
External VPN Users Can’t Browse the Internet

Status
Not open for further replies.

TBenz345

MIS
Joined
Jun 16, 2003
Messages
9
Location
US

We have users who VPN into our site to gain access to internal resources. We would like to give them the ability to also browse the internet while they are doing work on our network. Our configuration is as follows…

Cisco 3640 External Router (Handles WAN connections)

Cisco 506 PIX Firewall (VPN Users terminate to this device due to its Radius support)

Do newer IOSs have better Radius support so we can terminate VPN users to the router?
Is there any way (without expensive additional hardware) to configure/reconfigure our systems to allow Internet browsing while VPN’ed into our corporate network?

Any suggestions/help/places to look/etc. are greatly appreciated!

TBenz345


 
I should also add that we are going to be upgrading to IOS 12.3 for the router shortly... will that help us out?

TBenz
 
This is called split tunnelling. It's considered a bad idea, because in the event that any of your remote users get hacked, or pick up a trojan, you've just let that right onto your corporate network, as they have simultaneous Internet access at the same time as access to your network. An attacker can tunnel off their machine right onto your network. So you've bought a Cisco firewall, but your perimeter network security relies entirely on the security of your remote users' machines; they are the weakest link.

If you still want to do it, it's one command in the PIX to enable it, but I'd basically say don't allow it. Laptop users get hacked a hell of a lot easier than a PIX does. I've yet to hear a good argument for allowing split tunnelling.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
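For the two settings the reply above contrasts, here is an added example that is not from this thread or from Cisco's documentation: a PIX 6.x remote-access VPN group with split tunnelling enabled, followed by the full-tunnel form the reply recommends. The group, pool and ACL names, the addresses, the `!` annotation lines and the pre-shared key placeholder are all assumptions.

```cisco
! Added example (not from the thread). Hypothetical names: group "remote_users",
! pool "vpn_pool", ACL "split_tunnel_acl", inside network 10.10.0.0/16.
ip local pool vpn_pool 192.168.50.1-192.168.50.50
!
! The split-tunnel ACL defines which traffic the client sends through the
! tunnel: only packets between the inside network and the VPN pool.
! Everything else (web browsing included) leaves the client in the clear
! on its local Internet connection, bypassing the corporate firewall.
access-list split_tunnel_acl permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0
!
vpngroup remote_users address-pool vpn_pool
vpngroup remote_users dns-server 10.10.1.10
vpngroup remote_users default-domain example.internal
vpngroup remote_users split-tunnel split_tunnel_acl
vpngroup remote_users idle-time 1800
vpngroup remote_users password PRESHARED-KEY-PLACEHOLDER
!
! Full-tunnel alternative (the thread's advice): the same group without a
! split-tunnel ACL. The client then routes all of its traffic through the
! tunnel, so the remote machine has no Internet path that bypasses the PIX.
no vpngroup remote_users split-tunnel split_tunnel_acl
```

Checking `show vpngroup` (or the running config) for any `split-tunnel` line on a group is the quickest way to confirm which mode a PIX 6.x box is actually in.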
 
Could you point me to a document that has a good overview of split tunnelling (how it works, commands for it, etc.) and the potential security risks?

TIA
TBenz
 