PIX VPN/SPLIT-TUNNELING

I currently have a site-to-site tunnel (and remote user tunnels) between two PIXes with split tunneling enabled so that remote users can go to the Internet directly instead of through the tunnel. However, we would like to change that and have all Internet traffic/requests from both PIXes enter and exit one PIX, and only that PIX will be the egress/ingress point for Internet traffic. Documentation links/configs on how this is done would be greatly appreciated.

Thanks,
raysharmaAsked:

Phil_AgcaoiliCommented:
OK, SPLIT TUNNELING IS BAD. Don't do it.
Sorry to yell, but when a user is VPNed into work, you don't want someone else to piggyback from his connection into your network.

Split tunneling in general is a bad idea because you are relying on the end user to be secure. Most users will not likely use due diligence to ensure they are not surfing the Web while accessing the corporate LAN.

But if you've been reading, this is how Microsoft got hacked a few years ago. An MS developer at home VPNs into MS, gets nailed with QAZ, the attacker rides along with the developer to access the MS network, and steals parts of Longhorn.

Here's Microsoft's take on split tunneling:
http://www.microsoft.com/technet/community/columns/cableguy/cg1003.mspx#EBAA
http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html

A majority of us security practitioners recommend that you do not allow split tunneling.
0
lrmooreCommented:
>we would like to change that and have all internet traffic/requests from both pixes enter and exit one pix and only that pix will be the egress/ingress point for internet traffic
No can do, my friend. The problem is in the way the PIX was designed. Traffic cannot arrive on one interface and be redirected back out that same interface. For example, if a user requests www.google.com and split-tunneling is disabled, that request gets tunneled down the VPN, arriving on the PIX outside interface. The destination would dictate that the PIX send it out to its default gateway - right back out the arriving interface - which simply will not be allowed.

Something to keep in mind if you are using the Cisco VPN client and have split-tunneling enabled as you do not - the VPN client has a built-in firewall that will prevent that host from becoming a pass-through to your network. If you choose to upgrade to a VPN3000 concentrator, then you can do exactly what you want, and have even finer control over the VPN client.
0

pazmanproCommented:
lrmoore is correct. The PIX cannot route traffic on the same interface. If you want remote VPN users to be able to browse the Internet without split tunneling, then you can use a proxy server on the inside (or DMZ) and have the users use that as their proxy server to the Internet.
0
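For reference, here is what the two states discussed above look like in PIX 6.x `vpngroup` configuration. This is an added example, not config posted by any of the participants; the group name, pool, inside network 10.1.0.0/16 and client pool 192.168.100.0/24 are constructed, and the lines starting with `!` are explanatory comments rather than config to paste.

```cisco
! Constructed example, PIX 6.x syntax; names and addresses are assumptions.
! Inside network 10.1.0.0/16, remote-access client pool 192.168.100.0/24.
ip local pool vpnpool 192.168.100.1-192.168.100.254

! State 1: split tunneling as the question describes. Only traffic to the
! inside network is tunneled; everything else (Internet) leaves the remote
! host directly, so the host is simultaneously on the LAN and the Internet.
access-list split-tunnel-acl permit ip 10.1.0.0 255.255.0.0 any
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers split-tunnel split-tunnel-acl
vpngroup remoteusers password PLACEHOLDER_PRESHARED_KEY

! Exempt tunnel traffic from NAT and let IPsec traffic bypass interface ACLs.
access-list nonat permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec

! State 2: split tunneling removed. Every client packet now goes down the
! tunnel and arrives on the outside interface.
no vpngroup remoteusers split-tunnel split-tunnel-acl
! The PIX will not send Internet-bound packets back out the outside interface
! they arrived on, so clients reach the Internet only via a proxy on the inside
! or DMZ (pazmanpro's suggestion); there is no client-side setting to push.
```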
raysharmaAuthor Commented:
Thanks to all.
0