Thursday, October 20, 2005

firewall-wizards digest, Vol 1 #1684 - 2 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: Pix VPN endpoint and split-tunnel (Jason Ostrom)
2. Re: Pix VPN endpoint and split-tunnel (Paul Pershing)

--__--__--

Message: 1
Date: Fri, 14 Oct 2005 19:10:22 -0500
From: Jason Ostrom <justiceguy@pobox.com>
To: "Hughes, Chris" <Chris.Hughes@thalescomminc.com>
Cc: Paul Melson <pmelson@gmail.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Pix VPN endpoint and split-tunnel

If you are using PIX OS 7.0, it does allow hairpinning, which is to
forward the packet back out the same interface it was received. And
stated another way, yes, it supports non-split tunneling in remote
access IPSec environments. See here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet0900aecd80225ae1.html

If you are running PIX OS 6.3.(x), it is a correct statement that you
can't hairpin. But it can be done in another way. The only way to
do this is to have two outside interfaces on the PIX. One Outside
interface terminates the remote access IPSec clients, and the other is
for the connection to go out to the public network. This works, absolutely.
If the IP subnet provided by the ISP is a /28, you can do a /29 on one
interface and /29 on the other.

All the best,
Jason Ostrom

Hughes, Chris wrote:

>That's pretty much what I read. I thought they may have provided a fix
>by now. As for the workarounds, this is for a business partner network
>and I've already presented them with the "spend" option and they don't
>want to.
>
>Another reply I got here from Simon expressed the possibility that PIX
>7.x supports this. (split horizon?)
>
>Anybody?
>
>- Chris
>
>
>-----Original Message-----
>From: Paul Melson [mailto:pmelson@gmail.com]
>Sent: Wednesday, October 12, 2005 10:45 AM
>To: Hughes, Chris; firewall-wizards@honor.icsalabs.com
>Subject: RE: [fw-wiz] Pix VPN endpoint and split-tunnel
>
>-----Original Message-----
>Subject: [fw-wiz] Pix VPN endpoint and split-tunnel
>
>>I am trying to configure a cisco pix as a vpn endpoint for the cisco vpn
>>client and would like to force the client to use the corporate network for
>>internet access. I don't want to allow split-tunnel. I can't find any info
>>on how to do this. Is split tunnel the only way to give a vpn client
>>internet access once they are connected?
>
>The short answer is yes. PIX-fu rule #1: the PIX is not a router. It can't
>take traffic that arrives on one interface and pass it back out that same
>interface, even when the traffic arrives via VPN tunnel. That said, you can
>sort of solve this problem by having the clients use a proxy server while
>connected via full tunnel. There may or may not be an elegant way to
>automate this for your road warriors, but this would really be independent
>of anything the PIX or VPN client do. (Think login scripts, Group Policy,
>etc.)
>
>If it's a big enough issue that you're willing to spend time and resources
>on it, I would recommend looking at the VPN3K concentrators (or ASA 5500?).
>They can do exactly what you're asking for, plus they possess a number of
>other features for managing VPN client users that the PIX doesn't have.
>(Like dynamic VPN profile assignment via RADIUS.)
>
>PaulM
>
>This email and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. This communication represents the originator's personal views and opinions, which do not necessarily reflect those of Thales Communications, Inc. If you are not the original recipient or the person responsible for delivering the email to the intended recipient, be advised that you have received this email in error, and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. If you received this email in error, please immediately notify Administrator2@Thalescomminc.com.
>
>
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>

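The PIX OS 7.0 configuration Jason describes (hairpinning plus non-split tunnelling for remote-access IPSec clients), written out as an added example. This is not Jason's or Cisco's configuration and is not taken from the thread; the interface, pool, policy and group names, the RFC 1918 addresses, and the 3DES/SHA proposal are all constructed for illustration, and the pre-shared key is a placeholder.

```text
! Added example: PIX OS 7.0 remote-access IPsec with split tunnelling
! disabled and VPN-client Internet traffic hairpinned back out "outside".
! All names, addresses and the pool below are constructed, not from a real site.

! Let traffic leave through the interface it arrived on: the 7.0 feature
! that 6.3 lacks. Without it, a tunnelall client's Internet-bound packets
! arrive on "outside" and are dropped instead of being forwarded.
same-security-traffic permit intra-interface

! Address pool handed to VPN clients (constructed range).
ip local pool VPNPOOL 192.168.100.1-192.168.100.50 mask 255.255.255.0

! tunnelall forces every client packet into the tunnel, so a connected
! client cannot act as a bridge between its local LAN and the corporate
! network, and its Internet traffic passes the corporate egress controls.
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelall

! Tunnel group for the Cisco VPN Client (7.0 keyword: ipsec-ra).
tunnel-group RA_GROUP type ipsec-ra
tunnel-group RA_GROUP general-attributes
 address-pool VPNPOOL
 default-group-policy RA_POLICY
tunnel-group RA_GROUP ipsec-attributes
 pre-shared-key <REPLACE-WITH-GROUP-KEY>

! IKE/IPsec parameters in 7.0 syntax (7.2 and later prefix these with "crypto").
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside

! Inside hosts (constructed 10.1.0.0/16) reach the VPN pool untranslated ...
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! ... while client traffic that hairpins to the Internet is PATed to the
! outside interface address. Note the NAT rule is bound to "outside", the
! interface the decrypted client traffic arrives on, not to "inside".
nat (outside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface
```

Two things worth checking after applying something like this: `show crypto ipsec sa` for a connected client should show a remote proxy of 0.0.0.0/0 (the visible sign that the client really is in tunnelall), and `show xlate` should show the pool addresses translated to the outside interface address once a client browses. One caveat a defender should know: by default 7.0 lets decrypted IPsec traffic bypass the outside interface ACL (`sysopt connection permit-ipsec`), so the hairpinned client-to-Internet flows are not filtered by that ACL; restrict them with a `vpn-filter` in the group policy or by turning that sysopt off and writing explicit rules.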
--__--__--

Message: 2
Date: Fri, 14 Oct 2005 21:22:34 -0400
From: Paul Pershing <streamfile@gmail.com>
To: "Hughes, Chris" <Chris.Hughes@thalescomminc.com>
Subject: Re: [fw-wiz] Pix VPN endpoint and split-tunnel
Cc: firewall-wizards@honor.icsalabs.com

On 10/8/05, Hughes, Chris <Chris.Hughes@thalescomminc.com> wrote:
> I am trying to configure a cisco pix as a vpn endpoint for the cisco vpn
> client and would like to force the client to use the corporate network
> for internet access. I don't want to allow split-tunnel. I can't find
> any info on how to do this. Is split tunnel the only way to give a vpn
> client internet access once they are connected?
>
> Thanks,
>
> Chris
>
>
>
>
>
Hi Chris,

If I understand what you're trying to do, it is indeed possible in v7.
I had a TAC case open on this earlier in the year, but I'm afraid that
I'm unable to find my reference to it. I do believe that this function
is referenced in the Release Notes for v7 - do you have access to CCO?

HTH,
Nick

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
