From: P729 (p729@xxxxxxx)
Date: Sat Jun 29 2002 - 16:39:53 GMT-3
Michael,
You're right. An ACL referenced by the 'vpngroup split-tunnel' command in
the PIX that Brett mentions specifies the routing policy that is pushed to
the client. The policy specifies what is sent encrypted to the PIX, while
all other traffic leaves the client normally (this is reflected by the
client's routing table after the connection is made).
What's odd about the ACL is, you need to specify it in such a way that it
seems like you're specifying the return traffic to the client, in other
words, from the target internal network(s) to the VPN client pool
address(es).
Chris,
The PIX still does not, as you said, route packets out the same interface
they came in on. I would imagine it will never support redirects for similar
reasons.
Brett,
You may be resigned to allowing your VPN clients to terminate directly onto
your remote site or implementing some sort of router/VPN-on-a-stick on the
inside of the PIX.
Regards,
Mas Kato
https://ecardfile.com/id/mkato
----- Original Message -----
From: "Michael Popovich" <m.popovich@mchsi.com>
To: <blewis@btconnect.com>; "'Larson, Chris (Contractor)'"
<Chris.Larson@ed.gov>; <ccielab@groupstudy.com>
Sent: Saturday, June 29, 2002 12:30 AM
Subject: RE: PIX to VPN 3000 Client Configuration
> It is my understanding that split-tunneling allows you to specify what
> traffic to encrypt and what traffic not to encrypt. That way web traffic
> never goes across the tunnel and uses the remote user's Internet
> connection instead of the VPN. The PIX doesn't actually do any
> redirection here, I don't think.
>
> MP
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> blewis@btconnect.com
> Sent: Thursday, June 27, 2002 12:55 PM
> To: Larson, Chris (Contractor); 'blewis@btconnect.com';
> 'ccielab@groupstudy.com'
> Subject: RE: PIX to VPN 3000 Client Configuration
>
> There is a command you can use to split the tunnel
> under the vpn group configuration. This allows you to
> terminate the vpn then redirect web traffic back out of
> the interface. I wonder if this will act in the same way
> when redirecting back over a vpn connection?
>
> Brett
>
> ---- original message ----
>
> >
> >If I understand you correctly you are trying to get the PIX to redirect a
> >VPN connection out the same interface it came in on. From my experience you
> >cannot do this unless you terminate the VPN inside the PIX and get it routed
> >back out through the PIX. This was some time ago.
> >
> >
> >-----Original Message-----
> >From: blewis@btconnect.com [mailto:blewis@btconnect.com]
> >Sent: Wednesday, June 26, 2002 1:23 PM
> >To: 'ccielab@groupstudy.com'
> >Subject: PIX to VPN 3000 Client Configuration
> >
> >
> >Hi Group,
> >
> >I have an interesting problem with a pix that is
> >configured to accept a VPN connection from a remote
> >site and from the VPN 3000 client. I cannot get to the
> >remote site from a VPN client that is connected to the
> >PIX. I can access everything on the LAN interface on the
> >PIX but nothing on the remote network.
> >
> >I have been told by somebody that you cannot go in
> >and out on the same PIX interface, is this true? If not I
> >will post the configuration files for you guys to have a
> >browse through.
> >
> >Many Thanks
> >
> >Brett Lewis
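To make the direction of the split-tunnel ACL that Mas Kato describes concrete, here is a PIX 6.x configuration fragment added as an illustration; it is not taken from any of the posts in this thread, and the group name, client pool, inside network and pre-shared key are all invented.

```text
: Constructed PIX 6.x example (not from the thread). Assumed addressing:
:   inside LAN        10.1.1.0/24
:   VPN client pool   192.168.100.0/24
: Addresses handed to VPN 3000 clients when they connect
ip local pool vpnpool 192.168.100.1-192.168.100.254

: Split-tunnel ACL. Note the direction: the source is the INTERNAL network
: and the destination is the CLIENT pool, so it reads like return traffic to
: the client. The PIX pushes this policy to the client, which then encrypts
: only traffic for 10.1.1.0/24 into the tunnel; everything else (web browsing)
: leaves the client's own Internet connection unencrypted.
access-list split_tunnel permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0

: Adding a second line here naming the remote site's LAN would make the client
: send that traffic into the tunnel, but the PIX will not forward it back out
: the outside interface it arrived on, which is exactly the problem discussed
: above; that traffic still needs one of the workarounds mentioned in the thread.

: Exempt inside-to-client traffic from NAT; same direction as the ACL above
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

: vpngroup definition; group name and key are placeholders
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers split-tunnel split_tunnel
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password <group-preshared-key>

: Let decrypted IPsec traffic bypass the interface ACLs on the PIX
sysopt connection permit-ipsec
```

After a client connects, its routing table should show only 10.1.1.0/24 pointing into the tunnel, which is the quickest way to confirm the ACL was written in the right direction.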
This archive was generated by hypermail 2.1.4 : Tue Jul 02 2002 - 08:12:44 GMT-3