
ASA 5510 split-tunneling with ssl vpn


burtsbees (Programmer, US), Jan 29, 2007
Are there really any issues these days with split tunneling in an ASA 5510 with a good firewall config behind it? The only issue I ever knew of with split tunneling was that a vpn connected user would then also be connected to the insecure network known as the internet, and could potentially be a gateway for a hacker/cracker to jump through the vpn...

Burt
 
Actually, maybe there's an ssl angle that I missed...as far as I can tell, the only difference between a regular remote-access vpn and an ssl vpn is the way they authenticate (like username/password), and the ssl vpn seems more user friendly and there is no need to install the Cisco VPN Client on each machine (it gets installed through the web vpn). Is this all correct?
Our users where I work are now going to connect to the company vpn via ssl vpn configured in a new ASA 5510, and some were not able to connect to the internet (to still receive emails, mainly) when connected to the VPN. The document you provided seems very similar to the "include-local-lan" command under the "crypto isakmp client configuration group" command in a router when configuring a remote-access vpn in a router. I advised that they do not split-tunnel, but was really unaware of an alternative. Thanks for the response.

Burt
 
Burt,

Be cautious when you say "difference...is the way they authenticate". All the VPN types can use the same methods to authenticate, like RADIUS, TACACS+, LDAP, etc.

That said, SSL VPN users often authenticate at the ASA's webpage, but if you have a profile configured locally you can connect an AnyConnect client without needing to browse to the ASA. Meanwhile, IPsec client users must authenticate within the IPsec client.

We had a discussion about the different types of VPN, here:

"include-local-lan" looks like the same thing to me. Referenced here:



Matt
CCIE Security
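The three split-tunnel postures discussed in this thread, written out as ASA group-policy configuration. This is an added example and is not configuration posted by either participant; it assumes ASA 8.x CLI syntax, and the policy names, ACL names and network ranges are placeholders.

```cisco
! Constructed example: three ASA group policies for AnyConnect/SSL VPN users.
! Names (FULL_TUNNEL, LOCAL_LAN, SPLIT, SSLVPN_USERS) and addresses are placeholders.

! 1) No split tunneling (the "don't split-tunnel" advice in the thread).
!    Every packet from the remote host enters the tunnel, so the ASA and the
!    inside firewall see all of it. Users only reach the Internet (mail, web)
!    if the ASA is also configured to hairpin that traffic back out.
group-policy FULL_TUNNEL internal
group-policy FULL_TUNNEL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall

! 2) Local-LAN access only (the ASA equivalent of the router's
!    "include-local-lan"). Only the subnet the client sits on is excluded
!    from the tunnel; Internet traffic still rides the VPN and is policed
!    by the ASA. The AnyConnect profile must also allow local LAN access.
access-list LOCAL_LAN_ONLY standard permit host 0.0.0.0
group-policy LOCAL_LAN internal
group-policy LOCAL_LAN attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL_LAN_ONLY

! 3) Classic split tunneling: only corporate networks go through the tunnel;
!    everything else leaves the host directly. This is the posture that
!    exposes the host to both networks at once, so the host firewall and
!    endpoint posture matter more here than in the other two options.
access-list CORP_NETS standard permit 10.0.0.0 255.0.0.0
group-policy SPLIT internal
group-policy SPLIT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CORP_NETS

! Bind the chosen policy to the SSL VPN connection profile.
tunnel-group SSLVPN_USERS type remote-access
tunnel-group SSLVPN_USERS general-attributes
 default-group-policy FULL_TUNNEL

! Verify on the ASA, then on a connected client compare the routing table
! (route print / netstat -rn) to confirm which destinations use the tunnel.
! show running-config group-policy FULL_TUNNEL
! show vpn-sessiondb anyconnect
```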
 