VPN Pix problem accessing outside

Discussion in 'Cisco' started by mohnkern@gmail.com, Aug 24, 2006.

  1. Guest

    Having a weird problem. We've got a person who is vpning into our Pix
    firewall, and they can then connect to any server inside the firewall,
    but cannot connect to anything outside the firewall. I'm sure it's an
    easy configuration issue, just haven't dealt with the VPN side of PIX
    firewalls before.
     
    , Aug 24, 2006
    #1

  2. Chad Mahoney Guest

    wrote:
    > Having a weird problem. We've got a person who is vpning into our Pix
    > firewall, and they can then connect to any server inside the firewall,
    > but cannot connect to anything outside the firewall. I'm sure it's an
    > easy configuration issue, just haven't dealt with the VPN side of PIX
    > firewalls before.


    Google split tunneling

    http://www.cisco.com/en/US/products...figuration_guide_chapter09186a0080172787.html
     
    Chad Mahoney, Aug 24, 2006
    #2

  3. In article <>,
    <> wrote:
    >Having a weird problem. We've got a person who is vpning into our Pix
    >firewall, and they can then connect to any server inside the firewall,
    >but cannot connect to anything outside the firewall. I'm sure it's an
    >easy configuration issue, just haven't dealt with the VPN side of PIX
    >firewalls before.


    You need to use the split-tunnel clause in your vpngroup
    configuration. The ACL you name there should match all the traffic
    that *should* go through the VPN, and should be in the same source/
    destination order as you would use for a crypto map.

    Note that the security implications of this should be considered.
    If someone takes over the remote computer, such as via a virus or
    trojan, and you allow their system to talk to the outside world
    at the same time you allow them to connect to your inside, then
    someone could use that active connection to remotely control their
    system in real time in order to get at your LAN.
     
    Walter Roberson, Aug 24, 2006
    #3
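    A constructed PIX 6.x configuration fragment illustrating the split-tunnel vpngroup setup described above (added here as an example; it is not from any poster in this thread). The addresses, pool, group name and DNS server are placeholders: inside LAN 192.168.1.0/24, client pool 192.168.100.0/24, group "remotegroup".

    ```text
    ! Constructed example, not from the thread. All addresses and names are placeholders.
    ! Address pool handed to VPN clients.
    ip local pool vpnpool 192.168.100.1-192.168.100.50

    ! Traffic between the inside LAN and the client pool must bypass NAT.
    access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    nat (inside) 0 access-list nonat

    ! Split-tunnel ACL, written in crypto-map order from the PIX's point of view:
    ! source = inside network, destination = VPN client pool.
    ! Only traffic matching this ACL is sent through the tunnel; the client's
    ! Internet traffic leaves its own uplink directly, which is exactly the
    ! exposure Walter's post warns about, so keep the ACL limited to the
    ! internal networks the remote user actually needs.
    access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

    vpngroup remotegroup address-pool vpnpool
    vpngroup remotegroup dns-server 192.168.1.10
    vpngroup remotegroup default-domain example.com
    vpngroup remotegroup split-tunnel split_tunnel
    vpngroup remotegroup idle-time 1800
    vpngroup remotegroup password <group-preshared-key>
    ```

    If the policy is instead to keep all remote traffic inside the tunnel and let the firewall police it, the PIX has to send client traffic back out the interface it arrived on, which PIX 6.x does not do; PIX 7.x/ASA added `same-security-traffic permit intra-interface` for that case.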