Pix and split tunnel

Hi All,

The higher ups want to be able to access the internet while on vpn. i have warned of the security risks and such, but we all know how politics go! I am pretty sure my only option is split tunnel. I have a question on the syntax. This is how I assume it needs to entered:

access-list split_tunnel permit ip protected_network protected_subnet vpnclient_network vpnclient_subnet

My inside interface for the pix is on the 192.168.xx.0 network. My vpn address pool is also on this network, assuming this would the following be correct?

access-list split_tunnel permit ip 192.168.xx.0 255.255.255.0
192.168.xx.0 255.255.255.0

Thanks

susetechie,

One thing which is not clear to me: Do your clients connect to your Pix (terminate their VPN on it) from the Internet, or are they on the local LAN and simply want to access the Internet from there?

e.g

LAN

---

PIX===Internet=====VPN CLient

or

LAN/VPN Clients

---

PIX====Internet====PIX

Cheers,

Chris,

Thanks for replying. These are vpn users from home. so they are at home with cable modems/dsl modems and such. they are not on the local lan.

Thanks

In my humble opinion the following configuration should be made on the VPN server,


access-list VPNgroupname_splitTunnelAcl permit ip 192.168.0.0 255.255.0.0 any
vpngroup VPNgroupname split-tunnel VPNgroupname_splitTunnelAcl

Also the VPN client has to be configured to allow local LAN access.

This should help them connect to the internet.

Thanx.

Hello All...

I've got to throw my two cents in on this one...

I've never been a fan of split tunneling - especially when it comes to higher ups. About 99.99997% (look - something that actually qualifies as Six Sigma!) of 'higher-ups' are clueless when it comes to security of their laptops, files, home networks, etc. Many of them have kids who are at a minimum cocky script-kiddies... so they are constantly playing around in things they have no clue about (viruses, etc.), essentially raising the risk to the corporate asset.

When split tunneling is permitted, the asset is at risk from the local network/internet connection. With split tunnel disabled, while the asset is VPN'ed into corporate, the asset is not accessible from the local network it is on.

Real attackers (as opposed to the higher-up's kids), know that split tunneling is still being used by companies, and will attempt to penetrate the wireless network of said higher-up and compromise the corporate asset and get to documents stored locally on that asset (since we know higher-ups have no clue about server storage and shared drives).

While it is true that the higher-up will not be using his/her local internet connection directly for browsing non-corporate sites with split tunneling disabled, it is possible (and becoming very common) for companies to let their VPN users browse the web via the VPN tunnel (something I have been doing for a very long time now).

When split tunneling is off, all traffic to and from the vpn device must go through the tunnel - no matter what destination IP address. At the VPN head-end, whether it be a PIX, or a dedicated VPN concentrator like the Cisco VPN 3000 series, you route the internet based traffic out of the corporate internet connection, just like any other internally connected user. Advantage: You can now enforce your corporate browsing polcies/logging/filtering against VPN'ed users too!

What stinks for the vpn'ed users (and the complaint I hear the most) is that they can't print to their local network printer. My response? Boo-hoo! Thank God for USB!

Of course, if the user is not VPN'ed in, but they leave their PC turned on, it is obviously attackable - that's when personal firewalls and the like are useful.

Anyway - my 2 cents...

tGc

I would totally agree with you TGC. This is my deal though. The interface that accepts the vpn connection is also the interface that leads to the internet router. Pix will not allow something to come in one interface and back out the same way correct? or am i totally off base with this.