cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
626
Views
10
Helpful
4
Replies

use the Internet through vpn

a.sutter
Level 1
Level 1

I have access via vpn tunnel (client) to my inside lan. now can i use the internet without to configuration the split-tunnel command ?

can i terminate the vpn tunnel on the dmz interface with off. ip address ?

or habe you a solution for my problem ?

Thanks,

Andi

4 Replies 4

scoclayton
Level 7
Level 7

Andi,

Unfortunately, this is not currently possible in a simple 2 interface PIX design. The PIX will not allow packets to have the same ingress (VPN packets coming in the outside interface) as the egress interface (packets leaving unencrypted going back to the internet). We are going to be relaxing this restriction in an the upcoming 7.0 release for the scenerio you specified above. However, in the current releases, you will need to terminate your VPN connections on another interface (as you mentioned above) and route the traffic through the PIX back out to the Internet. I don't know what you mean by "off. ip address" so I'm not sure how to answer this question.

Let me know if this is not clear.

Scott

ok.

with off. ip address i mean not a rfc 1918 ip address. (i terminate the vpn tunnel on my dmz interface with the ip address 195.65.x.x)

that works ?

andi

Yes, this will work. This then becomes an exercise in routing. The issue that gets most people is creating a default route. The default route on the PIX can only point out one interface. So, you will need to know the source address (most likely) for the people connecting via IPSec to the PIX and configure the routes on the PIX accordingly.

Make sense?

Scott

Hi,

This thread is interesting (although its an old one), as i have a similar requirement. i will have remote sites that will use IPSEC site-2-site VPN back to the HQ firewall in the event of the WAN failing. At the HQ I have two firewalls connected to two different ISP's; the HQ staff will go out through one set of firewalls and the site-2-site VPNs will terminate on the other firewall. I want the site-2-site VPN traffic to go out the same firewall on which the VPN terminates.

I have seen a lot of threads where people are saying that "hairpinning" is not allowed and the (PIX) does not allow ingress traffic from the outside to go back via the same interface in some of the older codes ver 6.x etc

My question is that can this now be done on the later ASA firewalls running 8.2 or 8.3? If so does anyone have the commands required and also how will the NAT work for the remote site traffic which is using RFC1918 addressing?

Appreciate your help

Thx