Firewall Wizards mailing list archives
Re: Pix VPN endpoint and split-tunnel
From: Jason Ostrom <justiceguy () pobox com>
Date: Fri, 14 Oct 2005 19:10:22 -0500
If you are using PIX OS 7.0, it does allow hairpinning, which is to forward the packet back out the same interface it was received. And stated another way, yes, it supports non-split tunneling in remote access IPSec environments. See here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet0900aecd80225ae1.html

If you are running PIX OS 6.3.(x), it is a correct statement that you can't hairpin. But it can be done in another way. The only way to do this is to have two outside interfaces on the PIX. One outside interface terminates the remote access IPSec clients, and the other is for the connection to go out to the public network. This works, absolutely. If the IP subnet provided by the ISP is a /28, you can do a /29 on one interface and a /29 on the other.
All the best,
Jason Ostrom

Hughes, Chris wrote:
That's pretty much what I read. I thought they may have provided a fix by now. As for the workarounds, this is for a business partner network and I've already presented them with the "spend" option and they don't want to. Another reply I got here from Simon expressed the possibility that PIX 7.x supports this. (split horizon?) Anybody?

- Chris

-----Original Message-----
From: Paul Melson [mailto:pmelson () gmail com]
Sent: Wednesday, October 12, 2005 10:45 AM
To: Hughes, Chris; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Pix VPN endpoint and split-tunnel

-----Original Message-----
Subject: [fw-wiz] Pix VPN endpoint and split-tunnel

I am trying to configure a cisco pix as a vpn endpoint for the cisco vpn client and would like to force the client to use the corporate network for internet access. I don't want to allow split-tunnel. I can't find any info on how to do this. Is split tunnel the only way to give a vpn client internet access once they are connected?

The short answer is yes. PIX-fu rule #1: the PIX is not a router. It can't take traffic that arrives on one interface and pass it back out that same interface, even when the traffic arrives via VPN tunnel. That said, you can sort of solve this problem by having the clients use a proxy server while connected via full tunnel. There may or may not be an elegant way to automate this for your road warriors, but this would really be independent of anything the PIX or VPN client do. (Think login scripts, Group Policy, etc.)

If it's a big enough issue that you're willing to spend time and resources on it, I would recommend looking at the VPN3K concentrators (or ASA 5500?). They can do exactly what you're asking for, plus they possess a number of other features for managing VPN client users that the PIX doesn't have. (Like dynamic VPN profile assignment via RADIUS.)
PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
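As an added example, not taken from any post in this thread, the following is what the PIX OS 7.0 hairpinning plus full-tunnel arrangement that Jason describes looks like in configuration. The interface name `outside`, the client pool 192.168.100.0/24, and the names `RAVPN` and `RAVPN-POOL` are assumptions chosen for illustration, not values from the thread.

```cisco
! Hypothetical PIX OS 7.0 fragment (added example; interface, pool and group names are assumed)

! Allow traffic that arrived on an interface to be forwarded back out that same
! interface. Without this line the 6.3-era behaviour Paul describes still applies.
same-security-traffic permit intra-interface

! Address pool handed to remote-access IPSec clients (assumed 192.168.100.0/24)
ip local pool RAVPN-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! Client addresses must be translated when they hairpin out to the Internet,
! so NAT them behind the outside interface address.
nat (outside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface

! Full tunnel: every packet from the client goes through the VPN, no split tunnel
group-policy RAVPN internal
group-policy RAVPN attributes
 split-tunnel-policy tunnelall

! Bind the pool and the policy to the remote-access tunnel group
tunnel-group RAVPN type ipsec-ra
tunnel-group RAVPN general-attributes
 address-pool RAVPN-POOL
 default-group-policy RAVPN
```

With `tunnelall` in force, a client's Internet traffic enters and leaves on `outside`, which means it is subject to the same access-list, inspection and logging as any other traffic crossing that interface; that visibility is the main reason to prefer this over letting clients split-tunnel directly to the Internet. On 6.3 the same effect needs the two-outside-interface design Jason describes, because the intra-interface permit does not exist there.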