JesusFreak42
Split Tunneling on Cisco ASA VPN Behind Sonic Wall

Hello all,
I will be helping a friend tomorrow try to figure something out and wanted to see who could help out. Basically, they have a functioning Cisco ASA VPN behind a SonicWall firewall. The Cisco was left in place because there were 3-5 users who still use it regularly and because they need it for their VoIP licensing. I am not sure how the two are connected at this point (port forwarding or proxy ARP or what). But here are some basic questions we need some advice on:
1) Is there anything inherently insecure about enabling split tunneling in this situation? Why or why not?
2) Can split tunneling be set up on a per-user basis, or can it only be enabled for everyone who uses the VPN?
3) How does one configure split tunneling using the CLI?
4) And finally, is there any reason, besides licensing costs, that we shouldn't just stop using the ASA for VPN and switch to just using the SonicWall?

Thanks!
ASKER CERTIFIED SOLUTION
Alan Huseyin Kayahan
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
^^ Thanks for the link Alan

Some experts will disagree about the security of split tunneling. The local internet connection is disabled for a reason: an infected remote client with malware on it that's VPN'd in without NAC, for example, can now connect to the internet unfiltered and connect to your corporate network.

For that reason I prefer 'forced tunnelling'. Use the search on the above site; I've written about that as well.

Pete
Here's the link (I was concentrating more on getting a coffee earlier, sorry!)

Cisco ASA - Remote VPN Client Internet Access
You are welcome Pete! Great article! (I am MrHusy, it's been a long time! :) )

You know it is enough for a client to be on the unfiltered Internet just for some period in order to get infected, so you should basically eliminate the chances of evading the VPN client. Unfortunately Cisco is not good at VPN client software (much better with AnyConnect, but still...); features like forced reconnect and auto connect on startup are easily alterable. Built-in VPN clients in OSes give the option of unchecking "use default gateway".

I have worked in a project where 600+ payment IBM kiosks were connected via VPN client. That was one of the times where we needed the security of full tunnelling, and I had to go to the extremes of user restrictions, scripting, programming and GPOs (you know how cumbersome it is to maintain GPOs on RA VPN clients) in order to prevent the user from evading the VPN client and reaching unfiltered Internet.

So full tunneling is secure if it is properly forced. A properly forced tunnel renders the client computer a restricted dummy platform.
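An added ASA CLI example (not from the members-only answer or from Pete's article) covering questions 2 and 3 above: one group policy that split-tunnels only the internal range, one that forces everything through the tunnel, and per-user assignment of either. The ACL, policy, object and user names and the 10.1.0.0/16 and 192.168.250.0/24 ranges are constructed placeholders, and the hairpin NAT line assumes ASA 8.3+ syntax.

```cisco
! --- Split tunnel: only 10.1.0.0/16 goes through the VPN, everything else
! --- leaves the client unfiltered (the risk Pete describes above).
access-list SPLIT_TUNNEL_ACL standard permit 10.1.0.0 255.255.0.0
group-policy SPLIT_USERS internal
group-policy SPLIT_USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
!
! --- Forced (full) tunnel: all client traffic, Internet included, goes
! --- through the ASA and can be filtered there.
group-policy FULL_TUNNEL internal
group-policy FULL_TUNNEL attributes
 split-tunnel-policy tunnelall
!
! --- Per-user assignment (question 2): the username attributes override
! --- whatever group policy the tunnel-group would otherwise apply.
username alice attributes
 vpn-group-policy SPLIT_USERS
username bob attributes
 vpn-group-policy FULL_TUNNEL
!
! --- With tunnelall, Internet traffic arrives and leaves on the same
! --- outside interface, so it must be allowed and NATed to the outside
! --- address or the client loses Internet access (the subject of Pete's
! --- article). VPN_POOL_NET is a constructed placeholder for the pool.
same-security-traffic permit intra-interface
object network VPN_POOL_NET
 subnet 192.168.250.0 255.255.255.0
nat (outside,outside) source dynamic VPN_POOL_NET interface
```

Verify the active policy on a connected session with `show vpn-sessiondb detail`; a tunnelall user should show no split-tunnel networks, and an unexpected split list is a sign the per-user override is not being applied.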