Re: [fw-wiz] Pix VPN endpoint and split-tunnel
From: Joe Dollard (joed_at_devel.livenote.com)
Date: 10/14/05
- Previous message: Josh Welch: "Re: [fw-wiz] Pix VPN endpoint and split-tunnel"
- In reply to: Paul Melson: "RE: [fw-wiz] Pix VPN endpoint and split-tunnel"
- Next in thread: Jimmy Sadri: "[fw-wiz] Pix 501 & 506 PixOS 7.0 compatability"
- Reply: Jimmy Sadri: "[fw-wiz] Pix 501 & 506 PixOS 7.0 compatability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Paul Melson <pmelson@gmail.com>
Date: Fri, 14 Oct 2005 10:52:20 +1000
Paul Melson wrote:
>-----Original Message-----
>Subject: [fw-wiz] Pix VPN endpoint and split-tunnel
>
>>I am trying to configure a cisco pix as a vpn endpoint for the cisco vpn
>>client and would like to force the client to use the corporate network for
>>internet access. I don't want to allow split-tunnel. I can't find any info
>>on how to do this. Is split tunnel the only way to give a vpn client
>>internet access once they are connected?
>
>The short answer is yes. PIX-fu rule #1: the PIX is not a router. It can't
>take traffic that arrives on one interface and pass it back out that same
>interface, even when the traffic arrives via VPN tunnel. That said, you can
>sort of solve this problem by having the clients use a proxy server while
>connected via full tunnel. There may or may not be an elegant way to
>automate this for your road warriors, but this would really be independent
>of anything the PIX or VPN client do. (Think login scripts, Group Policy,
>etc.)
>
>
While I haven't tried this yet, it's my understanding that with PIX 7.0
this is possible to do with the same-security-traffic command.
According to the PIX documentation
(http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp2668461)
this allows you to "permit communication between interfaces with equal
security levels".
Regards,
Joe
>If it's a big enough issue that you're willing to spend time and resources
>on it, I would recommend looking at the VPN3K concentrators (or ASA 5500?).
>They can do exactly what you're asking for, plus they possess a number of
>other features for managing VPN client users that the PIX doesn't have.
>(Like dynamic VPN profile assignment via RADIUS.)
>
>PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
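As an added illustration of the PIX 7.0 approach Joe mentions (this is not configuration from the original post or from Cisco's documentation), the fragment below shows the pieces that have to fit together for a "tunnel everything" remote-access client whose internet traffic is turned around on the outside interface. The interface security levels, the 10.10.10.0/24 client pool, the group-policy and tunnel-group names, and the DNS server address are constructed placeholders; the ISAKMP policy, crypto map, and any existing `nat (inside) 0` exemption for inside-to-VPN traffic are assumed to be configured already.

```cisco
! Added example, not from the original post. Names and addresses are
! placeholders chosen for illustration.

! Permit traffic that arrives on an interface (here: decrypted from the
! VPN tunnel on outside) to be sent back out that same interface.
same-security-traffic permit intra-interface

! Address pool handed to remote-access clients.
ip local pool VPNPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Force clients to send all traffic through the tunnel (no split tunnel).
group-policy FULLTUNNEL internal
group-policy FULLTUNNEL attributes
 split-tunnel-policy tunnelall
 dns-server value 192.0.2.53

tunnel-group REMOTEUSERS type ipsec-ra
tunnel-group REMOTEUSERS general-attributes
 address-pool VPNPOOL
 default-group-policy FULLTUNNEL

! Hairpinned client traffic leaves via the outside interface, so the
! client pool needs a translation on that interface.
nat (outside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
```

Without the `same-security-traffic permit intra-interface` line the PIX behaves as Paul describes and silently drops the hairpinned packets; `show running-config same-security-traffic` confirms whether it is set, and a traceroute from a connected client should show its first hop inside the tunnel rather than the local gateway. The operational point of tunnelall is that the client's internet traffic is now subject to the same egress filtering and logging as the office network, which is what the original poster was after.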