Split Tunnel Question
Posted by nt_pete@hotmail.com on September 14th, 2006


We have a PIX 515 where users connect via VPN Client to access the LAN
in our home office. It works just fine. We (Admins) have never wanted
to let users have access to their local LAN while connected to the home
office. We were able to convince management this was the right way to
do things....until now.

It seems users need to access their local LAN while connected via VPN
Client and according to new management it is HIGH PRIORITY. FIX IT!

It's not broke, we say... whatever, we lost.

I have tried these changes:

access-list vpnlist permit ip 10.1.1.0 255.255.255.0 any
vpngroup vpn3000 split-tunnel vpnlist

Where 10.1.1.x is the LAN at my house.

I successfully connect to the PIX with VPN Client and have access to my
local LAN but no access to the office LAN.

What am I doing wrong?

More info:

The PIX hands out to VPN Clients IPs that are on the same network as
the home office network. Does this complicate matters?

Thanks,

P.

Posted by Walter Roberson on September 14th, 2006


In article <1158256480.993091.213110@i42g2000cwa.googlegroups.com>,
<nt_pete@hotmail.com> wrote:
the access-list for a split-tunnel needs to be written as if the
source is the traffic on the PIX side, and the destination is
the PC side.

Yes: it only works if the PIX proxy-arps those IPs on the
inside network and has a host-specific route sending them out the
interface the VPN is connected to. proxy-arp is unreliable, and
proper construction of that host-specific route is too. It is usually
much easier to put the VPN client addresses into a different IP
range and then it all happens naturally by normal routing.

Posted by nt_pete@hotmail.com on September 14th, 2006


Walter,

Thanks for the quick reply. So it looks like I need to:

1. Create new VPN group
2. Make sure the new group receives a different network from the home office
3. New group should use home DNS/WINS
4. Create the access list for home network
5. Include the split-tunnel command for the new VPN group.

Anything else?

Thanks again,

P.

Posted by Walter Roberson on September 14th, 2006


In article <1158261026.613045.309590@d34g2000cwd.googlegroups.com>,
<nt_pete@hotmail.com> wrote:

That's probably for the best. Don't give the split tunnel to
people who don't need it.

Is there a good reason that they need to use the home DNS?
Your HQ is probably better protected against DNS poisoning
and such. But more so, those users are probably going to expect to
resolve your internal hostnames, which you probably shouldn't publish
to the outside world, so you probably want them to resolve through
the HQ DNS.

Similarly, you probably need to use the HQ WINS: if you need
WINS at all in your network then your users are going to expect to
be talking to your inside devices, which had better not work if
they are using an external WINS.

Posted by Darren Green on September 16th, 2006



"Walter Roberson" <roberson@hushmail.com> wrote in message
news:NbiOg.554151$IK3.69792@pd7tw1no...
Wouldn't you also need to add nonat between the internal networks and the
VPN Client pool?

Regards

Darren



Posted by nt_pete@hotmail.com on September 17th, 2006


This is still not working. These are the changes:

access-list vpnlist permit ip 10.1.1.0 255.255.255.0 10.31.79.0 255.255.255.0
vpngroup test split-tunnel vpnlist
vpngroup test address-pool newpool
vpngroup test default-domain bubba.ws
vpngroup test idle-time 1800
vpngroup test password curveball
ip local pool newpool 10.100.100.240-10.100.100.250

Where 10.1.1.x is the main office LAN and 10.31.79.x is the users home
LAN.

I connect, but no traffic goes into the main office LAN. The client has no
default gateway assigned for the DHCP-assigned (10.100.100.x) IP
address.

What's wrong?

Posted by Walter Roberson on September 17th, 2006


In article <1158519477.728470.299560@i42g2000cwa.googlegroups.com>,
<nt_pete@hotmail.com> wrote:
You are using vpngroup with an 'address-pool' clause, so the link
is assigned an ip in the newpool range. The destination part of
your vpnlist split tunnel should reflect that range; also, as was
raised by the other poster, you should make sure that your
nat (inside) 0 access-list has a line the same as your vpnlist line.
[Don't reuse access-lists, though: copy the line.]
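Putting Walter's two answers together (split-tunnel ACL written PIX-side source, client-pool destination, and a separate copy of that line in the nat 0 list) gives the configuration below. This is an added example, not config posted in the thread; it assumes the office LAN is 10.1.1.0/24, the pool is 10.100.100.240-250 (covered by 10.100.100.0/24), the inside interface is named "inside", and the DNS/WINS addresses are constructed placeholders.

```cisco
! Added example, not from the thread. Existing VPN settings (group
! password, sysopt connection permit-ipsec, isakmp/crypto map) are
! assumed to be in place already and are not repeated here.

! Client pool outside the office LAN: return traffic reaches the clients
! by ordinary routing, with no proxy-arp or host-specific routes needed.
ip local pool newpool 10.100.100.240-10.100.100.250

! Split-tunnel list: source = networks on the PIX side, destination = the
! client pool. Only matching traffic enters the tunnel; everything else
! (home LAN, Internet) leaves via the user's local connection.
access-list vpnlist permit ip 10.1.1.0 255.255.255.0 10.100.100.0 255.255.255.0

! NAT exemption for the same flows. A separate list with the line copied,
! not a reuse of vpnlist, so editing one list never silently alters the other.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.100.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! Only the group that needs split tunneling gets it; other groups keep
! full-tunnel behaviour. DNS/WINS point at HQ so internal names resolve
! there (10.1.1.10 and 10.1.1.11 are constructed placeholder addresses).
vpngroup test address-pool newpool
vpngroup test dns-server 10.1.1.10
vpngroup test wins-server 10.1.1.11
vpngroup test default-domain bubba.ws
vpngroup test split-tunnel vpnlist
vpngroup test idle-time 1800
```

After applying it, the client's route table should show only 10.1.1.0/24 via the tunnel and the office hosts should be reachable without the "no default gateway" symptom, since the gateway problem came from the pool sharing the office subnet.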

Posted by nt_pete@hotmail.com on September 17th, 2006


OK. That did it. Many thanks, especially to Walter.

I will try and argue our point to management that this is unwanted
behavior. Anyone know where I might find a list of good reasons why
split-tunnel is a bad idea?

Again Thank you for all the help. I appreciate it very much.

P.

Posted by Brian V on September 17th, 2006



<nt_pete@hotmail.com> wrote in message
news:1158524948.876182.82540@h48g2000cwc.googlegroups.com...
For every split tunnel you allow, you have punched a wide open hole in your
firewall policy; might as well just add a permit ip any any in it. Your edge
is no longer protected by the corporate firewall systems and is now reliant
on the security that the end user has, if any, at their home, Starbucks, any
wifi zone, etc. VERY bad policy to allow split tunneling.



Posted by nt_pete@hotmail.com on September 17th, 2006


OK. I want to understand this.

Are we saying that the traffic to and from the VPN client from users
home/remote/starbucks etc. LAN is going unencrypted to the main office?
In other words plain text over the Internet?

Thanks,

P.

Posted by Brian V on September 18th, 2006



<nt_pete@hotmail.com> wrote in message
news:1158534746.108330.212660@d34g2000cwd.googlegroups.com...
Not at all, got nothing to do with encryption, clear text...nothing like
that at all.

1, You have your internet at your corp, your internals are protected by your
firewall.
2, No one from the internet can get in to your corp LAN because of that
firewall.
3, You punch a couple holes in the firewall to allow VPN users to connect.
Still secure, username/password/certificate/whatever protected.
4, A user without split tunnel connects to your systems. His local internet
connection is essentially terminated because your VPN policy says, hey, you
can only talk to me, no one else, all traffic must be sent to me and all
traffic you receive will be from me. Still secure.
5, You allow a user to connect with a split tunnel policy. Your VPN system
says, hey, only send me the traffic destined for me, all other traffic use
your local internet connection. What this does is let Joe Hacker come in
through the internet on to that user's PC, bang, he's got a pipe right in to
your corporate infrastructure.



Posted by nt_pete@hotmail.com on September 18th, 2006


Brian,

Thanks for the explanation. That is sure enough worrisome by itself. I
guess we will need to write a contract that says home users who use
the corporate VPN MUST have a firewall/antivirus/spyware on their home
PCs and if there is a breach for lack of having said software THEY ARE
RESPONSIBLE. They sign it and their manager signs it.

Can't really do much else I guess.

Gracias,

P.

Posted by Brian V on September 18th, 2006



<nt_pete@hotmail.com> wrote in message
news:1158571165.611803.36970@d34g2000cwd.googlegroups.com...
I never caught the beginning of this thread.... Is there a business need
that you need to give them split-tunneling? If not, tough cookies for the
end user. IMHO split-tunneling should never be allowed. I discourage all of
my customers from using it.
If there is a need for internet access while VPN'd I push the customer
to buy a concentrator which will route the traffic while still securing the
edge. The concentrators are a very cheap way of maintaining that security on
the edge. List on a 3005 is 2995.00. I have also heard rumor that you can do
this with Pix 7 by using the same-interface commands. I have not had the
time to test this yet, so not sure if it works, definitely worth looking in
to though.

-Brian



Posted by nt_pete@hotmail.com on September 18th, 2006


Hi Brian,

The only business need is convenience (printing, shares, etc.). The other
thing going on is management's misunderstanding that something must be
BROKE if they can't access both LANs while connected to the PIX via VPN
Client. I have worked with concentrators at other jobs and they are
great, I agree, but this company is private so getting them to spend on
security is a waste of time. In fact they see the whole IT department
as a black hole. If they had their way we'd still be on Windows 98
with Windows 3.1.

Cheers,

P.
