[VPN] Re: PIX and Split Tunnelling
john at dndlabs.net
Wed Dec 18 16:37:58 EST 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'm not 100% sure about the options for VPN client on the PIX, but on
our CSVPN 3030 concentrator I can create a network list and then for
a specific group force everything across the tunnel and also allow
connectivity to this network list outside of the tunnel. Of course
this is the definition of split-tunneling. In this case the network
list would be a single address such as 192.168.1.10/0.0.0.0 (wildcard
masking used on concentrators) and that would be the ISP's address
that sends the heartbeat packets. Although I don't think you can
specify a port with this network list. I'm not sure if these options
are equally available when configuring the PIX for VPN clients.
Sorry if I've restated things U already know.
Cisco has documented this with BugID# : CSCdx04842. They state
split-tunneling is the only solution to this problem.
-John
----- Original Message -----
From: "John Spanos" <john.spanos at adacel.com>
To: <vpn at lists.shmoo.com>
Sent: Monday, December 16, 2002 10:49 PM
Subject: [VPN] Re: PIX and Split Tunnelling
> Hi Folks,
> I have a question relating specifically to Cisco PIX and
> split tunnelling. I have a situation where a lot of our VPN users
> have a cable connection with the largest national ISP. This ISP
> however uses a 'heartbeat' technique to monitor all cable
> connections. What this means is that the machine with the Cable
> connection sends heartbeats to the State's Heartbeat Server saying
> 'I am still here, don't kill or free up my
> connection'.
>
> What I need to do is allow a split tunnel ONLY to a specific
> machine on a specific port. It appears that I can only send the
> networks to be protected by IPSec, with all addresses not in this
> ACL (using permit statements) going out in the clear. I cannot
> have this as it is against our current security policy. The only
> workaround I have is to use the old Safe Net Client which pushes
> policy, unlike the new client which pulls policy from the PIX. I
> would ideally like to have all users using the latest client for
> both security and ease of support. If anyone has an alternative
> solution I'd love to hear from them.
>
> Thanks.
>
> John Spanos.
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBPgDqs0lX08b6bPOuEQK13gCfV8EQzxdzuMpJQX8wwM1M0jmnqnAAoKli
5cdRQKNagxYb1l2/LgqPUEFY
=tUza
-----END PGP SIGNATURE-----
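The two posts above describe two split-tunnel policies: the concentrator's "tunnel everything, but let this network list out in the clear", and the PIX's "protect the networks in the ACL, everything else goes out in the clear". The following Python model is an added example, not code from either message or from Cisco; it implements Cisco-style wildcard matching (a 0 bit in the mask means "must match", so 192.168.1.10/0.0.0.0 is exactly one host), applies both modes to a constructed set of client flows, and lists what each policy sends outside the tunnel. The heartbeat port, the 10.0.0.0/16 corporate range and the sample destinations are assumptions for illustration; the model also shows John's caveat that a network list cannot express a port, so every port to the listed host leaves the tunnel.

```python
# Added example, not from the mailing-list thread: a model of how a split-tunnel
# policy decides which flows leave the tunnel, using Cisco-style wildcard masks
# (0 bits must match) as the concentrator network list in the thread does.
import ipaddress
from typing import List, Tuple

NetworkList = List[Tuple[str, str]]   # (address, wildcard) pairs
Flow = Tuple[str, int]                # (destination IP, destination port)

# Modes discussed in the thread:
#   TUNNEL_ALL_EXCEPT_LIST - concentrator: everything through the tunnel,
#                            only the network list may go out in the clear
#   TUNNEL_ONLY_LIST       - PIX split-tunnel ACL: permitted networks are
#                            protected, everything else goes out in the clear
TUNNEL_ALL_EXCEPT_LIST = "tunnel_all_except_list"
TUNNEL_ONLY_LIST = "tunnel_only_list"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard means 'must match',
    a 1 bit means 'don't care'. 0.0.0.0 therefore matches exactly one host."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def in_network_list(addr: str, network_list: NetworkList) -> bool:
    return any(wildcard_match(addr, net, wc) for net, wc in network_list)


def route_decision(dst: str, mode: str, network_list: NetworkList) -> str:
    """Return 'tunnel' or 'clear' for a destination under the given mode.
    Only the destination address is consulted: like the network list in the
    thread, this policy cannot express a port."""
    listed = in_network_list(dst, network_list)
    if mode == TUNNEL_ALL_EXCEPT_LIST:
        return "clear" if listed else "tunnel"
    if mode == TUNNEL_ONLY_LIST:
        return "tunnel" if listed else "clear"
    raise ValueError(f"unknown mode {mode!r}")


def clear_text_flows(flows: List[Flow], mode: str, network_list: NetworkList) -> List[Flow]:
    """The flows a policy reviewer cares about: those sent outside the tunnel."""
    return [f for f in flows if route_decision(f[0], mode, network_list) == "clear"]


# Constructed sample traffic from one VPN client (addresses and ports are made up):
HEARTBEAT_HOST = "192.168.1.10"          # the ISP heartbeat server from the thread
SAMPLE_FLOWS: List[Flow] = [
    (HEARTBEAT_HOST, 5050),              # the heartbeat itself (port is an assumption)
    (HEARTBEAT_HOST, 80),                # any other traffic to the same host
    ("203.0.113.5", 443),                # some Internet web server
    ("10.0.0.5", 445),                   # a corporate file server behind the VPN
]

# Concentrator-style list from the thread: one host, wildcard 0.0.0.0
HEARTBEAT_LIST: NetworkList = [(HEARTBEAT_HOST, "0.0.0.0")]
# PIX-style split-tunnel ACL protecting a constructed corporate 10.0.0.0/16
CORPORATE_ACL: NetworkList = [("10.0.0.0", "0.0.255.255")]

if __name__ == "__main__":
    for mode, nl in ((TUNNEL_ALL_EXCEPT_LIST, HEARTBEAT_LIST),
                     (TUNNEL_ONLY_LIST, CORPORATE_ACL)):
        print(f"{mode}: in the clear -> {clear_text_flows(SAMPLE_FLOWS, mode, nl)}")
```

Run as a script, the first mode leaves only the two flows to 192.168.1.10 in the clear (the heartbeat and everything else to that host, since the list has no port), while the PIX-style mode also sends the unrelated web request outside the tunnel, which is the policy violation the original question describes.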