[c-nsp] PIX VPN changes from 6.3.4 to 7.0.x ?

Andrew Yourtchenko ayourtch at gmail.com
Wed Nov 9 08:29:36 EST 2005


Garry,

> parallel. Now, all communication is sent through the tunnel when IPSEC
> is up ... I've tried fiddling with split tunneling etc., but couldn't
> get the connection to permit both types of connections at the same time ...

internally, there have been quite a few changes between 6.x and 7.x - and
some of the configuration needed to be adjusted - the split-tunnel ACL
config is different in 6.x and 7.x - in 7.x you need to use a "standard"
ACL to denote which traffic is to be encrypted. This is indeed just
speculation since I do not know how you were configuring it.

Note that from 7.x, you can actually make the VPN-originated traffic
U-turn - from the VPN client, and then to the Internet (so you can
enforce the policy on the PIX for all the traffic). To have that you'd
need the "same-security-traffic permit intra-interface" command in the PIX
configuration & the corresponding translation rules (with both
'internal' and 'external' interfaces in their syntax being the VPN
termination interface).

thanks,
andrew
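As an added illustration (not part of Andrew's reply or of the thread), here is what the two options he describes look like in PIX 7.0 syntax: a "standard" ACL that selects the traffic to encrypt, and the intra-interface U-turn with its matching translation on the VPN termination interface. Interface names, policy names, pool and network addresses are constructed assumptions for this example.

```cisco
! Added example, not from the original post. All names and addresses are
! constructed assumptions: "outside" is the VPN termination interface,
! 10.1.0.0/16 the protected network, 172.16.50.0/24 the client pool.

! 7.x split tunnelling: a STANDARD ACL lists the networks to encrypt.
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0

! Address pool handed to remote-access clients.
ip local pool VPN_POOL 172.16.50.1-172.16.50.254

! Group policy: only traffic matching SPLIT_TUNNEL enters the tunnel;
! the client sends everything else out its own interface directly.
group-policy REMOTE_USERS internal
group-policy REMOTE_USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

tunnel-group REMOTE_USERS type ipsec-ra
tunnel-group REMOTE_USERS general-attributes
 address-pool VPN_POOL
 default-group-policy REMOTE_USERS

! Alternative: keep the policy on the PIX by tunnelling everything and
! U-turning Internet-bound client traffic back out the same interface.
! Use "split-tunnel-policy tunnelall" (the default) instead of the
! tunnelspecified lines above, then allow traffic to enter and leave the
! same interface and translate the client pool on that interface.
same-security-traffic permit intra-interface
nat (outside) 1 172.16.50.0 255.255.255.0
global (outside) 1 interface
```

The last two lines are the "translation rules" the reply refers to: both the `nat` and the `global` statement name the VPN termination interface, so decrypted client traffic is translated and sent back out of the interface it arrived on.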


