[c-nsp] VPN (hopefully quick) question... split vs nosplit tunnel
Nick Hilliard
nick at inex.ie
Fri May 14 19:28:29 EDT 2010
On 14/05/2010 23:54, Michael K. Smith - Adhost wrote:
> I don't think you can get traffic from VPN clients to route through the
> tunnel back out to the Internet. On the ASA you can use the
> 'same-security-traffic permit intra-interface' command. On the older
> devices, all you can do is make sure that the end user can't surf the
> Internet while connected to the VPN.
One way around this is to use public IP addresses for VPN clients.
Alternatively, if you're using a more modern router, you can policy-route
all your incoming VPN traffic through to a loopback interface; this will
force all VPN traffic to be processed as if generated from within your
network, so that the usual outgoing rules apply (e.g. NAT, etc.). I don't know
if you can do this trick on an ASA.
Both these approaches work quite well in practice.
Nick
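As an added example that is not part of this thread, here is what the two approaches look like written out: the ASA hairpin that Michael's `same-security-traffic permit intra-interface` command enables, and the IOS policy-route-to-loopback trick Nick describes. Everything beyond those two commands is assumed: the VPN pool 10.200.0.0/24, the loopback address 192.0.2.1, the object, ACL, route-map and interface names are placeholders, and the ASA NAT line uses the 8.3-and-later object syntax.

```cisco
! --- ASA: full-tunnel clients go back out to the Internet via the ASA ---
! Permit traffic to enter and leave on the same (outside) interface.
same-security-traffic permit intra-interface
!
! Assumed VPN client address pool (placeholder, RFC 1918 space).
object network VPN-POOL
 subnet 10.200.0.0 255.255.255.0
!
! Hairpin NAT (8.3+ syntax): client traffic re-entering the Internet
! is PAT'd to the outside interface address, like any inside host.
nat (outside,outside) source dynamic VPN-POOL interface
!
! Full-tunnel policy, so no client traffic bypasses the corporate egress.
group-policy FULL-TUNNEL attributes
 split-tunnel-policy tunnelall
!
! --- IOS alternative: policy-route decrypted VPN traffic into a loopback ---
! The loopback is marked "inside" so the looped packets take the normal
! outbound NAT/ACL path as if they were sourced from the LAN.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
 ip nat inside
!
ip access-list extended VPN-CLIENTS
 permit ip 10.200.0.0 0.0.0.255 any
!
route-map VPN-HAIRPIN permit 10
 match ip address VPN-CLIENTS
 set interface Loopback0
!
! Apply on the interface where decrypted client traffic arrives
! (placeholder: the VPN virtual-template).
interface Virtual-Template1 type tunnel
 ip policy route-map VPN-HAIRPIN
```

The point of either form from a defender's side is that remote clients get the same egress controls as LAN hosts: their Internet traffic is NATed, filtered and logged at the corporate edge instead of leaving from whatever network the laptop is sitting on. On the ASA, `show nat` shows the hairpin translation counters; on IOS, `show route-map VPN-HAIRPIN` shows whether the policy is matching packets.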