RE: [fw-wiz] Pix VPN endpoint and split-tunnel
From: Charlie Winckless (cpw_at_inetx.com)
To: "Hughes, Chris" <Chris.Hughes@thalescomminc.com> Date: Mon, 17 Oct 2005 09:48:55 -0600
On Wed, 2005-10-12 at 11:23 -0400, Hughes, Chris wrote:
> That's pretty much what I read. I thought they may have provided a fix
> by now. As for the workarounds, this is for a business partner network
> and I've already presented them with the "spend" option and they don't
> want to.
This whole 'no out the same interface' game is why I really dislike
a PIX for VPN termination. Even a cheap router is a good call. (1801).
Its much cheaper than an ASA, can hang off another interface, etc.
(Of course -- I work for a Cisco partner; I'm biased. :) )
> Another reply I got here from Simon expressed the possibility that PIX
> 7.x supports this. (split horizon?)
PIX 7.0 supports hub and spoke VPN routing, but only hub and spoke; I
don't think you can generically turn around and send data UNENCRYPTED
out of the same interface it came in -- only encrypted.
> - Chris
> -----Original Message-----
> From: Paul Melson [mailto:email@example.com]
> Sent: Wednesday, October 12, 2005 10:45 AM
> To: Hughes, Chris; firstname.lastname@example.org
> Subject: RE: [fw-wiz] Pix VPN endpoint and split-tunnel
> -----Original Message-----
> Subject: [fw-wiz] Pix VPN endpoint and split-tunnel
> > I am trying to configure a cisco pix as a vpn endpoint for the cisco
> client and
> > would like to force the client to use the corporate network for
> access. I
> > don't want to allow split-tunnel. I cant find any info on how to do
> Is split
> > tunnel the only way to give a vpn client internet access once they are
> The short answer is yes. PIX-fu rule #1: the PIX is not a router. It
> take traffic that arrives on one interface and pass it back out that
> interface, even when the traffic arrives via VPN tunnel. That said, you
> sort of solve this problem by having the clients use a proxy server
> connected via full tunnel. There may or may not be an elegant way to
> automate this for your road warriors, but this would really be
> of anything the PIX or VPN client do. (Think login scripts, Group
> If it's a big enough issue that you're willing to spend time and
> on it, I would recommend looking at the VPN3K concentrators (or ASA
> They can do exactly what you're asking for, plus they possess a number
> other features for managing VPN client users that the PIX doesn't have.
> (Like dynamic VPN profile assignment via RADIUS.)
> This email and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. This communication represents the originator's personal views and opinions, which do not necessarily reflect those of Thales Communications, Inc. If you are not the original recipient or the person responsible for delivering the email to the intended recipient, be advised that you have received this email in error, and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. If you received this email in error, please immediately notify Administrator2@Thalescomminc.com.
> firewall-wizards mailing list
-- Charlie Winckless, CCIE #7331 u: http://www.inetx.com Senior Consulting Engineer e: email@example.com Internetworking Experts p: (505) 256-9047 x 144 f: (505) 256-9091 PGP ID: 0xAB284BD0 ------------------------------------------------------------ Q: Because it reverses the logical flow of conversation. A: Why is top posting frowned upon
firewall-wizards mailing list
- application/pgp-signature attachment: This is a digitally signed message part