07-18-2003 04:54 AM - edited 02-21-2020 12:40 PM
Is it possible to send traffic from Cisco VPN clients to the Internet through the PIX firewall? I don't want to use split tunneling.
This is what is logged in the PIX:
106011: Deny inbound (No xlate) tcp src outside:x.x.x.x/3048 dst outside:y.y.y.y/23
x.x.x.x = VPN client pool
y.y.y.y = Server on the Internet
Can this be done at all or is there a limitation in the PIX firewall preventing this?
Thanks,
07-20-2003 06:06 PM
The PIX won't allow traffic to be routed out the same interface it came in on, that includes traffic coming in over a VPN tunnel and going back out unencrypted to the Internet.
You can do it if you follow this sample:
http://www.cisco.com/warp/public/110/client-pixhub.html
but it requires two external interfaces on the PIX (something you may not have), and with VPN clients the routing would be a nightmare, you'd have to add specific static routes for the VPN clients subnets, probably unworkable in the long run.
Short answer, no, you can't do it without doing split tunnelling. Keep in mind the VPN client has a built-in firewall in it now that will disallow any external connection from being accepted, negating most of the risks of split tunnelling. You can even have this firewall enabled all the time, even when the tunnel isn't connected, further securing your PCs.
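The behaviour the answer above describes (traffic arriving over the VPN on the outside interface and being dropped when it tries to leave via that same interface) shows up in the 106011 message quoted in the question. As an added example that is not part of the original thread, the following Python snippet parses that message format and flags entries whose source address is in the VPN client pool and whose src and dst interface are identical, i.e. the hairpin attempts. The pool (10.10.10.0/24) and the sample log lines are constructed for illustration; real PIX syslog output carries a "%PIX-3-" prefix, which the search-based match tolerates.

```python
import re
from ipaddress import ip_address, ip_network

# Pattern for the 106011 message as it appears in the question:
# "106011: Deny inbound (No xlate) tcp src outside:x.x.x.x/3048 dst outside:y.y.y.y/23"
MSG_106011 = re.compile(
    r"106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_106011(line):
    """Return a dict of the 106011 fields, or None if the line is a different message."""
    m = MSG_106011.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def is_vpn_hairpin_deny(line, vpn_pool):
    """True when a 106011 deny has a VPN-pool source and the same src and dst interface,
    which is the "out the interface it came in on" case the answer describes."""
    rec = parse_106011(line)
    if rec is None:
        return False
    pool = ip_network(vpn_pool)
    return rec["src_if"] == rec["dst_if"] and ip_address(rec["src_ip"]) in pool


def hairpin_denies(lines, vpn_pool):
    """Collect the parsed 106011 records that are VPN hairpin denials."""
    return [parse_106011(l) for l in lines if is_vpn_hairpin_deny(l, vpn_pool)]


# Constructed sample log lines (not real PIX output). 10.10.10.0/24 is an assumed VPN
# pool; 203.0.113.10 is a documentation address standing in for the Internet server.
SAMPLE_LOG = [
    # VPN client in the pool trying to telnet out through the same (outside) interface
    "106011: Deny inbound (No xlate) tcp src outside:10.10.10.5/3048 dst outside:203.0.113.10/23",
    # Same message type, but the source is an arbitrary Internet host, not the pool
    "106011: Deny inbound (No xlate) tcp src outside:198.51.100.7/4021 dst outside:203.0.113.10/80",
    # A different message that must not match at all
    "302013: Built outbound TCP connection 4711 for outside:203.0.113.10/80 to inside:192.168.1.20/1055",
]

if __name__ == "__main__":
    for rec in hairpin_denies(SAMPLE_LOG, "10.10.10.0/24"):
        print("hairpin deny:", rec["src_ip"], "->", rec["dst_ip"], "port", rec["dst_port"])
```

Run against a real syslog export, the pool argument should be the address pool actually assigned to the VPN clients; a steady stream of matches is the signature of clients without split tunnelling trying to reach the Internet through the PIX.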
08-28-2003 06:11 AM
Is it possible to disallow VPN clients that don't have the integrated firewall enabled to connect to the PIX?
I know this is possible with a VPN concentrator, but is this possible with the PIX firewall?
Thanks.
07-21-2003 07:46 AM
Although you can't do this directly, you can if you have a proxy server on a DMZ. In this case the client makes all its connections to the proxy and the proxy makes all the Internet connections. You don't then have to use split tunnelling.
Andrew.