Split Tunnel Question

Discussion in 'Cisco' started by nt_pete@hotmail.com, Sep 14, 2006.

  1. Guest

    We have a PIX 515 where users connect via VPN Client to access the LAN
    in our home office. It works just fine. We (Admins) have never wanted
    to let users have access to their local LAN while connected to the home
    office. We were able to convince management this was the right way to
    do things....until now.

    It seems users need to access their local LAN while connected via VPN
    Client and according to new management it is HIGH PRIORITY. FIX IT!

    It's not broke, we say...whatever, we lost.

    I have tried these changes:

    access-list vpnlist permit ip 10.1.1.0 255.255.255.0 any
    vpngroup vpn3000 split-tunnel vpnlist

    Where 10.1.1.x is the LAN at my house.

    I successfully connect to the PIX with VPN Client and have access to my
    local LAN but no access to office LAN.

    What am I doing wrong?

    More info:

    The PIX hands out to VPN Clients IPs that are on the same network as
    the home office network. Does this complicate matters?

    Thanks,

    P.
     
    , Sep 14, 2006
    #1

  2. In article <>,
    <> wrote:
    >We have a PIX 515 where users connect via VPN Client to access the LAN
    >in our home office.
    >
    >It seems users need to access their local LAN while connected via VPN
    >
    >access-list vpnlist permit ip 10.1.1.0 255.255.255.0 any
    >vpngroup vpn3000 split-tunnel vpnlist
    >Where 10.1.1.x is the LAN at my house.


    the access-list for a split-tunnel needs to be written as if the
    source is the traffic on the PIX side, and the destination is
    the PC side.

    >The PIX hands out to VPN Clients IPs that are on the same network as
    >the home office network. Does this complicate matters?


    Yes: it only works if the PIX proxy-arps those IPs on the
    inside network and has a host-specific route sending them out the
    interface the VPN is connected to. proxy-arp is unreliable, and
    proper construction of that host-specific route is too. It is usually
    much easier to put the VPN client addresses into a different IP
    range and then it all happens naturally by normal routing.
     
    Walter Roberson, Sep 14, 2006
    #2

  3. Guest

    Walter,

    Thanks for the quick reply. So it looks like I need to:

    1. Create new VPN group
    2. Make sure new group receives different network from home office
    3. New group should use home DNS/WINS
    4. Create the access list for home network
    5. Include the split tunnel command for new VPN group.

    Anything else?

    Thanks again,

    P.
     
    , Sep 14, 2006
    #3
  4. In article <>,
    <> wrote:

    >Thanks for the quick reply. So it looks like I need to:
    >
    >1. Create new VPN group

    That's probably for the best. Don't give the split tunnel to
    people who don't need it.

    >2. Make sure new group receives different network from home office
    >3. New group should use home DNS/WINS


    Is there a good reason that they need to use the home DNS?
    Your HQ is probably better protected against DNS poisoning
    and such. But more so, those users are probably going to expect to
    resolve your internal hostnames, which you probably shouldn't publish
    to the outside world, so you probably want them to resolve through
    the HQ DNS.

    Similarly, you probably need to use the HQ WINS: if you need
    WINS at all in your network then your users are going to expect to
    be talking to your inside devices, which had better not work if
    they are using an external WINS.

    >4. Create the access list for home network
    >5. Include the split tunnel command for new VPN group.
    >
    >Anything else?
     
    Walter Roberson, Sep 14, 2006
    #4
  5. Darren Green Guest

    "Walter Roberson" <> wrote in message
    news:NbiOg.554151$IK3.69792@pd7tw1no...
    > In article <>,
    > <> wrote:
    >
    >>Thanks for the quick reply. So it looks like I need to:
    >
    >>1. Create new VPN group
    >
    > That's probably for the best. Don't give the split tunnel to
    > people who don't need it.
    >
    >>2. Make sure new group receives different network from home office
    >>3. New group should use home DNS/WINS
    >
    > Is there a good reason that they need to use the home DNS?
    > Your HQ is probably better protected against DNS poisoning
    > and such. But more so, those users are probably going to expect to
    > resolve your internal hostnames, which you probably shouldn't publish
    > to the outside world, so you probably want them to resolve through
    > the HQ DNS.
    >
    > Similarly, you probably need to use the HQ WINS: if you need
    > WINS at all in your network then your users are going to expect to
    > be talking to your inside devices, which had better not work if
    > they are using an external WINS.
    >
    >>4. Create the access list for home network
    >>5. Include the split tunnel command for new VPN group.
    >
    >>Anything else?

    Wouldn't you also need to add nonat between the internal networks and the
    VPN Client pool?

    Regards

    Darren
     
    Darren Green, Sep 16, 2006
    #5
  6. Guest

    This is still not working. These are the changes:

    access-list vpnlist permit ip 10.1.1.0 255.255.255.0 10.31.79.0 255.255.255.0
    vpngroup test split-tunnel vpnlist
    vpngroup test address-pool newpool
    vpngroup test default-domain bubba.ws
    vpngroup test idle-time 1800
    vpngroup test password curveball
    ip local pool newpool 10.100.100.240-10.100.100.250

    Where 10.1.1.x is the main office LAN and 10.31.79.x is the user's home
    LAN.

    I connect but no traffic goes into main office LAN. Client has no
    default gateway assigned for the DHCP assigned (10.100.100.x) IP
    address.

    What's wrong?
     
    , Sep 17, 2006
    #6
  7. In article <>,
    <> wrote:
    >This is still not working. These are the changes:
    >
    >access-list vpnlist permit ip 10.1.1.0 255.255.255.0 10.31.79.0 255.255.255.0
    >vpngroup test split-tunnel vpnlist
    >vpngroup test address-pool newpool
    >vpngroup test default-domain bubba.ws
    >vpngroup test idle-time 1800
    >vpngroup test password curveball
    >ip local pool newpool 10.100.100.240-10.100.100.250
    >
    >Where 10.1.1.x is the main office LAN and 10.31.79.x is the user's home
    >LAN.


    You are using vpngroup with an 'address-pool' clause, so the link
    is assigned an ip in the newpool range. The destination part of
    your vpnlist split tunnel should reflect that range; also, as was
    raised by the other poster, you should make sure that your
    nat (inside) 0 access-list has a line the same as your vpnlist line.
    [Don't reuse access-lists, though: copy the line.]
     
    Walter Roberson, Sep 17, 2006
    #7
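    Pulling Walter's and Darren's corrections together, here is the complete PIX 6.x configuration as an added example (it was not posted in the thread). The `nonat` ACL name, the DNS/WINS addresses and the group password are placeholders, and the `!` lines are annotations to drop before pasting.

```cisco
! Client pool on its own range, NOT overlapping the office LAN 10.1.1.0/24,
! so no proxy-arp or host routes are needed; normal routing returns traffic.
ip local pool newpool 10.100.100.240-10.100.100.250

! Split-tunnel ACL: source = PIX-side network, destination = client pool.
! The client installs a secured route only for the source network 10.1.1.0/24;
! everything else (including the 10.31.79.0/24 home LAN) stays local.
! BEFORE (post #6, destination was the home LAN instead of the pool):
!   access-list vpnlist permit ip 10.1.1.0 255.255.255.0 10.31.79.0 255.255.255.0
! AFTER:
access-list vpnlist permit ip 10.1.1.0 255.255.255.0 10.100.100.0 255.255.255.0

! NAT exemption so office hosts answer pool addresses untranslated.
! Separate ACL with the same line; do not reuse vpnlist for nat 0.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.100.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! Dedicated group so only users who need the split tunnel get it.
! DNS/WINS point at HQ (placeholder addresses) so internal names resolve
! through the better-protected HQ resolvers.
vpngroup test address-pool newpool
vpngroup test dns-server 10.1.1.10
vpngroup test wins-server 10.1.1.11
vpngroup test default-domain bubba.ws
vpngroup test split-tunnel vpnlist
vpngroup test idle-time 1800
vpngroup test password GROUP-PASSWORD-PLACEHOLDER

! Let decrypted IPsec traffic bypass the interface ACLs.
sysopt connection permit-ipsec
```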
  8. Guest

    OK. That did it. Many thanks especially to Walter.

    I will try and argue our point to management that this is unwanted
    behavior. Anyone know where I might find a list of good reasons why
    split-tunnel is a bad idea?

    Again Thank you for all the help. I appreciate it very much.

    P.
     
    , Sep 17, 2006
    #8
  9. Brian V Guest

    <> wrote in message
    news:...
    > OK. That did it. Many thanks especially to Walter.
    >
    > I will try and argue our point to management that this is unwanted
    > behavior. Anyone know where I might find a list of good reasons why
    > split-tunnel is a bad idea?
    >
    > Again Thank you for all the help. I appreciate it very much.
    >
    > P.

    For every split tunnel you allow you have punched a wide open hole in your
    firewall policy, might as well just add a permit ip any any in it. Your edge
    is no longer protected by the corporate firewall systems and is now reliant
    on the security that the end user has if any at their home, starbucks, and
    wifi zone etc. VERY bad policy to allow split tunneling.
     
    Brian V, Sep 18, 2006
    #9
  10. Guest

    OK. I want to understand this.

    Are we saying that the traffic to and from the VPN client from users
    home/remote/starbucks etc. LAN is going unencrypted to the main office?
    In other words plain text over the Internet?

    Thanks,

    P.
     
    , Sep 18, 2006
    #10
  11. Brian V Guest

    <> wrote in message
    news:...
    > OK. I want to understand this.
    >
    > Are we saying that the traffic to and from the VPN client from users
    > home/remote/starbucks etc. LAN is going unencrypted to the main office?
    > In other words plain text over the Internet?
    >
    > Thanks,
    >
    > P.
    >


    Not at all, got nothing to do with encryption, clear text...nothing like
    that at all.

    1, You have your internet at your corp, your internals are protected by your
    firewall
    2, No one from the internet can get in to your corp LAN because of that
    firewall.
    3, You punch a couple holes in the firewall to allow VPN users to connect.
    Still secure, username/password/certificate/whatever protected.
    4, A user without split tunnel connects to your systems. His local internet
    connection is essentially terminated because your VPN policy says, hey, you
    can only talk to me, no one else, all traffic must be sent to me and all
    traffic you receive will be from me. Still secure.
    5, You allow a user to connect with a split tunnel policy. Your VPN system
    says, hey, only send me the traffic destined for me, all other traffic use
    your local internet connection. What this does is let Joe Hacker come in
    thru the internet on to that user's PC, bang, he's got a pipe right in to
    your corporate infrastructure.
     
    Brian V, Sep 18, 2006
    #11
  12. Guest

    Brian,

    Thanks for the explanation. That is sure enough worrisome by itself. I
    guess we will need to write a contract that says home users who use
    the corporate VPN MUST have a firewall/antivirus/spyware on their home
    PCs and if there is a breach for lack of having said software THEY ARE
    RESPONSIBLE. They sign it and their manager signs it.

    Can't really do much else I guess.

    Gracias,

    P.
     
    , Sep 18, 2006
    #12
  13. Brian V Guest

    <> wrote in message
    news:...
    > Brian,
    >
    > Thanks for the explanation. That is sure enough worrisome by itself. I
    > guess we will need to write a contract that says home users who use
    > the corporate VPN MUST have a firewall/antivirus/spyware on their home
    > PCs and if there is a breach for lack of having said software THEY ARE
    > RESPONSIBLE. They sign it and their manager signs it.
    >
    > Can't really do much else I guess.
    >
    > Gracias,
    >
    > P.

    I never caught the beginning of this thread....Is there a business need
    that you need to give them split-tunneling? If not, tough cookies for the
    end user. IMHO split-tunneling should never be allowed. I discourage all of
    my customers from using it.
    If there is a need for internet access while VPN'd I push the customer
    to buy a concentrator which will route the traffic while still securing the
    edge. The concentrators are a very cheap way of maintaining that security on
    the edge. List on a 3005 is 2995.00. I have also heard rumor that you can do
    this with Pix 7 by using the same-interface commands. I have not had the
    time to test this yet, so not sure if it works, definitely worth looking in
    to tho.

    -Brian
     
    Brian V, Sep 18, 2006
    #13
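    As an added illustration of the alternative Brian mentions (not posted or tested by him): on PIX/ASA 7.x the same-interface ("hairpin") commands let a tunnel-all client reach the Internet back out through HQ, so its Internet traffic still passes the corporate firewall policy and no split tunnel is needed. Pool, ACL and group names are assumed, and the `!` lines are annotations.

```cisco
! Allow traffic to enter and leave the same (outside) interface.
same-security-traffic permit intra-interface

! Client pool on its own range (7.x syntax takes a mask).
ip local pool vpnpool 10.100.100.240-10.100.100.250 mask 255.255.255.0

! Decrypted pool traffic bound for the Internet is PATed to the outside
! interface address and sent back out the outside interface.
nat (outside) 1 10.100.100.0 255.255.255.0
global (outside) 1 interface

! Office LAN <-> pool stays untranslated (same idea as nat 0 on 6.x).
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.100.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! No split tunnel: the client sends everything through HQ.
group-policy vpnusers internal
group-policy vpnusers attributes
 split-tunnel-policy tunnelall

tunnel-group vpnusers type ipsec-ra
tunnel-group vpnusers general-attributes
 address-pool vpnpool
 default-group-policy vpnusers
```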
  14. Guest

    Hi Brian,

    The only business need is convenience (printing, shares, etc.). The other
    thing going on is management's misunderstanding that something must be
    BROKE if they can't access both LANs while connected to the PIX via VPN
    Client. I have worked with concentrators at other jobs and they are
    great I agree, but this company is private so getting them to spend on
    security is a waste of time. In fact they see the whole IT department
    as a black hole. If they had their way we'd still be on Windows 98
    with Windows 3.1

    Cheers,

    P.
     
    , Sep 18, 2006
    #14