[VPN] Re: PIX and Split Tunnelling

john at dndlabs.net john at dndlabs.net
Wed Dec 18 16:37:58 EST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm not 100% sure about the options for VPN client on the PIX, but on
our CSVPN 3030 concentrator I can create a network list and then for
a specific group force everything across the tunnel and also allow
connectivity to this network list outside of the tunnel.  Of course
this is the definition of split-tunneling.  In this case the network
list would be a single address such as 192.168.1.10/0.0.0.0 (wildcard
masking used on concentrators) and that would be the ISP's address
that sends the heartbeat packets.  Although I don't think you can
specify a port with this network list.  I'm not sure if these options
are equally available when configuring the PIX for VPN clients. 
Sorry if I've restated things U already know.

Cisco has documented this with BugID# : CSCdx04842.  They state
split-tunneling is the only solution to this problem.

- -John

- ----- Original Message ----- 
From: "John Spanos" <john.spanos at adacel.com>
To: <vpn at lists.shmoo.com>
Sent: Monday, December 16, 2002 10:49 PM
Subject: [VPN] Re: PIX and Split Tunnelling


> Hi Folks,
>          I have a question relating specifically to Cisco PIX and
> split tunnelling.  I have a situation where a lot of our VPN users
> have a cable connection with the largest national ISP.  This ISP
> however uses a 'heartbeat' technique to monitor all cable
> connections.  What this means is that the machine with the Cable
> connection sends heartbeats to the State's Heartbeat Server saying
> 'I am still here, don't kill or free up my
> connection'.
> 
> What I need to do is allow a split tunnel ONLY to a specific
> machine on a specific port.  It appears that I can only send the
> networks to be protected by IPSec, with all addresses not in this
> ACL (using permit statements) going out in the clear.  I cannot
> have this as it is against our current security policy.  The only
> workaround I have is to use the old Safe Net Client which pushes
> policy, unlike the new client which pulls policy from the PIX.  I
> would ideally like to have all users using the latest client for
> both security and ease of support.  If anyone has an alternative
> solution I'd love to hear from them.
> 
> Thanks.
> 
> John Spanos.
> 
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPgDqs0lX08b6bPOuEQK13gCfV8EQzxdzuMpJQX8wwM1M0jmnqnAAoKli
5cdRQKNagxYb1l2/LgqPUEFY
=tUza
-----END PGP SIGNATURE-----
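The two behaviours discussed in this thread can be checked side by side: the concentrator's "tunnel everything, but let the networks in the list bypass the tunnel" policy, which John describes for the 192.168.1.10/0.0.0.0 heartbeat host, versus the PIX-style "only tunnel the networks in the list" policy that John Spanos says sends everything else in the clear. The following Python is an added example, not code from either post or from Cisco; the policy names, the 10.0.0.0/8 corporate range and the 203.0.113.5 Internet host are constructed assumptions, and, like the concentrator's network list, the match is on address only, so no port can be expressed.

```python
import ipaddress

# Split-tunneling policies as the thread describes them. These names are the
# example's own, not Cisco CLI keywords. The PIX 6.x behaviour in the original
# question ("networks in the ACL are protected, the rest goes in the clear")
# corresponds to TUNNEL_LIST_ONLY; John's concentrator setup is BYPASS_LIST.
TUNNEL_EVERYTHING = "tunnel_everything"
BYPASS_LIST = "bypass_list"            # tunnel all, except networks in the list
TUNNEL_LIST_ONLY = "tunnel_list_only"  # tunnel listed networks, rest in clear


def wildcard_to_network(entry: str) -> ipaddress.IPv4Network:
    """Convert a concentrator-style 'addr/wildcard' list entry to a network.

    Concentrator network lists use wildcard masks (0 bits must match), so
    192.168.1.10/0.0.0.0 is a single host and 10.0.0.0/0.255.255.255 is a /8.
    The wildcard is inverted explicitly: handing "0.0.0.0" straight to
    ipaddress would be read as a /0 netmask, i.e. "everything", not one host.
    """
    addr, wildcard = entry.split("/")
    wildcard_int = int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address((~wildcard_int) & 0xFFFFFFFF))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def is_tunneled(policy: str, network_list, dst_ip: str) -> bool:
    """Return True if client traffic to dst_ip is sent through the IPsec tunnel."""
    dst = ipaddress.IPv4Address(dst_ip)
    in_list = any(dst in wildcard_to_network(e) for e in network_list)
    if policy == TUNNEL_EVERYTHING:
        return True
    if policy == BYPASS_LIST:
        return not in_list
    if policy == TUNNEL_LIST_ONLY:
        return in_list
    raise ValueError(f"unknown split-tunnel policy {policy!r}")


def clear_text_destinations(policy: str, network_list, destinations):
    """Destinations the client would reach outside the tunnel under this policy."""
    return [d for d in destinations if not is_tunneled(policy, network_list, d)]


# Constructed sample: the ISP heartbeat host from the thread, one corporate
# address inside an assumed 10.0.0.0/8, and an arbitrary Internet host.
HEARTBEAT_HOST = "192.168.1.10"
SAMPLE_DESTINATIONS = ["10.1.2.3", HEARTBEAT_HOST, "203.0.113.5"]


def compare_policies():
    """Show what leaks in the clear under each of the two configurations."""
    bypass_list = [f"{HEARTBEAT_HOST}/0.0.0.0"]          # concentrator style
    protected_list = ["10.0.0.0/0.255.255.255"]          # PIX-style ACL
    return {
        BYPASS_LIST: clear_text_destinations(BYPASS_LIST, bypass_list,
                                             SAMPLE_DESTINATIONS),
        TUNNEL_LIST_ONLY: clear_text_destinations(TUNNEL_LIST_ONLY, protected_list,
                                                  SAMPLE_DESTINATIONS),
    }


if __name__ == "__main__":
    for policy, in_clear in compare_policies().items():
        print(f"{policy}: sent in the clear -> {in_clear}")
```

Under the bypass-list policy only the heartbeat host leaves the tunnel; under the tunnel-list-only policy every destination outside the corporate range does, which is exactly the policy violation the original question is trying to avoid.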
