Just Say No tp Split Tunneling

maynarja

MIS
Jan 24, 2007
41
CA
I must be missing something obvious.

I am trying to force all traffic through the tunnel (internet and local traffic). I do not want to use split tunneling, which works fine.

pfSense --- vpn remote network = 0.0.0.0 0.0.0.0
PIX ----- IPsec Rule = 0.0.0.0 0.0.0.0 with destination 10.1.1.0 255.255.255.0

I can get to everything into the core network and all subnets even if I add RRI on the PIX still I get no internet.

[bigears]
 
with PIX you MUST split tunnel..

In your scenario you would go into the PIX and come back.. for traffic to flow properly with a PIX you must flow through the pix..


BuckWeet
 
Maybe I should clear up what I meant or maybe you fully got it and I do not.

Site to Site
Users ---> pfSense ----> Internet <----- PIX <---- CORP-Net

I want users on the pfSense side to have all traffic flow through the tunnel including internet traffic and then through the PIX.

Currently users on the pfsense side go to the PIX only for corporate network data but go through the internet at the pfSense side. pfSense is Split Tunneled

I have tried to tell both PIX and pfSense to send 0.0.0.0 through the tunnel.

For ex: pfsense 0.0.0.0 traffic go to PIX
PIX then sends 0.0.0.0 with destination pfsense back through the tunnel.

Result is I cannot surf the internet on the pfSense side.
Even if I inject the route I cannot make the traffic come back.

 
If your FOS version is 6.x it won't work.

I understand that version 7 can do this, but I haven't used it so I can't help with the configuration.
 
It is 7.x and I will figure it out and post the result unless someone posts it before I get the chance.
 
Correct me if I am wrong.

PIX Config
access-list IPSEC_21 permit ip 0.0.0.0 0.0.0.0 10.2.2.0 255.255.255.0
same-security-traffic permit intra-interface


pfSense
remote 0.0.0.0 0.0.0.0
remote gw [staticPublicIP]

use 0.0.0.0 0.0.0.0 to force all traffic through the tunnel?
use "same-security-traffic permit intra-interface" to allow all traffic to return out the same interface it is received?
 
Yes, "same-security-traffic permit intra-interface" will allow traffic to be routed out the same interface it came in on. There are a few other settings you will need. You will need to translate the VPN clients. This can be done by the nat and global statements:

nat (outside) 8 192.168.xxx.0 255.255.255.0
global (outside) 8 interface

192.168.xxx.0 would be the range you are using for VPN clients.

You will also need to define a default route for VPN clients.

route outside 0.0.0.0 0.0.0.0 tunneled

Disable split tunneling if you want all traffic to flow through the VPN. If you still have problems post your scrubbed config.

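As an added check, not from the thread or from Cisco, the script below audits a PIX 7.x config for the four pieces the answer above says a hairpinned full tunnel needs: the crypto ACL with a 0.0.0.0 0.0.0.0 source, the intra-interface permit, a matching nat/global pair for the remote network, and the tunneled default route. The sample configs are constructed; it assumes the pfSense LAN is 10.2.2.0/24 (as the ACL quoted in the thread implies) and uses a placeholder next hop, and it treats the nat id and global id as needing to match.

```python
import re

# Constructed sample in the shape the thread's answer describes (addresses are placeholders;
# the pfSense LAN is taken to be 10.2.2.0/24, matching the crypto ACL quoted in the thread).
FULL_TUNNEL_CONFIG = """
access-list IPSEC_21 permit ip 0.0.0.0 0.0.0.0 10.2.2.0 255.255.255.0
same-security-traffic permit intra-interface
nat (outside) 8 10.2.2.0 255.255.255.0
global (outside) 8 interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1 tunneled
"""

# Constructed sample of the poster's starting point: crypto ACL and hairpinning only,
# so decrypted internet-bound traffic has no translation and no tunneled default route.
SPLIT_ONLY_CONFIG = """
access-list IPSEC_21 permit ip 0.0.0.0 0.0.0.0 10.2.2.0 255.255.255.0
same-security-traffic permit intra-interface
"""

NAT_RE = re.compile(r"^nat \(outside\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \(outside\) (\d+) interface$")
ACL_RE = re.compile(r"^access-list \S+ permit ip (any|0\.0\.0\.0 0\.0\.0\.0) ")
# Next hop is optional here so the thread's short form and the gateway form both match.
ROUTE_RE = re.compile(r"^route outside 0\.0\.0\.0 0\.0\.0\.0( \S+)? tunneled$")

def audit_full_tunnel(config: str, remote_net: str, remote_mask: str) -> list[str]:
    """Return the settings the thread's answer requires that are absent from `config`."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    missing = []
    # 1. Hairpinning: let decrypted traffic leave via the interface it arrived on.
    if "same-security-traffic permit intra-interface" not in lines:
        missing.append("same-security-traffic permit intra-interface")
    # 2. Crypto ACL: any source behind the PIX (0.0.0.0 0.0.0.0 or 'any') toward the remote net.
    if not any(ACL_RE.match(ln) for ln in lines):
        missing.append("crypto access-list with source 0.0.0.0 0.0.0.0")
    # 3. PAT of the remote network to the outside address: nat id must pair with a global id.
    nat_ids, global_ids = set(), set()
    for ln in lines:
        m = NAT_RE.match(ln)
        if m and (m.group(2), m.group(3)) == (remote_net, remote_mask):
            nat_ids.add(m.group(1))
        m = GLOBAL_RE.match(ln)
        if m:
            global_ids.add(m.group(1))
    if not nat_ids & global_ids:
        missing.append(f"nat/global pair translating {remote_net} {remote_mask} on outside")
    # 4. Tunneled default route so VPN-sourced traffic is forwarded out to the internet.
    if not any(ROUTE_RE.match(ln) for ln in lines):
        missing.append("route outside 0.0.0.0 0.0.0.0 tunneled")
    return missing

if __name__ == "__main__":
    for name, cfg in (("full-tunnel", FULL_TUNNEL_CONFIG), ("split-only", SPLIT_ONLY_CONFIG)):
        print(name, "missing:", audit_full_tunnel(cfg, "10.2.2.0", "255.255.255.0") or "nothing")
```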