Q: PIX VPN Client Pool /Split-Tunnel 1

[azstyx]

Scenario: small business network, 25 users, pix 506e.
Inside network: 192.168.105.0/24, 192.168.151.0/24
no routers, all devices connected to the same Netgear switch.
Critical PIX configs:
access-list vpn_nonat permit ip any 192.168.151.0 255.255.255.0
ip address inside 192.168.105.1 255.255.255.0
ip local pool corppool 192.168.151.1-192.168.151.50
global (outside) 1 interface
nat (inside) 0 access-list vpn_nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpngroup corpvpn split-tunnel vpn_nonat

Q1: Will this work correctly if the vpn client pool is a differnet network than what the PIX resides on? In this case the inside address of the PIX is 192.168.105.1 but the client vpn pool is defined on a different network 192.168.151.0?

Q2: access-list vpn_nonat permit ip any 192.168.151.0 255.255.255.0
Here I am defining the interesting traffic that needs to be encrypted so I am saying any packets from ANY source with destination 192.168.151.0 must be encrypted.
Is it OK or prudent to use the ANY? Should I specifically define a "source" network?
What is the impact on the split-tunnel?
How does the split-tunnel work with the PIX (done it with vpn3000 and know how that works and configures)?
i.e. if i am a dialup user and get an ip address of 66.10.10.35 and then i connect to the pix and get a client ip address of 192.168.151.1, how does split-tunnel work?
What if the corp network had nets 10.0.0.0 and 172.16.0.0 too and i wanted any traffic going to 192.168.0.0, 10.0.0.0 and 172.16.0.0 to be encrypted and go through the vpn tunnel but all other traffic be routed to my local internet connection?
THX folks for any opinions or suggestions,

 

[yizhar]

HI.

> Inside network: 192.168.105.0/24, 192.168.151.0/24
> no routers, all devices connected to the same Netgear switch
So how exactly do you have 2 different subnets?
Or is 192.168.151.0 used for remote VPN clients ONLY?
Please provide more details about those 2 subnets.

> Q1: Will this work correctly if the vpn client pool is a differnet network than what the PIX resides on
This is OK. Actually - the vpn pool must not conflict with the internal subnet. This helps both the pix and internal hosts to distinguish between real internal hosts which will be accesses using ARP, and vpn clients which will be accessed via the pix.
The pix should be the default gateway of all internal hosts (when there is no other internal router in the path).

> Q2: access-list vpn_nonat permit ip any 192.168.151.0 255.255.255.0
> Is it OK or prudent to use the ANY? Should I specifically define a "source" network?
It is OK, but you can also specify the source network as 192.168.105.0 255.255.255.0 . I usually do that.

> How does the split-tunnel work with the PIX
It is similar to the VPN concentrator. The pix pushes that info to the VPN client, and the client uses that access-list (in reverse order of source-dest) as the "interesting traffic" that should be tunneled, versus other traffic sent in clear text to the ISP.

> What if the corp network had nets 10.0.0.0 and 172.16.0.0 too
Same idea.

Bye


Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[azstyx]

THX for the info Yizhar,
I just opened a support TACS case on a different PIX VPN issue and I discussed these questions with tha Cisco engineer.
Cisco basically said the same as you:
They recommend that your client pool is a different subnet that what the inside address resides in, especially if you are in a medium or large network. Its ok in a small soho environemnt but you could use up your address quickly having a pool.
They also recommended that you create a separate access list for the split-tunnel and list all the networks that you want to force through the tunnel such as RFC1918 nets.
THX,
Keith