[fw-wiz] L2TP & Split Tunnel -



Hello,
This is more of a conversation, looking for input on
some issues that have come up while trying to get L2TP
IPsec in place.

The PIX in question (PIX 515 ver 6.3) has been running
a VPN in tunnel mode that allowed Cisco VPN clients to
connect. However, a change in the network layout has
the PIX outside interface IP address changed to a
private address. A load balancer now sits in front of
the PIX. From my reading, I had to change my VPN from
tunnel to transport mode, since the VPN call would be
made to the load balancer interface, which would then
NAT to the outside PIX interface. This NAT process
would break IPsec transport, and tunnel is what I went
with. So far, could someone please tell me if this
decision was correct? As the direction I took led me
to the next question:

L2TP transport mode is what I have now deployed in my
test environment. Works fine, except for split
tunneling. L2TP does not support split tunneling. This
is what I have read so far and I could be wrong. But
so far it does not support split tunneling. I thus have
2 questions as regards split tunneling:
What are the thoughts on split tunneling and the
dangers it poses to a network when enabled, and are
there any workarounds to allowing clients connected
to the VPN via L2TP access to the Internet?
Many thanks for your time.
.a
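As an added illustration of the point raised above about NAT breaking IPsec transport mode (example code written for this note, not from the original post or from Cisco), the script below reproduces the TCP checksum a receiving stack verifies once ESP has been stripped: in transport mode that checksum was computed over the pre-NAT address and sits inside the ciphertext where the load balancer cannot fix it, while in tunnel mode NAT only rewrites the outer header and the inner packet arrives unchanged. All addresses and the payload are constructed.

```python
import socket
import struct

def _ones_complement_sum(data: bytes) -> int:
    """Folded 16-bit ones-complement sum shared by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the pseudo-header (addresses, protocol 6, length) + segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF

def build_segment(src_ip, dst_ip, sport, dport, payload):
    """Minimal 20-byte TCP header (PSH|ACK, no options) + payload, checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def segment_is_valid(src_ip, dst_ip, segment):
    """The check the receiving stack makes after ESP is removed: a good segment
    sums to zero against the addresses actually present in the IP header."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0

# Constructed addresses for the post's topology (not from the original).
CLIENT = "198.51.100.10"       # client's real address, as the load balancer sees it
NAT_CLIENT = "10.0.0.10"       # what the load balancer rewrites it to
PIX_OUTSIDE = "10.0.0.1"       # PIX outside interface, now a private address
INNER_CLIENT = "192.168.50.5"  # tunnel-mode inner address from the VPN pool
INNER_SERVER = "192.168.1.20"  # internal host the client is talking to
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"

def transport_mode_survives_nat() -> bool:
    """Transport mode: the segment is encrypted directly under ESP, so the load
    balancer cannot rewrite its checksum; the PIX verifies it against NAT_CLIENT."""
    seg = build_segment(CLIENT, PIX_OUTSIDE, 40000, 443, PAYLOAD)
    return segment_is_valid(NAT_CLIENT, PIX_OUTSIDE, seg)

def tunnel_mode_survives_nat() -> bool:
    """Tunnel mode: NAT only touches the outer header; the inner packet, including
    the addresses the checksum was built over, arrives unchanged."""
    seg = build_segment(INNER_CLIENT, INNER_SERVER, 40000, 443, PAYLOAD)
    return segment_is_valid(INNER_CLIENT, INNER_SERVER, seg)
```

This is the failure that NAT Traversal (RFC 3948) exists to work around, by UDP-encapsulating ESP and letting the peer correct the inner checksum; the script does not model NAT-T.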




_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

