Firewall Wizards mailing list archives
Re: PIX split tunneling
From: "Ben Nagy" <ben () iagu net>
Date: Wed, 29 Jan 2003 09:08:36 +0100
Random tip: Search the Cisco site with Google with "my query words site:cisco.com". It works better.

As for the question, it isn't possible to stop end users on remote networks trying to send secure network traffic out via the Internet. It's their machine, they can mess with it. You can ship a preconfigured client, from memory, which can help with rollout issues, but if it's just a remote laptop on a public network then if they change the config then they change it.

If your users are inside the PIX then I don't understand the question.

All this fancy "split tunneling" jargon seems to mean is that you don't actually _need_ to tunnel all traffic. Wow. Revelation.

If the client VPN associations are with the firewall nearest to them (in your network), then you can configure that firewall to forward the traffic however you like after that. It can even re-tunnel some to a remote network and send the rest out via the Internet.

If the client sessions are with a remote firewall (not in your network) then you can't touch the data inside the sessions. You can always choose to forward, tunnel, or block the packets, though.

Maybe I'm missing something.

----- Original Message -----
From: "Malte von dem Hagen" <DocValde () gmx de>
To: "'Firewall Wizards ML'" <firewall-wizards () honor icsalabs com>
Sent: Wednesday, January 29, 2003 3:08 AM
Subject: [fw-wiz] PIX split tunneling
Hi there,

What we want to set up is a VPN from Cisco VPN Client to a Cisco PIX 525 including split tunneling, in order to split up the outgoing client traffic: the packets destined to the secured network go via the VPN tunnel, all the others through the default gateway. This should be configured at the PIX and not at the VPN client, in order to prevent user manipulation of these things.

Searching the web and CCO was quite frustrating, since Cisco has almost everything provided on their websites, but finding the right documents is a mess...

Does anybody have some clues, links, configuration examples?

TIA & best regards,
Malte von dem Hagen

--
Malte von dem Hagen
DocValde () gmx de
http://www.docvalde.net/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
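Neither message in the thread shows the configuration Malte asked for, so the following is an added example, not text from Ben, Malte or Cisco. It is the PIX 6.x (assumed 6.3, for `isakmp nat-traversal`) way of defining the split-tunnel policy on the PIX and pushing it to the Cisco VPN Client at mode-config time. The inside network 10.1.0.0/16, the client pool 192.168.100.0/24, the DNS server, the domain and the group name `remoteusers` are all made up for the example; the ":"-prefixed lines are comments. Only the networks that appear as the source of the `split_tunnel` ACL are sent through the tunnel; the same ACL doubles as the NAT exemption list.

```text
: Added example, not from the thread. PIX 6.x syntax; all names and
: addresses are assumptions. Inside = 10.1.0.0/16, VPN pool = 192.168.100.0/24.

: Split-tunnel policy: the ACL's source networks are pushed to the client
: as "tunnel these"; everything else leaves via the client's default gateway.
access-list split_tunnel permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0

: Do not NAT traffic that is going into the tunnel.
nat (inside) 0 access-list split_tunnel

: Addresses handed to connecting clients.
ip local pool vpnpool 192.168.100.1-192.168.100.254

: Let decrypted IPsec traffic bypass interface ACLs, and let the PIX
: hand out pool addresses when the client asks for one.
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address respond
crypto map outside_map interface outside

: IKE phase 1 for the remote-access clients (pre-shared group key).
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: The VPN group: pool, DNS, domain, and the split-tunnel ACL defined above.
: Leaving out the split-tunnel line makes the client tunnel ALL traffic.
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 10.1.1.10
vpngroup remoteusers default-domain example.net
vpngroup remoteusers split-tunnel split_tunnel
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password <group-preshared-key>
```

Two caveats a practitioner would want alongside this. First, "configured at the PIX" only means the policy is stored and pushed from the PIX; the Cisco VPN Client still enforces it on the laptop, so a user with local administrator rights can alter or bypass it, which is exactly Ben's point above. Second, with split tunneling the PIX never sees the traffic that is not tunnelled, so it cannot filter or log it; if you need that visibility, drop the `split-tunnel` line so the client tunnels everything and let the PIX route Internet-bound traffic back out.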
Current thread:
- PIX split tunneling Malte von dem Hagen (Jan 28)
- Re: PIX split tunneling John Adams (Jan 28)
- Re[2]: PIX split tunneling Malte von dem Hagen (Jan 29)
- Re: PIX split tunneling Ben Nagy (Jan 29)
- Re: PIX split tunneling John Adams (Jan 28)