[wplug] ssh with VPN question

Brian A. Seklecki bseklecki at collaborativefusion.com
Mon Mar 22 09:45:56 EDT 2010


On Fri, 2010-03-19 at 21:31 -0400, Rick Reynolds wrote:
> I may just live with the slowness.  I could change my local network to
> something else, but I want to think about that a bit more before
> trying that.

Cisco introduced split tunnel ACLs to fix this. 

You pass an IP extended access list along with the policy.
Coincidentally, on my agenda this week is to test IPv6 ACLs in
combination with v4 ACLs in ESP tunnels on the latest PIX 8.x

They also have an "enable local LAN" flag that the client can request and
the server can approve; it exempts locally connected subnet destinations
from cross-tunnel forwarding if they match the policy ACL. (The trick is
that the Cisco client will, by default, forward matching hosts, assigning
the VPN destinations a lower routing cost than directly-connected routes
(normally 1 or 0); the default gateway is of course always exempted.)

~BAS

-- 
Brian A. Seklecki <bseklecki at collaborativefusion.com>
Collaborative Fusion, Inc.
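As an added illustration of the two mechanisms Brian describes (this is example configuration written for this page, not taken from the post, from Rick's setup or from any particular Cisco deployment), here is what a split-tunnel ACL and a local-LAN exemption look like in ASA/PIX 7.x/8.x syntax. The ACL names, group-policy names, tunnel-group name and the 10.10.0.0/16 and 10.20.0.0/16 corporate ranges are all assumptions chosen for the example.

```cisco
! Added example, not from the original post. Names and prefixes are hypothetical.

! 1. Split-tunnel ACL: only destinations matching this list are sent through
!    the tunnel; everything else leaves the client's physical interface
!    unencrypted. The standard ACL is passed down to the client with the policy.
access-list SPLIT_TUNNEL_ACL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_TUNNEL_ACL standard permit 10.20.0.0 255.255.0.0

group-policy REMOTE_POLICY internal
group-policy REMOTE_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL

! 2. Local LAN access: keep everything in the tunnel except the client's
!    directly connected subnet. "host 0.0.0.0" is the value the client
!    interprets as "my locally connected network"; the head-end approves the
!    client's request for it with excludespecified.
access-list LOCAL_LAN_ACL standard permit host 0.0.0.0

group-policy LOCAL_LAN_POLICY internal
group-policy LOCAL_LAN_POLICY attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL_LAN_ACL

! Bind whichever policy applies to the tunnel group the clients connect to.
tunnel-group REMOTE_USERS type remote-access
tunnel-group REMOTE_USERS general-attributes
 default-group-policy REMOTE_POLICY
```

Two caveats a practitioner would want before relying on either. First, the local-LAN exemption only takes effect if the client side also asks for it (the "Allow Local LAN Access" option in the Cisco IPsec client); the head-end approving it is necessary but not sufficient, and after connecting you can confirm what the client actually did from its route details, which list the secured routes separately from the local-LAN routes. Second, neither mechanism helps when the home LAN uses a prefix that also appears in the split-tunnel ACL: as Brian notes, the client gives VPN destinations a lower cost than the directly-connected route, so an overlapping prefix still goes into the tunnel, and renumbering the local network remains the fix for that case. Both options also widen the endpoint's exposure: with split tunneling the client is reachable from its local network and the corporate network at the same time, so a compromised host on the home LAN sits one hop from the tunnel, which is why many policies keep tunnelall and accept the slower path.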