Split-Tunneling

wagnerbmwagnerbm Member Posts: 38 ■■□□□□□□□□
Okay. I need help explaining something. When you have a user that is using easy vpn to connect to the network and they need access to remote desktop into an outside network you need to enable split tunneling. I get it and I am trying to explain that you have to have it. Their arguement is that the user can use the internet while being connected but we are using a proxy server and I have tried to explain that the proxy is making the request on the behalf of that connection. They are not understanding why it is not just routing and why it can't go back out the outside interface. Can anyone give me a good explanation?

Comments

  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    What type of device are you using for the vpn connection? Are the client web browsers configured to explicitly use the proxy?

    Also the proxy should have no effect on traffic like RDP.
    The only easy day was yesterday!
  • wagnerbmwagnerbm Member Posts: 38 ■■□□□□□□□□
    What type of device are you using for the vpn connection?
    A. We have a Pix 525 7.0

    Are the client web browsers configured to explicitly use the proxy?
    A. Their internet explorer is configured to use the proxy. So once they log in they can get to the network.

    Also the proxy should have no effect on traffic like RDP.

    Just a little more info: My boss says he wants to see it somewhere that says once you create a tunnel you can't go back out unless you use split-tunneling. But that is what a tunnel is - a connection from point a to point b and if you want to go to c you need to use a resource from inside the network that can get out (like the proxy) or you use split-tunneling. Right?
  • stealthttstealthtt Member Posts: 14 ■□□□□□□□□□
    The firewall can do NAT for the outside VPN client and allow it to access networks on the outside without split-tunneling.

    But split-Tunneling makes more sense, and uses less bandwidth, and thats what I do on all of my firewalls.
  • wagnerbmwagnerbm Member Posts: 38 ■■□□□□□□□□
    The firewall can do NAT for the outside VPN client and allow it to access networks on the outside without split-tunneling

    Okay. So my ez vpn clients come in and get assigned a new address via dhcp lets say 192.168.1.2 and they don't have split tunneling enabled and they are allowed to 2 subnets on the network they created a tunnel too. But they want to go out to a seperate site outside of the network they have connected too. I guess I am confused at how you would do the nat. Since they come in on dhcp how would I nat that out? There is a global ip for the outside interface. Maybe I am just a little confused.
  • stealthttstealthtt Member Posts: 14 ■□□□□□□□□□
    global (outside) 1 interface
    nat (outside) 1 192.168.1.0 255.255.255.0 (this would allow 192.168.1.x)

    Then you would want your nat 0 statement to exempt traffic between 192.168.1.x and your other internal networks.
  • wagnerbmwagnerbm Member Posts: 38 ■■□□□□□□□□
    Okay. I am getting closer but on your global (outside) 1 interface there isn't an interface associated to the vpn users.
  • stealthttstealthtt Member Posts: 14 ■□□□□□□□□□
    "global (outside) 1 interface" tells the firewall to use the IP address of its "outside" interface when doing nat.
  • wagnerbmwagnerbm Member Posts: 38 ■■□□□□□□□□
    Ahhhh.....Light bulb. I get that now.
  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    You also need to allow IntraInterface traffic on the outside interface in addition to the NAT already mentioned
    same-security-traffic permit intra-interface .
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • wagnerbmwagnerbm Member Posts: 38 ■■□□□□□□□□
    same-security-traffic permit intra-interface

    Is this what you are talking about?
Sign In or Register to comment.