[c-nsp] VPN (hopefully quick) question... split vs nosplit tunnel

Nick Hilliard nick at inex.ie
Fri May 14 19:28:29 EDT 2010


On 14/05/2010 23:54, Michael K. Smith - Adhost wrote:
> I don't think you can get traffic from VPN clients to route through the
> tunnel back out to the Internet.  On the ASA you can use the
> 'same-security-traffic permit intra-interface' command.  On the older
> devices, all you can do is make sure that the end user can't surf the
> Internet while connected to the VPN.

One way around this is to use public ip addresses for vpn clients.

Alternatively, if you're using a more modern router, you can policy route
all your incoming vpn traffic through to a loopback interface; this will
force all VPN traffic to be processed as if generated from within your
network, so that usual outgoing rules apply (e.g. NAT, etc). I don't know
if you can do this trick on an ASA.

Both these approaches work quite well in practice.

Nick


More information about the cisco-nsp mailing list