Split Tunnel Question

We have a PIX 515 where users connect via VPN Client to access the LAN in our home office. It works just fine. We (Admins) have never wanted to let users have access to their local LAN while connected to the home office. We were able to convince management this was the right way to do things....until now.

It seems users need to access their local LAN while connected via VPN Client and according to new management it is HIGH PRIORITY. FIX IT!

It's not broke, we say... whatever, we lost.

I have tried these changes:

access-list vpnlist permit ip 10.1.1.0 255.255.255.0 any
vpngroup vpn3000 split-tunnel vpnlist

Where 10.1.1.x is the LAN at my house.

I successfully connect to the PIX with VPN Client and have access to my local LAN but no access to the office LAN.

What am I doing wrong?

More info:

The PIX hands out to VPN Clients IPs that are on the same network as the home office network. Does this complicate matters?

Thanks,

P.

Reply to
nt_pete

The access-list for a split-tunnel needs to be written as if the source is the traffic on the PIX side, and the destination is the PC side.

Yes: it only works if the PIX proxy-arps those IPs on the inside network and has a host-specific route sending them out the interface the VPN is connected to. proxy-arp is unreliable, and proper construction of that host-specific route is too. It is usually much easier to put the VPN client addresses into a different IP range and then it all happens naturally by normal routing.

Reply to
Walter Roberson

Walter,

Thanks for the quick reply. So it looks like I need to:

  1. Create a new VPN group
  2. Make sure the new group receives a different network from the home office
  3. New group should use home DNS/WINS
  4. Create the access list for the home network
  5. Include the split tunnel command for the new VPN group.

Anything else?

Thanks again,

P.

Reply to
nt_pete

That's probably for the best. Don't give the split tunnel to people who don't need it.

Is there a good reason that they need to use the home DNS? Your HQ is probably better protected against DNS poisoning and such. But more so, those users are probably going to expect to resolve your internal hostnames, which you probably shouldn't publish to the outside world, so you probably want them to resolve through the HQ DNS.

Similarly, you probably need to use the HQ WINS: if you need WINS at all in your network then your users are going to expect to be talking to your inside devices, which had better not work if they are using an external WINS.

Reply to
Walter Roberson

Wouldn't you also need to add nonat between the internal networks and the VPN Client pool?

Regards

Darren

Reply to
Darren Green

This is still not working. These are the changes:

access-list vpnlist permit ip 10.1.1.0 255.255.255.0 10.31.79.0 255.255.255.0
vpngroup test split-tunnel vpnlist
vpngroup test address-pool newpool
vpngroup test default-domain bubba.ws
vpngroup test idle-time 1800
vpngroup test password curveball
ip local pool newpool 10.100.100.240-10.100.100.250

Where 10.1.1.x is the main office LAN and 10.31.79.x is the users home LAN.

I connect but no traffic goes into the main office LAN. The client has no default gateway assigned for the DHCP-assigned (10.100.100.x) IP address.

What's wrong?

Reply to
nt_pete

You are using vpngroup with an 'address-pool' clause, so the link is assigned an ip in the newpool range. The destination part of your vpnlist split tunnel should reflect that range; also, as was raised by the other poster, you should make sure that your nat (inside) 0 access-list has a line the same as your vpnlist line. [Don't reuse access-lists, though: copy the line.]

Reply to
Walter Roberson
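The following PIX 6.x fragment assembles the advice from this thread into one place: a client pool in its own range, a split-tunnel ACL written with the PIX-side network as the source and the pool as the destination, a separate but identical line for nat 0, and HQ DNS/WINS pushed to the client. This is an added example, not the configuration the original poster ran or anything from Cisco's documentation. The group name, pool range and domain follow the thread; the ACL names, the DNS/WINS address 10.1.1.5 and the pre-shared key placeholder are assumptions. The isakmp, transform-set and crypto map lines, which were already working in the thread, are omitted and unchanged.

```cisco
! Added example, not the poster's config. Assumed layout:
!   inside LAN        10.1.1.0/24
!   VPN client pool   10.100.100.240-250 (a range NOT used on the inside LAN)
!   HQ DNS/WINS       10.1.1.5 (assumed address)

! 1. Client pool in its own range, so the PIX routes to it normally and
!    no proxy-arp or host-specific routes are needed on the inside network.
ip local pool newpool 10.100.100.240-10.100.100.250

! 2. Split-tunnel ACL: source = the network on the PIX side the client must
!    reach through the tunnel, destination = the client pool.
!    The user's home LAN is deliberately absent; it stays local on its own.
access-list split-test permit ip 10.1.1.0 255.255.255.0 10.100.100.0 255.255.255.0

! 3. Exempt inside<->pool traffic from NAT. Same line as the split-tunnel
!    ACL, but in its own access-list rather than reusing split-test.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.100.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! 4. A separate group for the users who actually need split tunneling;
!    everyone else stays on the original full-tunnel group.
vpngroup test address-pool newpool
vpngroup test dns-server 10.1.1.5
vpngroup test wins-server 10.1.1.5
vpngroup test default-domain bubba.ws
vpngroup test split-tunnel split-test
vpngroup test idle-time 1800
vpngroup test password <group-preshared-key>

! 5. Let decrypted IPsec traffic bypass the interface ACLs
!    (normally already present on a working VPN Client setup).
sysopt connection permit-ipsec
```

With this in place the client receives 10.1.1.0/24 as the only secured network: traffic for the office LAN enters the tunnel, and everything else, including the user's home LAN and the Internet, leaves the PC directly. A quick check from the client is `route print` (Windows): the pushed 10.1.1.0 entry should point at the VPN adapter's 10.100.100.x address, while the default route still points at the local gateway.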

OK. That did it. Many thanks, especially to Walter.

I will try and argue our point to management that this is unwanted behavior. Anyone know where I might find a list of good reasons why split-tunnel is a bad idea?

Again Thank you for all the help. I appreciate it very much.

P.

Reply to
nt_pete

For every split tunnel you allow, you have punched a wide open hole in your firewall policy; you might as well just add a permit ip any any to it. Your edge is no longer protected by the corporate firewall systems and is now reliant on the security that the end user has, if any, at their home, Starbucks, any wifi zone, etc. VERY bad policy to allow split tunneling.

Reply to
Brian V

OK. I want to understand this.

Are we saying that the traffic to and from the VPN client from users home/remote/starbucks etc. LAN is going unencrypted to the main office? In other words plain text over the Internet?

Thanks,

P.

Reply to
nt_pete

Not at all, it's got nothing to do with encryption, clear text... nothing like that at all.

1. You have your Internet at your corp; your internals are protected by your firewall.
2. No one from the Internet can get in to your corp LAN because of that firewall.
3. You punch a couple of holes in the firewall to allow VPN users to connect. Still secure: username/password/certificate/whatever protected.
4. A user without split tunnel connects to your systems. His local Internet connection is essentially terminated because your VPN policy says, hey, you can only talk to me, no one else; all traffic must be sent to me and all traffic you receive will be from me. Still secure.
5. You allow a user to connect with a split tunnel policy. Your VPN system says, hey, only send me the traffic destined for me; all other traffic, use your local Internet connection. What this does is let Joe Hacker come in through the Internet on to that user's PC, and bang, he's got a pipe right in to your corporate infrastructure.
Reply to
Brian V

Brian,

Thanks for the explanation. That is sure enough worrisome by itself. I guess we will need to write a contract that says home users who use the corporate VPN MUST have a firewall/antivirus/spyware on their home PCs and if there is a breach for lack of having said software THEY ARE RESPONSIBLE. They sign it and their manager signs it.

Can't really do much else I guess.

Gracias,

P.

Reply to
nt_pete

I never caught the beginning of this thread.... Is there a business need that you need to give them split-tunneling? If not, tough cookies for the end user. IMHO split-tunneling should never be allowed. I discourage all of my customers from using it. If there is a need for Internet access while VPN'd, I push the customer to buy a concentrator which will route the traffic while still securing the edge. The concentrators are a very cheap way of maintaining that security on the edge. List price on a 3005 is 2995.00. I have also heard a rumor that you can do this with PIX 7 by using the same-interface commands. I have not had the time to test this yet, so I'm not sure if it works, but it's definitely worth looking in to though.

-Brian

Reply to
Brian V

Hi Brian,

The only business need is convenience (printing, shares, etc.). The other thing going on is management's misunderstanding that something must be BROKE if they can't access both LANs while connected to the PIX via VPN Client. I have worked with concentrators at other jobs and they are great, I agree, but this company is private so getting them to spend on security is a waste of time. In fact they see the whole IT department as a black hole. If they had their way we'd still be on Windows 98 with Windows 3.1.

Cheers,

P.

Reply to
nt_pete