Do you recommend split tunneling VPN? I would like to establish a site-to-site VPN between a remote office and HQ, and users can access the internet at their site. Or is it better to have internet access at the HQ site?
I'm a big fan of split tunneling. The biggest reason is that if you don't, you are going to send all your web traffic through an encrypted tunnel back to HQ. That will render slow internet speed, etc. If corporate internet usage policy, user web surfing, etc. are not an issue, I'd use the split tunnel and be done with it.
It is basically a security issue against performance.
Performance: Internet access by the tunnel will require packet encryption, decryption at the other end, proxy from the server if you are using a proxy, etc. Depending on the Internet traffic (as it is used as the transport for the VPN), users might experience some delays when loading pages.
Security: On the other hand, if your users connect directly to the internet and at the same time have a tunnel to your HQ, and those systems get compromised by an Internet attack, then your whole infrastructure will be at risk also.
So as you can see, there are advantages and disadvantages when using split tunnel. At the end of the day it is the customer's call and yours as the IT person.
Another thing to keep in mind is that if your remote users require local access to another network feature (say printer servers or any other locally situated network device), then split tunneling will be needed. But as the others said, using split tunneling opens your devices to attack. If you do not use split tunneling, then corporate holds all the responsibility for protecting you as well as themselves. It also may be an issue with your auditors. You may not pass your audit if you are running split tunneling.