SSL Tunnel through an IPSEC Tunnel?
EricO
We have a situation where there is an additional secure area of our network within our corporate network. Within our network the secure zone is protected by a PIX. This PIX is managed by a separate security team than the VPN concentrator. We have a need for direct port access to devices on the other side of the PIX. We will likely replace the PIX with ASA devices soon. Currently all of our standard issue laptops connect to the corporate network via an IPsec client tunnel and the Cisco client. What I am currently considering is using an SSL VPN Client (SVC Full Tunnel Mode) to connect through the IPSEC tunnel established to the corporate network. The first question I have is: Is it possible? The second question is: does it seem like the smart thing to do?
Comments
Ahriakin
It is possible, but each layer will add more overhead, so if you are bandwidth limited it will become an issue. Why not have the VPN concentrator set up to assign you a static IP (not the same as your in-office one, as you could run into ARP cache issues), create a std. IPSec VPN between the concentrator and your internal PIX/ASA, do not clear all IPSec traffic using Sysopt and apply an access-list filter on the outside interface of the PIX that only allows your assigned IP(s), and also back that up by setting the access-list used for identifying interesting traffic to just between your VPN assigned IP(s) and the PIX/ASA itself? This way you are not encrypting again within your tunnel; it's just one tunnel from you to the concentrator and a separate one from it to the firewall. How many people you want to use the system, what protocols/targets etc. can all be controlled using the IP assignment as Statics or Pools on the Concentrator and your interesting traffic access-list/outside access-list on the firewall.
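The firewall side of the design described in the reply above, sketched as an added example that is not part of the thread or either poster's configuration. It assumes ASA 7.x/8.0-style syntax and constructed values throughout: 10.10.50.21 as the static IP the concentrator assigns, 192.0.2.10 as the concentrator's peer address, 172.16.99.15 as one secure-zone device reached over SSH, and all object names.

```cisco
! --- Added example: constructed addresses and names, not from the thread ---
! Make decrypted tunnel traffic subject to the interface ACL instead of
! letting it bypass ACL checks.
no sysopt connection permit-ipsec
! On ASA 7.1 and later the equivalent command is:
!   no sysopt connection permit-vpn

! Interesting-traffic ACL: only the secure-zone device <-> the one
! concentrator-assigned client IP is ever encrypted into this tunnel.
access-list CRYPTO_SECZONE extended permit ip host 172.16.99.15 host 10.10.50.21

! Outside ACL: second, independent filter on what the assigned IP may reach
! once its traffic has been decrypted. Port 22 is an assumed requirement.
access-list OUTSIDE_IN extended permit tcp host 10.10.50.21 host 172.16.99.15 eq ssh
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Phase 1 (IKE) toward the concentrator.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5

tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key <PLACEHOLDER-KEY>

! Phase 2: bind the narrow crypto ACL to the single peer.
crypto ipsec transform-set SECZONE_TS esp-aes-256 esp-sha-hmac
crypto map SECZONE_MAP 10 match address CRYPTO_SECZONE
crypto map SECZONE_MAP 10 set peer 192.0.2.10
crypto map SECZONE_MAP 10 set transform-set SECZONE_TS
crypto map SECZONE_MAP interface outside
```

Any NAT exemption for the tunnel traffic depends on the firewall's existing NAT rules and is left out. Adding a user or a target means adding a matching line to both access lists, which keeps the two filters in agreement.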