How to allow the VPN client to access the trusted zone plus surf the internet?

Dear expert,

I have configured the Cisco PIX 515E to allow a range of IP addresses to access the trusted resource via the VPN connection, but once they get connected they cannot access the internet. Please advise. Thanks.

What is the actual function responsible for split tunneling?



You are on the right lines in that you need to configure split tunneling. This tells the VPN client to encrypt only packets to the destinations you define; all other packets are sent across the internet and not down the VPN.

If your network at work is on 10.0.x.x, for example, and the VPN group name is 'groupname', then you would add the following to the PIX.

access-list splitTunnelAcl permit ip 10.0.0.0 255.255.0.0 any
vpngroup groupname split-tunnel splitTunnelAcl

You need to be careful when doing this. There are two ways to accomplish this.

The first way is to allow the split tunnel. However, this means that if the remote PC is compromised, it can act as a router into your private network, which is NOT good. In this situation you MUST make sure the remote PC is as protected as it can be and that the users are following documented procedures and guidelines for keeping their PCs safe.

The second way is to have the remote PCs access the Internet the same way they would in the office. This makes the PCs a little safer, as they can't act as a router while connected to the VPN. If they are compromised, it could be possible for somebody to put a program on the PC to change the routing tables to do the equivalent of a split tunnel, depending on whether you are using a VPN client provided with your VPN server or the L2TP/PPTP/IPSec built into the operating system. However, this method increases the traffic over your internet connection, as when the remote user is accessing the Internet the traffic must flow over your Internet connection twice.

This is why most personal VPNs are set up NOT to allow the client to access the Internet while connected to the VPN.

Just as an FYI, if you remember, a while back the MS network was compromised. It was compromised because an employee's home PC was set up so that it could access the Internet (using their home Internet connection) and MS's VPN at the same time, and the PC was compromised in a way that it acted as a router between the Internet and the MS private network.

> The second way is to have the remote PCs access the Internet the same way they would in the office. This makes the PCs a little safer, as they can't act as a router while connected to the VPN.

In order to do this with the PIX you will need to upgrade it to software version 7.
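As an added illustration (not from any post in this thread), here are both approaches in PIX 7.x syntax: the split tunnel restricted to the 10.0.0.0/16 network from the first answer, and the full tunnel where the PIX sends client Internet traffic back out its outside interface. The group name 'groupname', the interface names inside/outside and the VPN address pool 192.168.100.0/24 are assumptions for the example; check the command syntax against your PIX software release.

```cisco
! Option 1: split tunnel. Only 10.0.0.0/16 is sent down the tunnel;
! everything else leaves the client's own Internet connection.
! Keep this ACL to the corporate prefixes only: listing "any" here
! tunnels all traffic, which is the original problem.
access-list splitTunnelAcl standard permit 10.0.0.0 255.255.0.0
group-policy groupname internal
group-policy groupname attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
!
! Option 2: full tunnel. All client traffic comes to the PIX, which
! forwards Internet-bound packets back out the outside interface
! ("hairpinning"), so the client cannot route between its LAN and
! the corporate network while connected.
same-security-traffic permit intra-interface
! Assumed address pool handed to VPN clients
ip local pool vpnpool 192.168.100.1-192.168.100.254 mask 255.255.255.0
! Do not NAT inside <-> VPN pool traffic ...
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
! ... but NAT the pool to the outside address when it goes to the Internet
nat (outside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface
group-policy groupname attributes
 split-tunnel-policy tunnelall
!
! Bind the pool and policy to the tunnel group used by the clients
tunnel-group groupname general-attributes
 address-pool vpnpool
 default-group-policy groupname
```

Apply only one of the two split-tunnel-policy settings; the second option is the one the answer above says requires version 7, because PIX 6.x cannot send traffic back out the interface it arrived on.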
