Site-to-site - no split tunnel?

[stakano]

I'm looking to disable split tunnelling when there is a site-to-site tunnel between PIX's.

Is there a command that would not allow split tunnel? Or is it just a matter of applying an access-list on the inside to permit only VPN encrypted traffic to the hub site, and deny the rest?

 

[tbissett]

Configuring a site-to-site VPN tunnel on the PIX involves defining what traffic needs to be encrypted, so by it's very nature, it is a split tunnel. I'm not sure if you could define a network 0.0.0.0/0.0.0.0 as interesting traffic, but give it a try.

The other alternative is to configure your VPN device with the EzVPN feature in Network Extension Mode. EzVPN turns the remote endpoint into a VPN hardware client, and NEM still gives you the site-to-site capabilities. Configuring it this way would give you a full tunnel (it can also do split, in case you were wondering).