VPN-client for internet-access on same interface?

maraz
Level 1

Hello,

This is from your release notes:

"Version 7.0(1) improves support for spoke-to-spoke (and client-to-client) VPN communications, by providing the ability for encrypted traffic to enter and leave the same interface. Furthermore, split-tunnel remote access connections can now be terminated on the outside interface for the security appliance, allowing Internet-destined traffic from remote access user VPN tunnels to leave on the same interface as it arrived (after firewall rules have been applied).

The same-security-traffic command permits traffic to enter and exit the same interface when used with the intra-interface keyword enabling spoke-to-spoke VPN support. For more information, see the "Permitting Intra-Interface Traffic" section in the Cisco Security Appliance Command Line Configuration Guide."

What are the commands to support a VPN client where I want to route everything into the tunnel and have the internet access go out the same interface?

What do you actually mean by "split-tunnel" above? I thought the idea was to tunnel everything and then route the internet traffic out on the same interface?

Can I please have clarification on this one?

Best Regards

Robert Maras

7 Replies

jnaglich
Level 1

While I haven't used PIX Version 7.0(1) yet, I believe the only parts of the configuration you're interested in from the page you supplied:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

are the group policies and the VPN config (ISAKMP and IPsec). A PIX split tunnel is a way to allow VPN clients to use their normal internet connection to get to internet resources and only use the VPN tunnel for traffic back to the internal network behind the PIX. If you're looking to route internet traffic out of the PIX, but coming from the VPN tunnel, the default route should take care of this once the VPN session is established.

The example from the above page shows how to route out the same interface into another VPN tunnel to a secondary site. That's what the additional access lists are for. The split-tunnel config is to allow the clients to connect to the internet without using the tunnel at all. The group policies allow security settings to be applied to a group of people using the same VPN credentials. So, depending on what you'd like to do, you should be able to use all or some of these parts.

I hope this helps!

Jason

Hello,

Sorry, but this does not answer my question. The release notes mention "split-tunnel" AND traffic leaving the same interface. But the "intra-interface" option only mentions VPN-to-VPN traffic. So, I would like to have some clarification from Cisco on this!

Best Regards

Robert Maras

johansens
Level 4

Hi there Robert,

If you want official feedback from Cisco, it's best to go through TAC and/or your CAM / local Cisco office.

These forums are a user community, but some Cisco employees are among the largest contributors.

Now for your questions:

The PIX and ASA appliances don't support routing in and out of the same interface. The exception to this rule is as follows: if you are coming from a VPN tunnel and going to another VPN tunnel, this traffic can be allowed by using "same-security-traffic permit intra-interface". As far as I know, this is ONLY for VPN to VPN.

Split tunnel is when you allow your remote clients to use their local internet and LAN connections. What's happening is that you specify exactly which traffic is going to enter the VPN; the rest is left to normal routing.

I do understand why you are asking, as the release notes could be read as "split-tunnel...terminated on the outside interface...leave on the same interface..." and be understood to mean this applies to the central firewall, but AFAIK it doesn't.

To add to the confusion: the FWSM (firewall services module for the 6500 platform), which is in fact a big PIX blade, does allow traffic to enter and leave the same interface, but it doesn't have support for VPN (this is left to the supervisor and/or VPN modules). :)

Did it help?

Hello,

No, that does not help. Because Cisco states: "Enables remote-access VPN connections to be terminated on the outside interface of a Cisco PIX Security Appliance, allowing Internet-destined traffic from remote-access user VPN tunnels to leave through the same interface it arrived at (after firewall rules, URL filtering policies, and other security checks have been optionally applied)".

So clearly Cisco writes that it should be possible.

Best regards

Robert Maras

Hi again,

Well, they wrote the statement you are referring to in the datasheet:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet0900aecd80225ae1.html

so maybe the marketing department made an error, because all the release notes, configuration guides and command references say it's only VPN to VPN. More specifically:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450beb.html#wp1042114

"The security appliance includes a feature that lets users on the same subnet send IPSec-protected traffic to each other. It does so by allowing such traffic in and out of the same interface. This is called hairpinning."

...

"You use the same-security-traffic command, but with the inter-interface argument, to permit communication between interfaces that have the same security level. This feature is not specific to IPSec connections. For more information, see the "Configuring Interface Parameters" chapter of this guide."

So this indicates that intra-interface is specific to IPsec connections.

I understand you would like a clarification on this. Run it by Cisco and tell us what they said.

In the meantime, has anyone actually tried this, i.e. running the traffic out of the internet interface again? I don't have access to my lab right now, so I can't really check myself.

Did it help?

The only way I have found to apply our web access policies (URL, ACL etc.) is to get VPN users to use a proxy server on the inside. Non-VPN traffic will not go back out of the VPN (probably outside) interface.

Split tunnelling is just used to tell the VPN client which destinations need encrypting and which can go direct.

Hello, Everybody!

I have finally been able to test it. And the thing that made it work is actually the "same-security-traffic permit intra-interface" command.

Best Regards

Robert Maras
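The configuration the thread converges on, as an added example (not posted in the thread and not taken from Cisco's documentation): a PIX/ASA 7.x-style remote-access setup that tunnels all client traffic and hairpins Internet-bound traffic back out of the outside interface. Names (VPNPOOL, RAGROUP, NONAT), addresses and the key are constructed placeholders, and the ISAKMP policy, transform set and dynamic crypto map are assumed to be configured already.

```cisco
! Added example, not from the thread or Cisco docs. Placeholders throughout.

! 1. The command the thread ends on: let traffic that arrived on an
!    interface leave through that same interface (hairpinning).
same-security-traffic permit intra-interface

! 2. Address pool handed to VPN clients (constructed range).
ip local pool VPNPOOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! 3. Group policy: no split tunnelling, every client packet enters the tunnel,
!    so Internet traffic reaches the firewall and is subject to its rules.
group-policy RAGROUP internal
group-policy RAGROUP attributes
 vpn-tunnel-protocol ipsec
 split-tunnel-policy tunnelall
 dns-server value 10.0.0.53

! 4. PAT the pool behind the outside interface address for the hairpinned
!    leg; without this the traffic would leave with the private pool address.
nat (outside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface

! 5. Identity (no-NAT) rule so pool traffic to the inside LAN stays untranslated.
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 6. Tunnel group binding pool and policy to the IPsec remote-access group.
tunnel-group RAGROUP type ipsec-ra
tunnel-group RAGROUP general-attributes
 address-pool VPNPOOL
 default-group-policy RAGROUP
tunnel-group RAGROUP ipsec-attributes
 pre-shared-key REPLACE-WITH-REAL-KEY
```

Because the hairpinned Internet traffic re-enters the outside interface's inbound path, the access list applied to "outside" with access-group is what filters it; verify the intended policy is in that list rather than only on "inside".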