Regarding Easy VPN Policy

Unanswered Question
Jan 6th, 2009

Dear Team,

1. When the Easy VPN client gets connected to the Easy VPN server, the client can access the internet as well as the network behind the VPN server (if split tunnelling is enabled). It means that if anyone on the internet has compromised the VPN client system, then he can get into the VPN server network, which is risky.

In Checkpoint we have the option of using SecureClient VPN, in which, once the VPN client has established the VPN tunnel, one Desktop policy gets pushed to the VPN client system (apart from assigning an IP address to the VPN client by the VPN gateway). This Desktop policy will have rules which mention the access the VPN client system can have. These rules will normally enable access from the VPN client to anywhere, which will include the network behind the VPN gateway as well as the internet, but there will normally be a rule which says that anything initiated from the internet to the VPN client system is blocked. So this way the VPN client system is secured.

But I have not seen such a configuration in Cisco PIX. In PIX we will simply enable IKE and IPsec, and then once the VPN client system gets connected it will get the IP address from the VPN server.

2. One more question: if I am accessing the VPN server from home, when the Easy VPN client gets connected to the VPN server, then as we know we can access the internet as well as the network behind the VPN server. To access both these networks, will I be using the same public IP address (which is provided to me by the service provider), or will the service provider automatically use a different public IP for accessing the VPN tunnel and a different IP for accessing the internet? I believe it should be the same IP address. Am I right?

Ivan Martinon Fri, 01/09/2009 - 16:22

First question depends on the version of code that your PIX is running. If the code is 7.x or later, you do have the firewall policy feature on the group policy for the EzVPN (VPN client), and from there you can choose to send rules based on ACEs that you define on the firewall.

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/c.html#wp1966530

On versions prior to 7.x, namely 6.x and before, these options are not available.

Second question, depends on the point of view:

For plain text traffic namely internet traffic you will use the address assigned by the provider.

For the VPN we have 2 points of view. From VPN client to VPN server, you will only see traffic coming from your ISP public address of the client to the public address of your firewall. Now, if what you mean is with what IP address you will access the network behind the VPN server, then it is with the address that your VPN server assigned to your client.
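As an added illustration of the group-policy feature described in the answer above (this is example configuration written for this page, not configuration from the original post or from Cisco documentation), the fragment below shows how a PIX/ASA running 7.x code can push a client firewall policy to an Easy VPN client alongside split tunnelling. The `client-firewall req cisco-integrated acl-in ... acl-out ...` command is the one the linked command reference documents; all names (EZVPN-POOL, SPLIT-TUNNEL, CPP-IN, CPP-OUT, EZVPN-GP, EZVPN-TG) and addresses (10.10.10.0/24 pool, 192.168.1.0/24 inside network, 192.168.1.10 DNS) are made-up values for the example, and the pre-shared key is a placeholder.

```cisco
! --- Example ASA/PIX 7.x configuration (hypothetical names and addresses) ---

! Address pool handed out to Easy VPN clients when the tunnel comes up
ip local pool EZVPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Only the inside network goes through the tunnel; internet traffic stays in the clear
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0

! Rules pushed to the VPN client's Cisco Integrated Client firewall.
! acl-in  = traffic arriving AT the client; acl-out = traffic leaving the client.
! Inbound: allow only the example helpdesk RDP from the inside network, deny everything
! else (this is what blocks sessions initiated from the internet toward the client).
access-list CPP-IN extended permit tcp 192.168.1.0 255.255.255.0 any eq 3389
access-list CPP-IN extended deny ip any any
! Outbound: the client may initiate anything (tunnel and internet)
access-list CPP-OUT extended permit ip any any

! Group policy for the Easy VPN clients
group-policy EZVPN-GP internal
group-policy EZVPN-GP attributes
 dns-server value 192.168.1.10
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 ! "req": the client must run the integrated firewall or the connection is refused;
 ! use "opt" to merely recommend it
 client-firewall req cisco-integrated acl-in CPP-IN acl-out CPP-OUT

! Remote-access tunnel group tied to the pool and the group policy
tunnel-group EZVPN-TG type ipsec-ra
tunnel-group EZVPN-TG general-attributes
 address-pool EZVPN-POOL
 default-group-policy EZVPN-GP
tunnel-group EZVPN-TG ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
```

With `req`, a client that is not running the integrated firewall is refused, so the pushed inbound deny rule is in force whenever split tunnelling exposes the client to the internet. After a client connects, `show vpn-sessiondb remote` on the ASA lists the session together with the pool address assigned to the client, which is the address the inside network sees, while the ISP-assigned public address is what the outside interface of the firewall sees on the IKE/IPsec packets.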
