[c-nsp] VPN (hopefully quick) question... split vs nosplit tunnel

Adrian Chung adrian at enfusion-group.com
Fri May 14 20:12:55 EDT 2010


Same trick works on PIX >= 7.x. 


--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17

----- Original Message -----
From: cisco-nsp-bounces at puck.nether.net <cisco-nsp-bounces at puck.nether.net>
To: Nick Hilliard <nick at inex.ie>
Cc: cisco-nsp at puck.nether.net <cisco-nsp at puck.nether.net>
Sent: Fri May 14 19:41:32 2010
Subject: Re: [c-nsp] VPN (hopefully quick) question... split vs nosplit tunnel

ASA is easy with same-security intra-interface and nat (outside) 1, for example.

Sent from handheld.

On May 14, 2010, at 7:33 PM, "Nick Hilliard" <nick at inex.ie> wrote:

> On 14/05/2010 23:54, Michael K. Smith - Adhost wrote:
>> I don't think you can get traffic from VPN clients to route through the
>> tunnel back out to the Internet.  On the ASA you can use the
>> 'same-security-traffic permit intra-interface' command.  On the older
>> devices, all you can do is make sure that the end user can't surf the
>> Internet while connected to the VPN.
>
> One way around this is to use public ip addresses for vpn clients.
>
> Alternatively, if you're using a more modern router, you can policy route
> all your incoming vpn traffic through to a loopback interface; this will
> force all VPN traffic to be processed as if generated from within your
> network, so that usual outgoing rules apply (e.g. NAT, etc). I don't know
> if you can do this trick on an ASA.
>
> Both these approaches work quite well in practice.
>
> Nick
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

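The two hairpin tricks discussed in the thread, written out as an added configuration example: the ASA approach (`same-security-traffic permit intra-interface` plus a `nat (outside)` rule, which Adrian notes also works on PIX 7.x) and Nick's policy-route-to-a-loopback approach on an IOS router. This is not configuration posted by any participant. The client pool 10.10.10.0/24, the corporate range 192.168.0.0/16, the interface names and the group/tunnel-group names are assumptions. The ASA part is in the pre-8.3 NAT syntax the thread refers to, with the 8.3-and-later equivalent shown after it; the IOS part is the "NAT on a stick" pattern (loopback marked `ip nat inside`, traffic policy-routed into it).

```cisco
! ==== ASA / PIX 7.x-8.2 NAT syntax: hairpin no-split-tunnel clients out to the Internet ====
! Decrypted client traffic arrives on 'outside' and must leave via 'outside' again;
! by default the ASA drops same-interface forwarding, so allow it explicitly.
same-security-traffic permit intra-interface
!
! Assumed client address pool.
ip local pool VPNPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! PAT the client pool to the outside interface address as it exits 'outside'.
! NAT ID 1 ties the nat statement to the global statement.
nat (outside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
!
! Send everything through the tunnel (no split tunnelling).
group-policy VPN-GP internal
group-policy VPN-GP attributes
 split-tunnel-policy tunnelall
!
tunnel-group VPN-TG type remote-access
tunnel-group VPN-TG general-attributes
 address-pool VPNPOOL
 default-group-policy VPN-GP
!
! ---- ASA 8.3 and later: the nat/global pair above becomes an object NAT rule ----
! object network VPNPOOL
!  subnet 10.10.10.0 255.255.255.0
!  nat (outside,outside) dynamic interface
!
!
! ==== IOS router: policy-route decrypted client traffic into a NAT-inside loopback ====
! Assumed: Gi0/0 is the Internet-facing interface carrying the crypto map,
! Gi0/1 is the corporate LAN (192.168.0.0/16).
interface Loopback10
 description NAT-on-a-stick: makes hairpinned VPN traffic look 'inside'
 ip address 192.0.2.1 255.255.255.255
 ip nat inside
!
interface GigabitEthernet0/1
 description corporate LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Only client traffic bound for the Internet is redirected; corporate-bound
! traffic is routed normally (denied here, so PBR falls through to the routing table).
ip access-list extended VPN-TO-INTERNET
 deny   ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.10.10.0 0.0.0.255 any
!
route-map VPN-HAIRPIN permit 10
 match ip address VPN-TO-INTERNET
 set interface Loopback10
!
interface GigabitEthernet0/0
 description outside / Internet
 ip nat outside
 ip policy route-map VPN-HAIRPIN
 crypto map VPN-MAP
!
! After the loop through Loopback10 the packet is an inside->outside flow,
! so the ordinary overload NAT applies to it on the way back out Gi0/0.
ip access-list extended NAT-SOURCES
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 10.10.10.0 0.0.0.255 any
!
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/0 overload
```

Two checks worth doing after applying either variant: on the ASA, `show xlate` should show 10.10.10.x entries translated to the outside address once a client browses, and on IOS `show ip nat translations` should show the same for the pool. Note also that with the ASA default `sysopt connection permit-vpn`, decrypted client traffic bypasses the outside interface ACL, so if hairpinned clients should not reach arbitrary Internet or outside-side destinations, restrict them with a `vpn-filter` in the group policy rather than relying on the interface ACL.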