[c-nsp] VPN (hopefully quick) question... split vs nosplit tunnel

tkapela at gmail.com
Fri May 14 19:39:23 EDT 2010


+1 to policy route nexthop through loopback -- but this is route-map style, and kinda janky imho, compared to other options

On IOS, I've become much more fond of tunnel-protection via virtual templates. Real virt-access cloned per ipsec endpoint (with or without gre, etc) is pure genius.

I'd send a url, but I'm replying via blackberry (and this one is quite google-able).

On asa or pix, I've given up...

-Tk

-----Original Message-----
From: Nick Hilliard <nick at inex.ie>
Date: Sat, 15 May 2010 00:28:29 
To: <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] VPN (hopefully quick) question... split vs nosplit tunnel

On 14/05/2010 23:54, Michael K. Smith - Adhost wrote:
> I don't think you can get traffic from VPN clients to route through the
> tunnel back out to the Internet.  On the ASA you can use the
> 'same-security-traffic permit intra-interface' command.  On the older
> devices, all you can do is make sure that the end user can't surf the
> Internet while connected to the VPN.

One way around this is to use public ip addresses for vpn clients.

Alternatively, if you're using a more modern router, you can policy route
all your incoming vpn traffic through to a loopback interface; this will
force all VPN traffic to be processed as if generated from within your
network, so that usual outgoing rules apply (e.g. NAT, etc). I don't know
if you can do this trick on an ASA.

Both these approaches work quite well in practice.

Nick
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
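The loopback hairpin Nick describes, written out as IOS configuration. This is an added example for readers of the archive, not configuration posted by either author; the interface names, the client pool (10.10.10.0/24), the internal LAN (192.168.0.0/16) and the loopback /30 are constructed values, and the crypto profile referenced on the virtual template is assumed to exist elsewhere in the config.

```cisco
! Constructed example: policy-route decrypted VPN-client traffic into a
! loopback that is marked "ip nat inside", so it is re-routed as if it
! came from the LAN and hits the normal outbound NAT.

interface Loopback0
 description NAT hairpin for VPN client traffic
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
!
! Match only client traffic that is leaving for the Internet; traffic to
! the internal LAN keeps the ordinary routing table.
ip access-list extended VPN-CLIENT-TO-INTERNET
 deny   ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.10.10.0 0.0.0.255 any
!
! The next-hop is the unused address in the loopback /30. The router's
! connected route sends the packet into Loopback0, it re-enters as
! "inside" traffic, and the NAT rule below translates it on the way out.
route-map VPN-HAIRPIN permit 10
 match ip address VPN-CLIENT-TO-INTERNET
 set ip next-hop 10.255.255.2
!
! Apply the policy where decrypted client traffic arrives. With a dynamic
! VTI (the "tunnel protection" / virtual-template style Tk mentions) that
! is the virtual template, so only post-decryption packets are matched.
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 ip policy route-map VPN-HAIRPIN
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-PROFILE   ! assumed to be defined
!
interface GigabitEthernet0/0
 description outside
 ip nat outside
!
ip access-list extended NAT-INSIDE
 permit ip 10.10.10.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.255.255 any
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
```

On an older crypto-map setup the decrypted packets surface on the outside interface itself, so the `ip policy route-map` has to sit there instead; in that case the ACL is matching on a plaintext source address that an outside host could also forge, so keep an anti-spoofing ACL (or uRPF) on the outside interface so that only traffic which actually came out of the tunnel is hairpinned. The virtual-template placement avoids that problem, which is one practical reason to prefer it over the route-map-on-outside variant.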