[c-nsp] VPN (hopefully quick) question... split vs nosplit tunnel
Adrian Chung
adrian at enfusion-group.com
Fri May 14 20:12:55 EDT 2010
Same trick works on PIX >= 7.x.
--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
----- Original Message -----
From: cisco-nsp-bounces at puck.nether.net <cisco-nsp-bounces at puck.nether.net>
To: Nick Hilliard <nick at inex.ie>
Cc: cisco-nsp at puck.nether.net <cisco-nsp at puck.nether.net>
Sent: Fri May 14 19:41:32 2010
Subject: Re: [c-nsp] VPN (hopefully quick) question... split vs nosplit tunnel
ASA is easy with same- security intra-interface and nat (outside) 1
for example.
Sent from handheld.
On May 14, 2010, at 7:33 PM, "Nick Hilliard" <nick at inex.ie> wrote:
> On 14/05/2010 23:54, Michael K. Smith - Adhost wrote:
>> I don't think you can get traffic from VPN clients to route through
>> the
>> tunnel back out to the Internet. On the ASA you can use the
>> 'same-security-traffic permit intra-interface' command. On the older
>> devices, all you can do is make sure that the end user can't surf the
>> Internet while connected to the VPN.
>
> One way around this is to use public ip addresses for vpn clients.
>
> Alternatively, if you're using a more modern router, you can policy
> route
> all your incoming vpn traffic through to a loopback interface; this
> will
> force all VPN traffic to be processed as if generated from within your
> network, so that usual outgoing rules apply (e.g. NAT, etc). I don't
> know
> if you can do this trick on an ASA.
>
> Both these approaches work quite well in practice.
>
> Nick
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list