cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1833
Views
5
Helpful
1
Replies

Cisco VPN Client and PIX 515: how to set default gateway

husmith
Level 1
Level 1

Here is the setup:

Laptop---- Inet Cloud ---- PIX --- Campus Network --- Inet Cloud

I can get the Cisco VPN client to connect and create the tunnel between the laptop and the PIX, but i can not browse through the PIX into the Campus network and off into the Internet.

When i connect my default gateway is assinged as the same IP address the PIX assings my VPN connection.

Example

IP address: 155.35.134.46

Gateway: 155.35.134.46

The Pix is INSIDE IP address 155.35.134.45

My goal is to be able to setup a tunnel btw my remote/random IP and the PIX firewall/VPN. Then browse through the campus network and if needbe use the campus gateway to browes the Internet.

Any assistance is appreciated

1 Accepted Solution

Accepted Solutions

gfullage
Cisco Employee
Cisco Employee

The default gateway on your PC is not the problem, it will always show as the same IP address (this is no different when you dial up to an ISP, your DG will again be set to your negotiated IP address).

The issue will be routing within the campus network and more importantly on the PIX itself. The campus network needs a route to the VPN pool of addresses that eventually points back to the PIX.

The issue here is that the PIX will have a default gateway pointing back out towards your laptop. When you establish a VPN and try and go to an Internet address, the PIX is going to route this packet according to its routing table and send it back out the interface it came in on. The PIX won't do this, and the packet will be dropped. Unless you can set the PIX's routing table to forward Internet packets to the campus network, there's no way around this. Of course if you do that then you'll break connectivity thru the PIX for all the internal users.

The only way to do this is to configure split tunnelling on the PIX, so that packets destined for the Internet are sent directly from your laptop in the clear just like normal, and any packet destined for the campus network is encrypted and sent over the tunnel.

Here's the format of the command:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/tz.htm#1048524

View solution in original post

1 Reply 1

gfullage
Cisco Employee
Cisco Employee

The default gateway on your PC is not the problem, it will always show as the same IP address (this is no different when you dial up to an ISP, your DG will again be set to your negotiated IP address).

The issue will be routing within the campus network and more importantly on the PIX itself. The campus network needs a route to the VPN pool of addresses that eventually points back to the PIX.

The issue here is that the PIX will have a default gateway pointing back out towards your laptop. When you establish a VPN and try and go to an Internet address, the PIX is going to route this packet according to its routing table and send it back out the interface it came in on. The PIX won't do this, and the packet will be dropped. Unless you can set the PIX's routing table to forward Internet packets to the campus network, there's no way around this. Of course if you do that then you'll break connectivity thru the PIX for all the internal users.

The only way to do this is to configure split tunnelling on the PIX, so that packets destined for the Internet are sent directly from your laptop in the clear just like normal, and any packet destined for the campus network is encrypted and sent over the tunnel.

Here's the format of the command:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/tz.htm#1048524

Review Cisco Networking for a $25 gift card