Options for Internet Access Through a Mobile VPN with IPSec Tunnel
When you configure Mobile VPN for your remote users, you must choose whether their general Internet traffic goes through the VPN tunnel or bypasses it. Your choice affects your network security, because Internet traffic that does not go through the tunnel is neither filtered by Firebox policies nor encrypted. In your configuration, you specify your choice with the tunnel route you select: default-route VPN or split tunnel VPN.
Default-Route VPN
The most secure option is to require that all remote user Internet traffic be routed through the VPN tunnel to the Firebox. From the Firebox, the traffic is then sent back out to the Internet. With this configuration (known as default-route VPN), the Firebox can examine all of the remote user's traffic and apply its policies, which provides increased security, although the Firebox uses more processing power and bandwidth.
For more information about dynamic NAT, see Add Network Dynamic NAT Rules.
Split Tunnel VPN
Another configuration option is to enable split tunneling. With this configuration, only traffic destined for the networks behind the Firebox goes through the tunnel, and users browse the Internet directly from their own connection. Split tunneling decreases security, because Firebox policies are not applied to the Internet traffic, but performance is increased. If you use split tunneling, your client computers should have a software firewall.
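To verify on a client which of the two tunnel routes is actually in effect, the routing table tells you: under default-route VPN the lowest-metric default route points at the VPN interface, under split tunnel only the remote networks do. The following check is an added example, not WatchGuard's code; it assumes Linux `ip route show` output and a tunnel interface named `ipsec0`, and the two routing tables are constructed samples, not captured from a real host.

```python
from typing import Dict, List

# Constructed sample: client where the IPSec client installed a default route
# through the tunnel interface (default-route VPN). Not captured from a real host.
DEFAULT_ROUTE_SAMPLE = """\
default via 10.200.0.1 dev ipsec0 metric 10
default via 192.168.1.1 dev wlan0 metric 600
10.200.0.0/24 dev ipsec0 proto kernel scope link src 10.200.0.17
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
"""

# Constructed sample: only two remote networks are routed through the tunnel,
# the default route stays on the local Wi-Fi uplink (split tunnel VPN).
SPLIT_TUNNEL_SAMPLE = """\
default via 192.168.1.1 dev wlan0 metric 600
10.0.1.0/24 via 10.200.0.1 dev ipsec0
10.0.2.0/24 via 10.200.0.1 dev ipsec0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
"""


def parse_routes(output: str) -> List[Dict[str, str]]:
    """Parse `ip route show` lines into dicts with keys dst, dev and metric."""
    routes = []
    for line in output.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        route = {"dst": dst, "dev": "", "metric": "0"}
        # Remaining tokens come in "keyword value" pairs; keep the ones we need.
        for key, val in zip(parts[1:], parts[2:]):
            if key in ("dev", "metric"):
                route[key] = val
        routes.append(route)
    return routes


def classify_tunnel(output: str, tunnel_dev: str) -> dict:
    """Report default-route VPN if the preferred (lowest-metric) default route
    uses the tunnel interface, otherwise split tunnel, plus the tunneled prefixes."""
    routes = parse_routes(output)
    defaults = [r for r in routes if r["dst"] == "0.0.0.0/0"]
    best_default = min(defaults, key=lambda r: int(r["metric"]), default=None)
    tunneled = sorted(r["dst"] for r in routes
                      if r["dev"] == tunnel_dev and r["dst"] != "0.0.0.0/0")
    via_tunnel = best_default is not None and best_default["dev"] == tunnel_dev
    return {"mode": "default-route" if via_tunnel else "split-tunnel",
            "default_dev": best_default["dev"] if best_default else None,
            "tunneled_prefixes": tunneled}
```

On a real client, feed it the output of `ip route show` and the interface name your IPSec client creates; a `split-tunnel` result where you configured default-route VPN means the client is sending Internet traffic unfiltered.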