Branch office to Central Internet gateway

kcox
Level 1

We have a Branch office pix 501 with a working VPN pipe to a Concentrator in our Central office. We want to direct all external traffic in the Branch to go out by VPN to the Central office network. How do you force the branch office LAN to use the VPN as the gateway instead of the pix default gateway? A link to appropriate cisco docs would help as well. Currently we use the Branch Pix 501 for DHCP for the LAN.

Thanks

Kevin

3 Replies

Richard Burts
Hall of Fame

My first thought was to change the DHCP so that it assigned the VPN address as default gateway. But then I realized that it would not work well since that would be a remote address as the gateway. So then I thought that the answer may not be changing the gateway on the PC but might be to change the default route in the PIX so that it does not point to the ISP as next hop but points to the VPN peer as the next hop for default route.

HTH

Rick

Well it gets more interesting here. The Branch office gets external IP by DHCP from their ISP (DSL). So the pix doesn't necessarily have a static default gateway.

If we can't find a pix solution we may install an internal router (linux or a linksys device) that does DHCP. The Branch office clients will get the router as the default gw, while the router will have the VPN as the next hop/gw. We can put some limitations on web/ftp on the pix to block direct outgoing connections.

I would rather have a way to do this setup without adding another device at the branch office. I'll post our solution when we get there.

thanks

Kevin

The solution was pretty simple. The VPN tunnel from the Pix 501 needs to include "any" as the destination. "any" also must be added to the NAT exception. So the Branch LAN tunnels all and it is not NAT'd. On the VPN concentrator there are some routes that must be added. Now the Branch office is piped through the proxy/filtering, IDS, etc. before accessing the internet. The only internet traffic direct from the PIX 501 is the Tunnel to the Central office.
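The PIX-side piece of that solution, written out as an added, annotated example (not configuration from the original thread): the branch LAN 192.168.1.0/24, the ACL and crypto map names, and the concentrator address 203.0.113.10 are assumed placeholders, and the rest of the existing IPsec setup (transform set, ISAKMP policy, pre-shared key) is left as it already is.

```cisco
! Constructed example for a PIX 501 (6.x syntax); LAN, names and peer are placeholders.
!
! Interesting traffic for the tunnel: the branch LAN to ANY destination. With "any"
! here, Internet-bound packets match the crypto ACL and are encrypted to the
! central site instead of leaving the PIX directly.
access-list tunnel-all permit ip 192.168.1.0 255.255.255.0 any
!
! NAT exemption must match the same traffic. The PIX applies NAT before it
! evaluates the crypto ACL, so without this the translated source address
! would no longer match tunnel-all and the traffic would exit untunneled.
access-list no-nat permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list no-nat
!
! Bind the crypto ACL to the existing crypto map entry for the concentrator.
crypto map central 10 match address tunnel-all
crypto map central 10 set peer 203.0.113.10
crypto map central interface outside
```

The concentrator side is outside this fragment: it needs a route for 192.168.1.0/24 toward the tunnel and a path (with its own NAT) for that LAN out to the Internet, which is what "some routes that must be added" refers to. A quick check after the change is that `show crypto ipsec sa` on the PIX shows the 192.168.1.0/24 to 0.0.0.0/0 proxy identity and that packet counters climb when a branch host browses the web.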