[c-nsp] VPN (hopefully quick) question... split vs nosplit tunnel

Michael K. Smith - Adhost mksmith at adhost.com
Fri May 14 18:54:50 EDT 2010


I don't think you can get traffic from VPN clients to route through the
tunnel back out to the Internet.  On the ASA you can use the
'same-security-traffic permit intra-interface' command.  On the older
devices, all you can do is make sure that the end user can't surf the
Internet while connected to the VPN.

Mike

--
Michael K. Smith - CISSP, GSEC, GISP
Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Kell
> Sent: Friday, May 14, 2010 2:32 PM
> To: cisco-nsp
> Subject: [c-nsp] VPN (hopefully quick) question... split vs nosplit tunnel
> 
> I have an old PIX 515E that has been serving as a VPN endpoint for more
> years than I can remember, but bottom line is I haven't touched the
> config in ages.
> 
> All of the configured VPN groups are split-tunnel configurations,
> bringing only selected internal networks in from the client.
> 
> I'm trying to setup a new profile without split-tunnel configured, so
> that all traffic goes through the tunnel (and thus encrypted, for those
> WiFi / cleartext wireless cases).
> 
> I think everything is up and working, authentication is good, tunnel
> setup on client is good, a default gateway to the tunnel is set in the
> client, inside traffic works as expected.
> 
> But no internet traffic.  I would have "expected" it to come in, bounce
> back out through NAT on the way outside, and all would be well.  But
> such is not the case.
> 
> The VPN pool addresses appear marked on the "outside:" interface, and
> despite a default route that points to the upstream border router, I'm
> getting:
> 
>    110001: No route to <the.outside.ip.address> from
> <the-tunnel-pool-address>
> 
> What is the missing "glue" to let the traffic pass outside?  Or am I
> missing something else entirely?
> 
> Jeff
> 
> 
> vpngroup no_split_tunnel address-pool VPN_NETADMIN2
> vpngroup no_split_tunnel dns-server ns1 ns2
> vpngroup no_split_tunnel default-domain utc.edu
> vpngroup no_split_tunnel idle-time 1800
> vpngroup no_split_tunnel password ********
> 
> Other VPN groups have:
> 
> vpngroup split_group split-tunnel split-tunnel-routes-ACL
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
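For reference, here is what the ASA-side configuration Mike alludes to looks like when a full-tunnel ("tunnelall") remote-access group is set up next to a split-tunnel one. This is an added example, not configuration posted by either participant and not a PIX 6.x config: the `vpngroup` syntax in Jeff's 515E has no equivalent of these commands, which is exactly the limitation Mike describes. Everything named here (pool 10.10.10.0/24, inside network 10.1.0.0/16, DNS server 10.1.0.53, the NOSPLIT/SPLIT policy and tunnel-group names, example.com) is an assumed placeholder. The NAT statements are in ASA 8.2-style syntax, with the 8.3+ object-NAT equivalent shown in comments.

```cisco
! Added example (not from the thread). Assumed names/addresses throughout.
! Full-tunnel remote-access group with hairpin NAT on an ASA, 8.2-style NAT.

! 1. Let decrypted VPN traffic that arrived on "outside" leave via "outside".
!    Without this the ASA drops it with the same kind of "no route" symptom
!    a PIX 6.x logs (110001) because the packet would exit its ingress interface.
same-security-traffic permit intra-interface

! 2. Client address pool (assumed: 10.10.10.0/24).
ip local pool VPNPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! 3. NAT. Inside <-> pool is exempt; pool -> Internet is PAT'd to the outside
!    interface address. The "(outside)" keyword on the nat line is what makes
!    the pool eligible for translation when its traffic enters on "outside".
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (outside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface

! 4. Group policy that tunnels everything: no split-tunnel network list.
!    vpn-idle-timeout is in minutes; 30 matches the 1800-second idle-time
!    in the questioner's vpngroup.
group-policy NOSPLIT internal
group-policy NOSPLIT attributes
 split-tunnel-policy tunnelall
 dns-server value 10.1.0.53
 default-domain value example.com
 vpn-idle-timeout 30

! The split-tunnel counterpart (what the existing "split_group" does on the
! PIX): only networks in the list go through the tunnel, everything else
! goes straight out the client's local (possibly cleartext WiFi) connection.
access-list SPLIT standard permit 10.1.0.0 255.255.0.0
group-policy SPLIT internal
group-policy SPLIT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT

! 5. Tunnel group tying the pool and policy to the IPsec client group.
tunnel-group NOSPLIT type remote-access
tunnel-group NOSPLIT general-attributes
 address-pool VPNPOOL
 default-group-policy NOSPLIT
tunnel-group NOSPLIT ipsec-attributes
 pre-shared-key ********

! ASA 8.3+ equivalent of step 3 (object-based NAT), shown as comments:
! object network INSIDE_NET
!  subnet 10.1.0.0 255.255.0.0
! object network VPNPOOL_NET
!  subnet 10.10.10.0 255.255.255.0
!  nat (outside,outside) dynamic interface
! nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPNPOOL_NET VPNPOOL_NET
```

Two practical points when checking this. First, `packet-tracer input outside tcp 10.10.10.5 1025 <some Internet IP> 80` on the ASA walks the decrypted flow through the route lookup, the intra-interface check and the NAT rule, so it shows which of the three is missing. Second, once hairpinning works the clients' Internet traffic leaves with the firewall's outside address, so any egress filtering or logging you want for those users has to be applied on the ASA itself; the full tunnel only protects the hop across the untrusted wireless network, it is not a content control by itself.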


