
List:       firewall-wizards
Subject:    Re[2]: [fw-wiz] PIX split tunneling
From:       Malte von dem Hagen <DocValde () gmx ! de>
Date:       2003-01-29 10:49:57

Hello John Adams,
on Wednesday, 29 January 2003 at 04:28:33 you wrote:

> On Wed, 29 Jan 2003, Malte von dem Hagen wrote:

>> Hi there,
>> 
>> what we want to set up is a VPN from Cisco VPN Client to a Cisco PIX 525
>> including split tunneling, in order to split up the outgoing client
>> traffic - the packets destined for the secured network via the VPN
>> tunnel, all the others through the default gateway. This should be
>> configured at the PIX and not at the VPN client in order to prevent user
>> manipulation of these things.

> Do you -really- want to have split tunnelling enabled? It's a bad idea.

Yes, we want it! :-)

> If someone runs the Cisco VPN client and the machine is penetrated from
> another user on the Internet, you've now given the cracker direct access
> to your network.

I should have mentioned it: The client PCs are not on the internet. All
of that takes place in our internal network. The PIX secures a zone of
special interest. We have split tunneling in mind because of performance
issues: There is not so much traffic to that secured zone, but a lot to
the rest of the corporate network. Further, the clients still need their
"normal" IP address in order to pass some ACLs elsewhere in our internal
network. So, with VPN without split tunneling, the PIX would have to do
furious NATing!?

> Also, split tunneling is configured in the VPN client, not on the Pix
> itself. You configure it, and then lock down the configuration so your 
> users cannot modify the configuration. 

Hm, that's how I read it everywhere, too, but isn't there a possibility
to push the configuration from the PIX to the client during connection
setup?

Thanks & regards,

-Malte

-- 
Malte von dem Hagen

DocValde@gmx.de
http://www.docvalde.net/

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
