07-28-2003 07:35 AM - edited 02-21-2020 12:41 PM
I have a PIX 515E with 6.31 code. I have set up a VPN to allow access to the internal network from the Internet using the Cisco VPN client. It is working properly. We have certain vendors that require us to come from our Internet IP range to allow us to access their database from the Internet. This works fine for our internal users, but I would like to allow VPN users to also do this.
Is there a way to allow the VPN client user to use the corporate Internet connection to access the Internet instead of using split tunneling to access the Internet through their own connection? I would like the VPN users to be able to be NATed back out to the Internet and appear to come from our pool of Internet addresses. Everything I have found references using split tunneling, but this will not work for me. Am I stuck getting a VPN concentrator to accomplish this?
Thanks,
Josh
07-28-2003 04:14 PM
The PIX won't route a packet back out the same interface it came in on, that includes a VPN client packet coming in on the outside interface and being routed back out that same interface.
A VPN concentrator or a router would be able to do this, but not a PIX, sorry.
07-28-2003 05:10 PM
Glenn, is this true even of the 6.3 code? Is there anything on the PIX roadmap to allow this functionality in the future?
Thanks,
Seth
07-28-2003 10:30 PM
May I know how to let the router do this? Thanks!
regards
07-29-2003 06:06 PM
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080103ed0.shtml
You are using a 515E, so I assume you have a third interface running. It's possible if both the outside and DMZ interfaces have public IPs, that is, both of them are connected to the Internet.
Traffic originating from the remote user arrives at the outside interface of the PIX; the PIX can then forward that traffic via the DMZ interface.
07-29-2003 08:55 PM
Yes this is true even in 6.3 code and yes, it has been discussed quite a lot. I don't believe there's any work being done on it at the moment. Please feel free to contact your Account Manager and have him push for this, the more people that request a new feature the faster it will be implemented.
The above sample config will sort of work in your scenario, but as discussed you need two external IP addresses in different subnets, though your ISP should be able to accommodate you. Set up the VPN clients to connect to the standard "outside" interface, then set routes in the PIX pointing to the remote office that point out the "dmz" interface.
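An added configuration sketch of the two-public-interface workaround described in the two replies above; it is not taken from this thread or from the linked Cisco document, and the interface names, the VPN group, the address pool and all addresses (RFC 5737 documentation ranges) are placeholders. Note that the vendor will see the DMZ-side global address, not an address from the outside interface's range.

```text
! Assumed PIX 6.3 fragment: outside and dmz both carry public addresses,
! so decrypted VPN client traffic that arrives on outside can be forwarded
! out dmz instead of being hairpinned back out the same interface.
nameif ethernet2 dmz security50
ip address outside 192.0.2.2 255.255.255.0
ip address dmz 198.51.100.2 255.255.255.0

! Address pool handed to VPN clients (placeholder private range)
ip local pool vpnpool 10.10.10.1-10.10.10.50
vpngroup remoteusers address-pool vpnpool
! Let IPsec-decrypted traffic bypass interface access lists
sysopt connection permit-ipsec

! Default route stays on outside, where the clients terminate;
! destinations that use it are still dropped for VPN clients (same interface)
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
! Vendor network (placeholder) is reached via the dmz next hop,
! so those client packets leave on a different interface than they arrived
route dmz 203.0.113.0 255.255.255.0 198.51.100.1 1

! Outside NAT: translate the client pool to a dmz-side public address;
! this is the address the vendor has to allow, not the outside range
nat (outside) 1 10.10.10.0 255.255.255.0 outside
global (dmz) 1 198.51.100.10
```

Only destinations with a specific route out dmz work for VPN clients; anything that falls to the default route out outside is still subject to the same-interface restriction the thread describes.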
07-31-2003 07:26 AM
PIX will not allow traffic to be sent out of a port it received it from!!!!! Concentrator is the way forward! Or you could get yourself a terminal server: your VPN users could VPN into your internal network, then connect to a terminal server and establish the connection from the terminal server.