Asked by s9
VPN split tunneling - real risks or not?
We have a Cisco PIX 515, with a remote client VPN set up.
My clients complain that they cannot access the internet when connected to the VPN, however I am being asked not to enable split tunneling as this poses too much of a security risk. Is this really the case?
Is there any way of either:
1. Telling the PIX how to route requests coming from VPN clients for www addresses
2. Setting up some static routes on the users' PCs instead of using split tunneling
Thanks in advance
ASKER
jjoseph_x - sounds like a good idea using a proxy on the inside. So I forward all upstream HTTP & HTTPS requests to the proxy and it then creates the route out. I will try it & award points if it works!
Thanks for your time
No problem.
War, this should not be deleted....the question was answered...points should go to jjoseph and tmehmet
Asker never came back to report if jjoseph_x suggestion worked for his specific problem.
That does not negate the fact that the question was correctly answered. Many questioners walk away after getting a solution without coming back. When the question has obviously been answered, the expert(s) should get the points.
I agree with JConchie (and not because I want the points). I believe that the question was answered correctly (because you've either got to use a split tunnel or set up a proxy in the scenario that he described... there's no way around it). Of course it's also very possible that it's infeasible for him to use a proxy server for his clients... so the answer still might not have suited him.
If you decided that the question is unanswered then I think that you really ought to refund S9's points. However, since I think that it was answered, I think that you should force an accept and split the points among all those who answered.
BTW thanks JConchie.
The question asked if split tunneling is an issue; it most certainly is an issue, and his boss (I assume) has told him not to allow it, hence he asked for an opinion from Experts Exchange.
We have answered the question.
Ok! Moderator, please change recommendation to
Split: jjoseph_x and tmehmet
Add their own ISP DNS servers as additional DNS servers, after your internal ones, and they will be able to access the internet when not connected to the VPN.