Sending traffic from VPN clients through the PIX to the Internet

elipschutz · ‎07-18-2003

Is it possible to send traffic from Cisco VPN clients to the Internet through the PIX firewall? I don't want to use split tunneling.

This is what is logged in the PIX:

106011: Deny inbound (No xlate) tcp src outside:x.x.x.x/3048 dst outside:y.y.y.y/23

x.x.x.x = VPN client pool

y.y.y.y = Server on the Internet

Can this be done at all or is there a limitation in the PIX firewall preventing this?

Thanks,

gfullage · ‎07-20-2003

The PIX won't allow traffic to be routed out the same interface it came in on, that includes traffic coming in over a VPN tunnel and going back out unencrypted to the Internet.

You can do it if you follow this sample:

http://www.cisco.com/warp/public/110/client-pixhub.html

but it requires two external interfaces on the PIX (something you may not have), and with VPN clients the routing would be a nightmare, you'd have to add specific static routes for the VPN clients subnets, probably unworkable in the long run.

Short answer, no, you can't do it without doing split tunnelling. Keep in mind the VPN client has a built-in firewall in it now that will disallow any external connection from being accepted, negating most of the risks of split tunnelling. You can even have this firewall enabled all the time, even when the tunnel isn't connected, further securing your PC's.

elipschutz · ‎08-28-2003

Is it possible to disallow VPN clients that don't have the integrated firewall enabled to connect to the PIX?

I know this is possible with a VPN concentrator, but is this possible with the PIX firewall?

Thanks.

andrew.burns · ‎07-21-2003

Although you can't do this directly you can if you have a proxy server on a dmz. In this case the client makes all it's connections to the proxy and the proxy makes all the internet connections. You don't then have to use split-tunnelling.

Andrew.