Security Risks for Allowing Local LAN Access for VPN Clients

Harold Giles
Level 1

What are the security risks for allowing local LAN access through a Cisco ASA 5500 for printing purposes?


andrew.prince
Level 10

For printing, none.

Is there a particular reason for encrypting ALL traffic over the remote VPN, and allowing local LAN access?

You could just configure split tunneling and encrypt only the internal traffic to the subnets required?

HTH

Andrew,

When you set up Split Tunneling and encrypt only the internal traffic, do you also include the WINS servers, DNS servers, and RADIUS servers in addition to your file sharing server or do you only include the file sharing server? The users only need to access one file sharing server and nothing else.

Thanks.

Diane

Diane,

As a rule of thumb, I generally encrypt all data to the internal subnet - we have planned our use of IP addressing, as a result we use the 10/8.

As the majority of cable/ADSL modem vendors tend to use the 192.168/16 or 172.16/19 addressing from RFC1918 - it's simple.

For you I would add the subnets (if not on a single common subnet) for:

1) DNS - they will need this to browse the internet via their own internet connection.

2) WINS - if they have an old OS, if XP and above - not required.

3) File Sharing server IP address.

HTH
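The two ASA group-policy approaches discussed in this thread, side by side, as an added example that is not part of any poster's reply. All ACL names, group-policy names and IP addresses are constructed placeholders, and the group policy still has to be attached to the relevant tunnel group or user.

```cisco
! Added example. Names and addresses below are constructed placeholders.
!
! Option A (the original question): tunnel all traffic, but exclude the
! client's own local LAN so a locally attached printer stays reachable.
! "host 0.0.0.0" in the exclude list stands for whatever LAN the client is on.
! The user must also enable "Allow local LAN access" in the VPN client.
access-list LOCAL_LAN_ACCESS remark Exclude client local LAN from the tunnel
access-list LOCAL_LAN_ACCESS standard permit host 0.0.0.0
!
group-policy VPN_TUNNEL_ALL internal
group-policy VPN_TUNNEL_ALL attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL_LAN_ACCESS
!
! Option B (suggested in the replies): split tunneling. Only the listed
! internal destinations are encrypted; everything else, including the
! local printer and Internet browsing, leaves via the client's own link.
access-list SPLIT_TUNNEL remark File sharing server (placeholder address)
access-list SPLIT_TUNNEL standard permit host 10.1.1.10
access-list SPLIT_TUNNEL remark Internal DNS server (placeholder address)
access-list SPLIT_TUNNEL standard permit host 10.1.1.53
access-list SPLIT_TUNNEL remark WINS server, only for older clients (placeholder)
access-list SPLIT_TUNNEL standard permit host 10.1.1.54
!
group-policy VPN_SPLIT internal
group-policy VPN_SPLIT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Verification on the ASA after a client connects:
!   show running-config group-policy VPN_SPLIT
!   show vpn-sessiondb detail
```

With Option A the ASA still sees and can filter all non-local traffic; with Option B the client's Internet traffic bypasses the ASA entirely, so the listed hosts should be kept to the minimum the users need.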
