Re: [fw-wiz] Pix VPN endpoint and split-tunnel

From: Joe Dollard (joed_at_devel.livenote.com)
Date: 10/14/05

  • Next message: Jason Ostrom: "Re: [fw-wiz] Pix VPN endpoint and split-tunnel"
    To: Paul Melson <pmelson@gmail.com>
    Date: Fri, 14 Oct 2005 10:52:20 +1000
    
    

    Paul Melson wrote:

    >-----Original Message-----
    >Subject: [fw-wiz] Pix VPN endpoint and split-tunnel
    >
    >>I am trying to configure a cisco pix as a vpn endpoint for the cisco vpn
    >>client and would like to force the client to use the corporate network for
    >>internet access. I don't want to allow split-tunnel. I can't find any info
    >>on how to do this. Is split tunnel the only way to give a vpn client
    >>internet access once they are connected?
    >
    >The short answer is yes. PIX-fu rule #1: the PIX is not a router. It can't
    >take traffic that arrives on one interface and pass it back out that same
    >interface, even when the traffic arrives via VPN tunnel. That said, you can
    >sort of solve this problem by having the clients use a proxy server while
    >connected via full tunnel. There may or may not be an elegant way to
    >automate this for your road warriors, but this would really be independent
    >of anything the PIX or VPN client do. (Think login scripts, Group Policy,
    >etc.)
    >
    >
    While I haven't tried this yet, it's my understanding that with PIX 7.0
    this is possible to do with the same-security-traffic command.
    According to the PIX documentation
    (http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp2668461)
    this allows you to "permit communication between interfaces with equal
    security levels".

    Regards,
    Joe

    >If it's a big enough issue that you're willing to spend time and resources
    >on it, I would recommend looking at the VPN3K concentrators (or ASA 5500?).
    >They can do exactly what you're asking for, plus they possess a number of
    >other features for managing VPN client users that the PIX doesn't have.
    >(Like dynamic VPN profile assignment via RADIUS.)
    >
    >PaulM
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
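As an added example (not from Joe, Paul or the list archive), this is the shape a PIX 7.0 configuration for the setup discussed in the thread takes: a group policy that forbids split tunnelling so every client packet enters the tunnel, and the intra-interface form of same-security-traffic so the PIX can send that traffic back out the outside interface it arrived on. Note that the documentation sentence Joe quotes describes the inter-interface keyword (two interfaces at the same security level); the case in this thread, where decrypted client traffic must leave via the same outside interface, is the intra-interface keyword. All names, the address pool, the DNS server and the pre-shared key placeholder are assumptions.

```cisco
! Added example configuration, not from the thread. Names and addresses are made up.

! Address pool handed to Cisco VPN Client users (constructed RFC 1918 range).
ip local pool VPN_POOL 192.168.100.1-192.168.100.50 mask 255.255.255.0

! Let traffic that enters an interface leave through that same interface.
! This is the 7.0 answer to "the PIX is not a router" for VPN hairpinning.
same-security-traffic permit intra-interface

! Group policy: no split tunnel, so Internet browsing also rides the tunnel and
! is subject to the corporate ACLs and inspection on the way back out.
group-policy FULL_TUNNEL internal
group-policy FULL_TUNNEL attributes
 split-tunnel-policy tunnelall
 dns-server value 10.0.0.53

! Remote-access tunnel group for the VPN Client. The PSK is a placeholder.
tunnel-group REMOTE_USERS type ipsec-ra
tunnel-group REMOTE_USERS general-attributes
 address-pool VPN_POOL
 default-group-policy FULL_TUNNEL
tunnel-group REMOTE_USERS ipsec-attributes
 pre-shared-key <REPLACE_WITH_PSK>

! Translate the client pool to the outside address when its traffic hairpins
! back out to the Internet, so replies return to the PIX and into the tunnel.
nat (outside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface

! Let decrypted IPsec traffic bypass the outside interface ACL (7.0 keyword).
sysopt connection permit-ipsec

! ISAKMP / IPsec plumbing for the dynamic (road-warrior) crypto map.
! Algorithms shown are era-typical; use the strongest the platform and client offer.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set RA_TS esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set RA_TS
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
```

After a client connects, `show crypto ipsec sa` on the PIX should show a 0.0.0.0/0 proxy identity for that peer (everything tunnelled), and `show xlate` should show the client's pool address translated to the outside interface address when it browses the Internet; if the second is missing, the nat (outside) statement is usually what was forgotten.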
