RE: [fw-wiz] Pix VPN endpoint and split-tunnel

From: Charlie Winckless (
Date: 10/17/05

  • Next message: Greg Spath: "Re: [fw-wiz] Pix VPN endpoint and split-tunnel"
    To: "Hughes, Chris" <>
    Date: Mon, 17 Oct 2005 09:48:55 -0600

    On Wed, 2005-10-12 at 11:23 -0400, Hughes, Chris wrote:
    > That's pretty much what I read. I thought they may have provided a fix
    > by now. As for the workarounds, this is for a business partner network
    > and I've already presented them with the "spend" option and they don't
    > want to.

    This whole 'no out the same interface' game is why I really dislike
    a PIX for VPN termination. Even a cheap router is a good call. (1801).

    Its much cheaper than an ASA, can hang off another interface, etc.

    (Of course -- I work for a Cisco partner; I'm biased. :) )

    > Another reply I got here from Simon expressed the possibility that PIX
    > 7.x supports this. (split horizon?)
    PIX 7.0 supports hub and spoke VPN routing, but only hub and spoke; I
    don't think you can generically turn around and send data UNENCRYPTED
    out of the same interface it came in -- only encrypted.

    > Anybody?
    > - Chris
    > -----Original Message-----
    > From: Paul Melson []
    > Sent: Wednesday, October 12, 2005 10:45 AM
    > To: Hughes, Chris;
    > Subject: RE: [fw-wiz] Pix VPN endpoint and split-tunnel
    > -----Original Message-----
    > Subject: [fw-wiz] Pix VPN endpoint and split-tunnel
    > > I am trying to configure a cisco pix as a vpn endpoint for the cisco
    > vpn
    > client and
    > > would like to force the client to use the corporate network for
    > internet
    > access. I
    > > don't want to allow split-tunnel. I cant find any info on how to do
    > this.
    > Is split
    > > tunnel the only way to give a vpn client internet access once they are
    > connected?
    > The short answer is yes. PIX-fu rule #1: the PIX is not a router. It
    > can't
    > take traffic that arrives on one interface and pass it back out that
    > same
    > interface, even when the traffic arrives via VPN tunnel. That said, you
    > can
    > sort of solve this problem by having the clients use a proxy server
    > while
    > connected via full tunnel. There may or may not be an elegant way to
    > automate this for your road warriors, but this would really be
    > independent
    > of anything the PIX or VPN client do. (Think login scripts, Group
    > Policy,
    > etc.)
    > If it's a big enough issue that you're willing to spend time and
    > resources
    > on it, I would recommend looking at the VPN3K concentrators (or ASA
    > 5500?).
    > They can do exactly what you're asking for, plus they possess a number
    > of
    > other features for managing VPN client users that the PIX doesn't have.
    > (Like dynamic VPN profile assignment via RADIUS.)
    > PaulM
    > This email and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. This communication represents the originator's personal views and opinions, which do not necessarily reflect those of Thales Communications, Inc. If you are not the original recipient or the person responsible for delivering the email to the intended recipient, be advised that you have received this email in error, and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. If you received this email in error, please immediately notify
    > _______________________________________________
    > firewall-wizards mailing list

    Charlie Winckless, CCIE #7331     u:
    Senior Consulting Engineer        e:
    Internetworking Experts           p:   (505) 256-9047 x 144
                                      f:         (505) 256-9091
                                      PGP ID:        0xAB284BD0
      Q: Because it reverses the logical flow of conversation.
      A: Why is top posting frowned upon

    firewall-wizards mailing list

  • Next message: Greg Spath: "Re: [fw-wiz] Pix VPN endpoint and split-tunnel"

    Relevant Pages

    • Re: Configuring Cisco VPN Client / Windows XP
      ... Packets will use an interface based on the routing table. ... Generally speaking when the VPN is connected it will add a route to the ... flush the DNS Cache resolver to clear out the old DNS ... > cannot access the *same* pages on the computer with the VPN client ...
    • PIX 501: NAT VPN Clients to Inside?
      ... running the Cisco VPN client 4.x. ... The "Inside" interface has a public IP of, ... would appear to come from the interface IP of the pix. ... client computer connecting, getting a 192.168 address, and then it ...
    • Re: Surfing the internet WHILST using a VPN connection (PIX 513)
      ... I don't have any experience with the Cisco VPN client, ... Once on the network users wish to browse the internet. ... There is a PIX 515, and a re-spun version of that called the PIX 515E. ... a seperate physical interface that is also connected to the ISP. ...
    • Re: Pix and VPN 3030 traffic routing / redirection
      ... > Currently I have a Pix 515 serving as both a firewall and a VPN ... > Pix dmz interface network: ...
    • Re: Is a site to site VPN in this scenario possible?
      ... PIX 515 DMZ to the outside interface on our local PIX 515. ... tunnel traffic should leave source location's VPN firewall trough it's ...