Split Tunnel Question

 
 
nt_pete@hotmail.com
      09-14-2006
We have a PIX 515 where users connect via VPN Client to access the LAN
in our home office. It works just fine. We (Admins) have never wanted
to let users have access to their local LAN while connected to the home
office. We were able to convince management this was the right way to
do things....until now.

It seems users need to access their local LAN while connected via VPN
Client and according to new management it is HIGH PRIORITY. FIX IT!

It's not broke, we say... whatever, we lost.

I have tried these changes:

access-list vpnlist permit ip 10.1.1.0 255.255.255.0 any
vpngroup vpn3000 split-tunnel vpnlist

Where 10.1.1.x is the LAN at my house.

I successfully connect to the PIX with VPN Client and have access to my
local LAN but no access to office LAN.

What am I doing wrong?

More info:

The PIX hands out to VPN Clients IPs that are on the same network as
the home office network. Does this complicate matters?

Thanks,

P.

 
Walter Roberson
      09-14-2006
In article <(E-Mail Removed) .com>,
<(E-Mail Removed)> wrote:
>We have a PIX 515 where users connect via VPN Client to access the LAN
>in our home office.


>It seems users need to access their local LAN while connected via VPN


>access-list vpnlist permit ip 10.1.1.0 255.255.255.0 any
>vpngroup vpn3000 split-tunnel vpnlist
>Where 10.1.1.x is the LAN at my house.


the access-list for a split-tunnel needs to be written as if the
source is the traffic on the PIX side, and the destination is
the PC side.

>The PIX hands out to VPN Clients IPs that are on the same network as
>the home office network. Does this complicate matters?


Yes: it only works if the PIX proxy-arps those IPs on the
inside network and has a host-specific route sending them out the
interface the VPN is connected to. proxy-arp is unreliable, and
proper construction of that host-specific route is too. It is usually
much easier to put the VPN client addresses into a different IP
range and then it all happens naturally by normal routing.
 
nt_pete@hotmail.com
      09-14-2006
Walter,

Thanks for the quick reply. So it looks like I need to:

1. Create new VPN group
2. Make sure new group receives different network from home office
3. New group should use home DNS/WINS
4. Create the access list for home network
5. Include the split tunnel command for new VPN group.

Anything else?

Thanks again,

P.

 
Walter Roberson
      09-14-2006
In article <(E-Mail Removed) .com>,
<(E-Mail Removed)> wrote:

>Thanks for the quick reply. So it looks like I need to:


>1. Create new VPN group


That's probably for the best. Don't give the split tunnel to
people who don't need it.

>2. Make sure new group receives different network from home office
>3. New group should use home DNS/WINS


Is there a good reason that they need to use the home DNS?
Your HQ is probably better protected against DNS poisoning
and such. But more so, those users are probably going to expect to
resolve your internal hostnames, which you probably shouldn't publish
to the outside world, so you probably want them to resolve through
the HQ DNS.

Similarly, you probably need to use the HQ WINS: if you need
WINS at all in your network then your users are going to expect to
be talking to your inside devices, which had better not work if
they are using an external WINS.

>4. Create the access list for home network
>5. Include the split tunnel command for new VPN group.


>Anything else?

 
Darren Green
      09-16-2006

"Walter Roberson" <(E-Mail Removed)> wrote in message
news:NbiOg.554151$IK3.69792@pd7tw1no...
> In article <(E-Mail Removed) .com>,
> <(E-Mail Removed)> wrote:
>
>>Thanks for the quick reply. So it looks like I need to:

>
>>1. Create new VPN group

>
> That's probably for the best. Don't give the split tunnel to
> people who don't need it.
>
>>2. Make sure new group receives different network from home office
>>3. New group should use home DNS/WINS

>
> Is there a good reason that they need to use the home DNS?
> Your HQ is probably better protected against DNS poisoning
> and such. But more so, those users are probably going to expect to
> resolve your internal hostnames, which you probably shouldn't publish
> to the outside world, so you probably want them to resolve through
> the HQ DNS.
>
> Similarly, you probably need to use the HQ WINS: if you need
> WINS at all in your network then your users are going to expect to
> be talking to your inside devices, which had better not work if
> they are using an external WINS.
>
>>4. Create the access list for home network
>>5. Include the split tunnel command for new VPN group.

>
>>Anything else?


Wouldn't you also need to add nonat between the internal networks and the
VPN Client pool?

Regards

Darren


 
nt_pete@hotmail.com
      09-17-2006
This is still not working. These are the changes:

access-list vpnlist permit ip 10.1.1.0 255.255.255.0 10.31.79.0 255.255.255.0
vpngroup test split-tunnel vpnlist
vpngroup test address-pool newpool
vpngroup test default-domain bubba.ws
vpngroup test idle-time 1800
vpngroup test password curveball
ip local pool newpool 10.100.100.240-10.100.100.250

Where 10.1.1.x is the main office LAN and 10.31.79.x is the user's home
LAN.

I connect but no traffic goes into main office LAN. Client has no
default gateway assigned for the DHCP assigned (10.100.100.x) IP
address.

What's wrong?

 
Walter Roberson
      09-17-2006
In article <(E-Mail Removed) .com>,
<(E-Mail Removed)> wrote:
>This is still not working. These are the changes:


>access-list vpnlist permit ip 10.1.1.0 255.255.255.0 10.31.79.0 255.255.255.0
>vpngroup test split-tunnel vpnlist
>vpngroup test address-pool newpool
>vpngroup test default-domain bubba.ws
>vpngroup test idle-time 1800
>vpngroup test password curveball
>ip local pool newpool 10.100.100.240-10.100.100.250


>Where 10.1.1.x is the main office LAN and 10.31.79.x is the users home
>LAN.


You are using vpngroup with an 'address-pool' clause, so the link
is assigned an ip in the newpool range. The destination part of
your vpnlist split tunnel should reflect that range; also, as was
raised by the other poster, you should make sure that your
nat (inside) 0 access-list has a line the same as your vpnlist line.
[Don't reuse access-lists, though: copy the line.]
 
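A consistency check for the fix described in the reply above (split-tunnel ACL written office LAN -> client pool, and the same line copied into the nat (inside) 0 list), as an added Python example that is not part of this thread. The config text is constructed from the thread's addresses, and the parser only understands the PIX 6.x line forms used in the thread.

```python
import ipaddress
import re
# Constructed PIX 6.x lines modelled on the working fix: office LAN 10.1.1.0/24, pool 10.100.100.240-250.
SAMPLE_CONFIG = """
access-list vpnlist permit ip 10.1.1.0 255.255.255.0 10.100.100.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.100.100.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool newpool 10.100.100.240-10.100.100.250
vpngroup test split-tunnel vpnlist
vpngroup test address-pool newpool
"""

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+)")
GROUP_RE = re.compile(r"vpngroup (\S+) (split-tunnel|address-pool) (\S+)")
NAT0_RE = re.compile(r"nat \(inside\) 0 access-list (\S+)")

def parse(config):
    # ACL lines become (src, dst) network pairs; pools become (first, last) addresses.
    acls, pools, groups, nat0 = {}, {}, {}, None
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := GROUP_RE.match(line):
            groups.setdefault(m[1], {})[m[2]] = m[3]
        elif m := NAT0_RE.match(line):
            nat0 = m[1]
    return acls, pools, groups, nat0

def check_split_tunnel(config, group, office_lan):
    """Return a list of problems; an empty list means the split-tunnel wiring is consistent."""
    acls, pools, groups, nat0 = parse(config)
    g = groups.get(group, {})
    pool = pools.get(g.get("address-pool"))
    if pool is None:
        return [f"vpngroup {group} has no address-pool"]
    lo, hi = pool
    office = ipaddress.ip_network(office_lan)
    lines = acls.get(g.get("split-tunnel"), [])
    problems = []
    # Source is the PIX side; destination must cover every address the pool can hand out.
    if not any(office.subnet_of(src) and lo in dst and hi in dst for src, dst in lines):
        problems.append("split-tunnel ACL does not map office LAN -> client pool")
    if nat0 is None or not any(l in acls.get(nat0, []) for l in lines):
        problems.append("nat (inside) 0 ACL lacks a matching office LAN -> pool line")
    return problems
```

Running it against the poster's earlier attempt (destination 10.31.79.0/24, the home LAN, instead of the pool) reports both problems.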
nt_pete@hotmail.com
      09-17-2006
OK. That did it. Many thanks especially to Walter.

I will try and argue our point to management that this is unwanted
behavior. Anyone know where I might find a list of good reasons why
split-tunnel is a bad idea?

Again Thank you for all the help. I appreciate it very much.

P.

 
Brian V
      09-17-2006

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> OK. That did it. Many thanks especially to Walter.
>
> I will try and argue our point to management that this is unwanted
> behavior. Anyone know where I might find a list of good reasons why
> split-tunnel is a bad idea?
>
> Again Thank you for all the help. I appreciate it very much.
>
> P.
>


For every split tunnel you allow you have punched a wide open hole in your
firewall policy, might as well just add a permit ip any any in it. Your edge
is no longer protected by the corporate firewall systems and is now reliant
on the security that the end user has if any at their home, starbucks, and
wifi zone etc. VERY bad policy to allow split tunneling.


 
nt_pete@hotmail.com
      09-17-2006
OK. I want to understand this.

Are we saying that the traffic to and from the VPN client from users
home/remote/starbucks etc. LAN is going unencrypted to the main office?
In other words plain text over the Internet?

Thanks,

P.

 