Firewall Wizards mailing list archives
Re: Pix VPN endpoint and split-tunnel
From: Greg Spath <gkspath () armstrong com>
Date: Mon, 17 Oct 2005 16:31:37 -0400
On Wed, 12 Oct 2005 10:45:10 -0400 "Paul Melson" <pmelson () gmail com> wrote:
-----Original Message-----
Subject: [fw-wiz] Pix VPN endpoint and split-tunnel

I am trying to configure a Cisco PIX as a VPN endpoint for the Cisco VPN client and would like to force the client to use the corporate network for internet access. I don't want to allow split-tunnel. I can't find any info on how to do this. Is split tunnel the only way to give a VPN client internet access once they are connected?

The short answer is yes. PIX-fu rule #1: the PIX is not a router. It can't take traffic that arrives on one interface and pass it back out that same interface, even when the traffic arrives via VPN tunnel. That said, you can sort of solve this problem by having the clients use a proxy server while connected via full tunnel. There may or may not be an elegant way to automate this for your road warriors, but this would really be independent of anything the PIX or VPN client do. (Think login scripts, Group Policy, etc.)
Not being a PIX admin, I didn't want to jump on this thread. I know that the Contivity VPN gateways/clients that we use can be configured to not allow split-tunneling, and assumed PIX could do the same. Anyway, on the subject of login scripts, group policy, etc., here is what I do for my alternate PPP over SSH solution on my Linux laptop. The info may or may not help, but I thought I'd share. Yes, it's pretty basic when you see it, but it took me a while to see this rather obvious solution :)

On VPN Connect:
1) create static route to remote gateway
2) remove default route
3) set new default route to internal server address (VPN endpoint, virtual address), and let that box do my routing.

On Disconnect:
1) restore default gateway to original
2) remove static route to remote gateway

This will route all traffic through your tunnel, but is not really a "split tunnel" because you can still hit your local subnet, and other hosts on that subnet can still reach you. That can be dealt with using firewall rules of some sort; not sure how easy that would be on a Windows PC.
If it's a big enough issue that you're willing to spend time and resources on it, I would recommend looking at the VPN3K concentrators (or ASA 5500?). They can do exactly what you're asking for, plus they possess a number of other features for managing VPN client users that the PIX doesn't have. (Like dynamic VPN profile assignment via RADIUS.)
Agreed there. That is why we use Nortel Contivities for our clients. The Contivity is very good at providing client VPN with 2-factor auth.

Good luck,
-- Greg

--
Greg Spath <gkspath () armstrong com>
Infrastructure Security Analyst
Armstrong World Industries, Inc.
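The route changes Greg lists above (pin the endpoint, swap the default route, undo both on disconnect), packaged as ip-up/ip-down style shell functions. This is an added example, not Greg's own script or anything from the list: the addresses, the interface name and the state-file path are hypothetical placeholders, the commands are printed as an audit trail and only executed when RUN=1, and the lan_lockdown function is one way to address his caveat that the local subnet stays reachable once the routes alone are changed.

```shell
#!/bin/sh
# Added example, not code from the list post: the route changes Greg describes
# for his PPP-over-SSH tunnel, packaged as ip-up/ip-down style shell functions.
# All addresses and the interface name are hypothetical placeholders:
#   orig_gw   - the laptop's default gateway before the tunnel came up
#   remote_gw - public address of the SSH/VPN endpoint (must stay reachable directly)
#   tun_peer  - the endpoint's virtual address inside the tunnel
#   tun_if    - the ppp interface the tunnel came up on
# Commands are printed as an audit trail and executed only when RUN=1.

RUN="${RUN:-0}"
STATE_FILE="${STATE_FILE:-/tmp/vpn-orig-gw}"   # hypothetical path

run() {
    printf '%s\n' "$*"
    if [ "$RUN" = 1 ]; then
        "$@"
    fi
}

# On VPN connect: pin the endpoint to the old gateway, then swing the default route.
vpn_up() {
    orig_gw=$1 remote_gw=$2 tun_peer=$3 tun_if=$4
    # 1) static route to the remote gateway, so the tunnel's own packets
    #    are not routed into the tunnel once the default route moves
    run ip route add "$remote_gw/32" via "$orig_gw"
    # 2) remove the old default route
    run ip route del default via "$orig_gw"
    # 3) new default route points at the endpoint's virtual address
    run ip route add default via "$tun_peer" dev "$tun_if"
    # remember the old gateway so vpn_down can restore it
    printf '%s\n' "$orig_gw" > "$STATE_FILE"
}

# On disconnect: restore the original default gateway, then drop the pinned route.
vpn_down() {
    tun_peer=$1 remote_gw=$2 tun_if=$3
    orig_gw=$(cat "$STATE_FILE")
    # 1) restore default gateway to original
    run ip route del default via "$tun_peer" dev "$tun_if"
    run ip route add default via "$orig_gw"
    # 2) remove static route to remote gateway
    run ip route del "$remote_gw/32" via "$orig_gw"
    rm -f "$STATE_FILE"
}

# Greg's caveat: with only the routes changed, the local subnet is still reachable
# in both directions. These netfilter rules close that off; the tunnel itself is
# unaffected because its packets are addressed to remote_gw, not to the subnet.
# Assumes the filter chains' default policy is ACCEPT.
lan_lockdown() {
    subnet=$1
    # keep DHCP lease renewal working before the subnet is blocked
    run iptables -I INPUT 1 -p udp --sport 67 --dport 68 -j ACCEPT
    run iptables -I OUTPUT 1 -p udp --sport 68 --dport 67 -j ACCEPT
    run iptables -A INPUT -s "$subnet" -j DROP
    run iptables -A OUTPUT -d "$subnet" -j DROP
}

# usage: RUN=1 ./vpn-route.sh up <orig_gw> <remote_gw> <tun_peer> <tun_if>
#        RUN=1 ./vpn-route.sh down <tun_peer> <remote_gw> <tun_if>
#        RUN=1 ./vpn-route.sh lock <subnet/cidr>
case "${1:-}" in
    up)   vpn_up "$2" "$3" "$4" "$5" ;;
    down) vpn_down "$2" "$3" "$4" ;;
    lock) lan_lockdown "$2" ;;
esac
```

Run it once with RUN left at 0 to see exactly which routes it would touch before letting it change a live routing table; the pinned /32 in step 1 is the part that is easy to forget, and without it the SSH session carrying the tunnel is routed into the tunnel itself as soon as the default route moves.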