Split-Tunneling
wagnerbm
Okay. I need help explaining something. When you have a user that is using easy vpn to connect to the network and they need access to remote desktop into an outside network you need to enable split tunneling. I get it and I am trying to explain that you have to have it. Their argument is that the user can use the internet while being connected but we are using a proxy server and I have tried to explain that the proxy is making the request on behalf of that connection. They are not understanding why it is not just routing and why it can't go back out the outside interface. Can anyone give me a good explanation?
Comments
dtlokee
What type of device are you using for the vpn connection? Are the client web browsers configured to explicitly use the proxy?
Also the proxy should have no effect on traffic like RDP.
wagnerbm
What type of device are you using for the vpn connection?
A. We have a Pix 525 7.0
Are the client web browsers configured to explicitly use the proxy?
A. Their internet explorer is configured to use the proxy. So once they log in they can get to the network.
Also the proxy should have no effect on traffic like RDP.
Just a little more info: My boss says he wants to see it somewhere that says once you create a tunnel you can't go back out unless you use split-tunneling. But that is what a tunnel is - a connection from point A to point B, and if you want to go to C you need to use a resource from inside the network that can get out (like the proxy) or you use split-tunneling. Right?
stealthtt
The firewall can do NAT for the outside VPN client and allow it to access networks on the outside without split-tunneling.
But split-tunneling makes more sense, and uses less bandwidth, and that's what I do on all of my firewalls.
wagnerbm
The firewall can do NAT for the outside VPN client and allow it to access networks on the outside without split-tunneling
Okay. So my ez vpn clients come in and get assigned a new address via DHCP, let's say 192.168.1.2, and they don't have split tunneling enabled and they are allowed to 2 subnets on the network they created a tunnel to. But they want to go out to a separate site outside of the network they have connected to. I guess I am confused at how you would do the NAT. Since they come in on DHCP, how would I NAT that out? There is a global IP for the outside interface. Maybe I am just a little confused.
stealthtt
global (outside) 1 interface
nat (outside) 1 192.168.1.0 255.255.255.0 (this would allow 192.168.1.x)
Then you would want your nat 0 statement to exempt traffic between 192.168.1.x and your other internal networks.
wagnerbm
Okay. I am getting closer but on your global (outside) 1 interface there isn't an interface associated to the vpn users.
stealthtt
"global (outside) 1 interface" tells the firewall to use the IP address of its "outside" interface when doing nat.
wagnerbm
Ahhhh.....Light bulb. I get that now.
Ahriakin
You also need to allow intra-interface traffic on the outside interface in addition to the NAT already mentioned:
same-security-traffic permit intra-interface
wagnerbm
same-security-traffic permit intra-interface
Is this what you are talking about?
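As an added example that nobody in this thread posted, here are the two approaches discussed above side by side in PIX 7.0 syntax: the hairpin (U-turn) NAT that stealthtt and Ahriakin describe, and the split-tunnel group policy the original question is about. The 192.168.1.0/24 client pool is the one from the thread; the internal subnets 10.1.1.0/24 and 10.1.2.0/24, the ACL names, and the group-policy and tunnel-group names are assumed placeholders.

```cisco
! ---- Option A: hairpin (U-turn), no split tunneling ----
! Traffic from a VPN client enters on "outside" and must leave on "outside"
! again; by default the PIX drops same-interface traffic, so permit it.
same-security-traffic permit intra-interface
!
! PAT to the outside interface address (global ID 1 ties nat and global).
global (outside) 1 interface
! Inside hosts going to the Internet (assumed: all inside addresses).
nat (inside) 1 0.0.0.0 0.0.0.0
! The VPN client pool (from this thread) arrives on "outside", so its
! Internet-bound traffic is translated with an outside NAT rule.
nat (outside) 1 192.168.1.0 255.255.255.0
!
! NAT exemption (nat 0): never translate traffic between the two internal
! subnets the clients may reach (placeholders) and the client pool.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! ---- Option B: split tunneling ----
! Only the listed subnets are sent into the tunnel; RDP to an outside site
! leaves the client's own adapter directly. PIX/ASA 7.x requires a
! standard ACL for the split-tunnel list.
access-list SPLIT standard permit 10.1.1.0 255.255.255.0
access-list SPLIT standard permit 10.1.2.0 255.255.255.0
group-policy EZVPN-POLICY internal
group-policy EZVPN-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
! Attach the policy to the tunnel-group the Easy VPN clients connect to
! (placeholder name).
tunnel-group EZVPN-GROUP general-attributes
 default-group-policy EZVPN-POLICY
```

With option A every packet the client sends to the Internet still crosses the PIX (and can be steered through the proxy), at the cost of bandwidth on the outside interface; with option B the client is attached to both networks at once, so the client-side firewall and patch state become part of the perimeter.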