Firewall Wizards mailing list archives

Re: Pix VPN endpoint and split-tunnel


From: Greg Spath <gkspath () armstrong com>
Date: Mon, 17 Oct 2005 16:31:37 -0400

On Wed, 12 Oct 2005 10:45:10 -0400
"Paul Melson" <pmelson () gmail com> wrote:

-----Original Message-----
Subject: [fw-wiz] Pix VPN endpoint and split-tunnel

I am trying to configure a Cisco PIX as a VPN endpoint for the Cisco VPN
client and would like to force the client to use the corporate network for
internet access.  I don't want to allow split-tunnel.  I can't find any info
on how to do this.  Is split tunnel the only way to give a VPN client internet
access once they are connected?

The short answer is yes.  PIX-fu rule #1: the PIX is not a router.
It can't take traffic that arrives on one interface and pass it back
out that same interface, even when the traffic arrives via VPN
tunnel.  That said, you can sort of solve this problem by having the
clients use a proxy server while connected via full tunnel.  There
may or may not be an elegant way to automate this for your road
warriors, but this would really be independent of anything the PIX or
VPN client do.  (Think login scripts, Group Policy, etc.)

Not being a PIX admin, I didn't want to jump on this thread.  I know
that the contivity VPN gateways/clients that we use can be configured to
not allow split-tunneling, and assumed pix could do the same.

Anyway, on the subject of login scripts, group policy, etc, here is what
I do for my alternate PPP over SSH solution on my linux laptop. The info
may or may not help, but I thought I'd share.  Yes, it's pretty basic
when you see it, but it took me a while to see this rather obvious
solution :)

On VPN Connect:
1) create static route to remote gateway
2) remove default route
3) set new default route to internal server address (VPN endpoint,
virtual address), and let that box do my routing.

On Disconnect:
1) restore default gateway to original
2) remove static route to remote gateway

This will route all traffic through your tunnel, but is not really a
"split tunnel" because you can still hit your local subnet, and other
hosts on that subnet can still reach you. That can be dealt with using
firewall rules of some sort, not sure how easy that would be on a
windows PC.
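As an added example (not Greg's own script and not part of the original post), the connect/disconnect steps above, plus the "firewall rules of some sort" needed to keep the local subnet out while the full tunnel is up, written for a Linux laptop with iproute2 and iptables. Every address, the device names and the VPN_LOCK chain name are constructed placeholders; the script defaults to dry-run mode so it prints the commands it would run instead of changing routes.

```shell
#!/bin/sh
# Added example, not code from the original post: scripts the connect and
# disconnect steps above for a Linux laptop, plus the "firewall rules of some
# sort" that keep the local subnet out while the full tunnel is up.
# Assumptions: iproute2 ("ip") and iptables are present, the tunnel is a
# point-to-point device such as ppp0, and all addresses, device names and the
# VPN_LOCK chain name are constructed placeholders (RFC 5737 ranges).
# DRY_RUN=1 (the default) prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"
STATE_FILE="${STATE_FILE:-/tmp/vpn-route-state}"

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Pull "<gateway> <device>" out of an "ip -4 route show default" line such as
#   default via 192.0.2.1 dev eth0 proto dhcp metric 100
# Exit status 1 when no usable default route is present.
parse_default_gw() {
    echo "$1" | awk '
        $1 == "default" {
            for (i = 1; i <= NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            if (gw != "" && dev != "") { print gw, dev; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Connect. $1 = remote VPN gateway (where the SSH/PPP session goes),
# $2 = VPN endpoint's tunnel-side address (the new default gateway),
# $3 = tunnel device, $4 (optional) = default-route line to use instead of
# querying the kernel, so the function can be exercised without root.
vpn_up() {
    remote_gw="$1"; vpn_peer="$2"; tun_dev="$3"
    route_line="${4:-$(ip -4 route show default 2>/dev/null)}"
    orig=$(parse_default_gw "$route_line") || return 1
    orig_gw=${orig% *}; orig_dev=${orig#* }
    # Save the pre-VPN gateway so vpn_down can restore it.
    [ "$DRY_RUN" = 1 ] || echo "$orig_gw $orig_dev $remote_gw" > "$STATE_FILE"
    # 1) host route to the remote gateway via the original gateway, so the
    #    encrypted session itself is never routed into its own tunnel.
    run ip route add "$remote_gw/32" via "$orig_gw" dev "$orig_dev"
    # 2) remove the old default route.
    run ip route del default via "$orig_gw" dev "$orig_dev"
    # 3) send everything else to the VPN endpoint's virtual address.
    run ip route add default via "$vpn_peer" dev "$tun_dev"
}

# Disconnect. Reads the saved state, or takes it as arguments in dry-run mode
# ($1 = original gateway, $2 = original device, $3 = remote gateway).
vpn_down() {
    if [ -n "$1" ]; then
        orig_gw="$1"; orig_dev="$2"; remote_gw="$3"
    else
        read -r orig_gw orig_dev remote_gw < "$STATE_FILE" || return 1
    fi
    # 1) restore the original default gateway ("replace" also covers the case
    #    where the tunnel's default route vanished when ppp0 went down).
    run ip route replace default via "$orig_gw" dev "$orig_dev"
    # 2) drop the host route to the remote gateway.
    run ip route del "$remote_gw/32" via "$orig_gw" dev "$orig_dev"
}

# LAN lockdown for the full-tunnel caveat: on the physical interface, allow
# only the encrypted session to/from the remote gateway and DHCP lease
# traffic; drop all other IP traffic in either direction. (ARP is not
# filtered by iptables, so neighbours still see the host at layer 2.)
lan_lockdown() {
    dev="$1"; remote_gw="$2"
    run iptables -N VPN_LOCK
    run iptables -A VPN_LOCK -d "$remote_gw" -j RETURN
    run iptables -A VPN_LOCK -s "$remote_gw" -j RETURN
    run iptables -A VPN_LOCK -p udp --sport 67:68 --dport 67:68 -j RETURN
    run iptables -A VPN_LOCK -j DROP
    run iptables -I INPUT -i "$dev" -j VPN_LOCK
    run iptables -I OUTPUT -o "$dev" -j VPN_LOCK
}

# Undo lan_lockdown on disconnect.
lan_unlock() {
    dev="$1"
    run iptables -D INPUT -i "$dev" -j VPN_LOCK
    run iptables -D OUTPUT -o "$dev" -j VPN_LOCK
    run iptables -F VPN_LOCK
    run iptables -X VPN_LOCK
}
```

Typical use from a pppd ip-up hook would be `DRY_RUN=0 vpn_up <remote gw> <tunnel peer> ppp0` followed by `lan_lockdown eth0 <remote gw>`, and the reverse pair from ip-down. The host route in step 1 is the part that is easy to forget: without it, removing the default route strands the SSH session that carries the tunnel, and the tunnel collapses the moment step 3 takes effect.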


If it's a big enough issue that you're willing to spend time and
resources on it, I would recommend looking at the VPN3K concentrators
(or ASA 5500?). They can do exactly what you're asking for, plus they
possess a number of other features for managing VPN client users that
the PIX doesn't have. (Like dynamic VPN profile assignment via
RADIUS.)

Agreed there.  That is why we use Nortel contivities for our clients.
The contivity is very good at providing client VPN with 2 factor auth.

Good luck,

-- Greg

-- 
Greg Spath <gkspath () armstrong com>
Infrastructure Security Analyst
Armstrong World Industries, Inc.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
