holmes (aholmes_at_jrholmes.com)
Date: 10/14/05
- Previous message: Paul Melson: "RE: [fw-wiz] Rule management process"
- In reply to: Hughes, Chris: "RE: [fw-wiz] Pix VPN endpoint and split-tunnel"
- Next in thread: Jason Ostrom: "Re: [fw-wiz] Pix VPN endpoint and split-tunnel"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Hughes, Chris'" <Chris.Hughes@thalescomminc.com>, <firewall-wizards@honor.icsalabs.com>
Date: Thu, 13 Oct 2005 19:52:05 -0500
The 7.0 PIX code supports forwarding VPN traffic out the same interface that
it arrived on, spoke-to-spoke routing. It also supports split-tunneling by
forwarding clear-text traffic out the Internet after applying firewall
rules.
I think the command is something like same-security-interface
intra-interface. I haven't configured it yet. I expect to receive a couple
ASAs in the next couple weeks and am looking forward to testing this.
Alan
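As an added illustration of the two configurations this thread is discussing (the split-tunnel setup Chris wants to avoid, and the PIX 7.0 full-tunnel hairpin Alan describes), here is a config sketch that is not from any poster in the thread. It assumes PIX 7.0 / ASA syntax; the policy name, pool, addresses and ACL name are constructed placeholders.

```cisco
! Added example; not from the thread or from Cisco documentation.
! Assumed PIX 7.0 / ASA command syntax. Names and addresses are constructed.

! --- Weak: remote-access clients are split-tunnelled --------------------
! Only the listed corporate nets go through the tunnel; the client sends
! Internet traffic directly, so it sits on both networks at once and that
! traffic never passes the firewall's outbound policy.
access-list SPLIT_NETS standard permit 10.10.0.0 255.255.0.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_NETS

! --- Corrected: full tunnel, client Internet traffic hairpinned ----------
! 1. Allow traffic that arrived on 'outside' (inside the VPN tunnel) to be
!    forwarded back out 'outside'. This is the command Alan was recalling.
same-security-traffic permit intra-interface

! 2. Force everything into the tunnel; no split tunnelling.
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list none

! 3. Address pool handed to VPN clients (constructed).
ip local pool RA_POOL 192.168.250.1-192.168.250.254 mask 255.255.255.0

! 4. PAT the client pool to the outside interface address when its traffic
!    re-exits 'outside'. Because it now transits the firewall, the outbound
!    access-list and inspection policy apply to it like any LAN traffic.
global (outside) 1 interface
nat (outside) 1 192.168.250.0 255.255.255.0
```

The 'nat (outside)' entry is what makes the hairpinned flow routable on the Internet; without it the client's tunnelled traffic reaches the outside interface but leaves with an unroutable pool source address.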
-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Hughes,
Chris
Sent: Wednesday, October 12, 2005 10:24 AM
To: Paul Melson; firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] Pix VPN endpoint and split-tunnel
That's pretty much what I read. I thought they may have provided a fix by
now. As for the workarounds, this is for a business partner network and
I've already presented them with the "spend" option and they don't want to.
Another reply I got here from Simon expressed the possibility that PIX 7.x
supports this. (split horizon?)
Anybody?
- Chris
-----Original Message-----
From: Paul Melson [mailto:pmelson@gmail.com]
Sent: Wednesday, October 12, 2005 10:45 AM
To: Hughes, Chris; firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] Pix VPN endpoint and split-tunnel
-----Original Message-----
Subject: [fw-wiz] Pix VPN endpoint and split-tunnel
> I am trying to configure a cisco pix as a vpn endpoint for the cisco vpn client and
> would like to force the client to use the corporate network for internet access. I
> don't want to allow split-tunnel. I can't find any info on how to do this. Is split
> tunnel the only way to give a vpn client internet access once they are connected?
The short answer is yes. PIX-fu rule #1: the PIX is not a router. It can't
take traffic that arrives on one interface and pass it back out that same
interface, even when the traffic arrives via VPN tunnel. That said, you can
sort of solve this problem by having the clients use a proxy server while
connected via full tunnel. There may or may not be an elegant way to
automate this for your road warriors, but this would really be independent
of anything the PIX or VPN client do. (Think login scripts, Group Policy,
etc.)
If it's a big enough issue that you're willing to spend time and resources
on it, I would recommend looking at the VPN3K concentrators (or ASA 5500?).
They can do exactly what you're asking for, plus they possess a number of
other features for managing VPN client users that the PIX doesn't have.
(Like dynamic VPN profile assignment via RADIUS.)
PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards