use the Internet through vpn

a.sutter
Level 1

I have access via VPN tunnel (client) to my inside LAN. Now can I use the Internet without configuring the split-tunnel command?

Can I terminate the VPN tunnel on the DMZ interface with an off. IP address?

Or have you a solution for my problem?

Thanks,

Andi

4 Replies

scoclayton
Level 7

Andi,

Unfortunately, this is not currently possible in a simple 2-interface PIX design. The PIX will not allow packets to have the same ingress interface (VPN packets coming in the outside interface) as the egress interface (packets leaving unencrypted going back to the Internet). We are going to be relaxing this restriction in the upcoming 7.0 release for the scenario you specified above. However, in the current releases, you will need to terminate your VPN connections on another interface (as you mentioned above) and route the traffic through the PIX back out to the Internet. I don't know what you mean by "off. ip address" so I'm not sure how to answer this question.

Let me know if this is not clear.

Scott

OK.

With "off. ip address" I mean not an RFC 1918 IP address. (I terminate the VPN tunnel on my DMZ interface with the IP address 195.65.x.x.)

That works?

andi

Yes, this will work. This then becomes an exercise in routing. The issue that gets most people is creating a default route. The default route on the PIX can only point out one interface. So, you will need to know the source address (most likely) for the people connecting via IPSec to the PIX and configure the routes on the PIX accordingly.

Make sense?

Scott
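The layout Scott describes, terminating the VPN on the DMZ interface and routing decrypted traffic back out the outside interface, written up as an added PIX 6.x configuration sketch. This is not configuration from the thread: the interface names, the documentation-range addresses (192.0.2.0/24 standing in for the poster's 195.65.x.x DMZ subnet, 203.0.113.0/24 for the remote users' public network), the client pool and the DMZ-side router are all assumed.

```cisco
! Added example, not from the thread. All names and addresses are assumed.
! Three interfaces: the VPN terminates on dmz, the default route leaves via outside,
! so encrypted and decrypted traffic never share an interface.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 198.51.100.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.0.2.2 255.255.255.0

! Pool handed to VPN clients (no split tunnel, so their Internet traffic arrives here too)
ip local pool vpnpool 10.10.10.1-10.10.10.50

! Routing is the whole problem: one default route only, pointing out outside ...
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
! ... so the public addresses the IPSec peers connect from need a more specific route
! back via the dmz-side router, otherwise IKE/ESP replies would leave via outside.
route dmz 203.0.113.0 255.255.255.0 192.0.2.1 1

! Decrypted client traffic enters on dmz and is PATed to the outside address on the way out
nat (dmz) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
! Client-to-LAN traffic stays untranslated
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat

! Terminate IKE and the crypto map on the dmz interface instead of outside
sysopt connection permit-ipsec
isakmp enable dmz
crypto map vpnmap interface dmz
```

The test that matters before cutting clients over is the return path: a client whose public address is not covered by a `route dmz ...` entry will have its IKE replies sent out the outside interface and never complete phase 1, which is exactly the "exercise in routing" Scott refers to.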

Hi,

This thread is interesting (although it's an old one), as I have a similar requirement. I will have remote sites that will use IPSec site-to-site VPN back to the HQ firewall in the event of the WAN failing. At the HQ I have two firewalls connected to two different ISPs; the HQ staff will go out through one set of firewalls and the site-to-site VPNs will terminate on the other firewall. I want the site-to-site VPN traffic to go out the same firewall on which the VPN terminates.

I have seen a lot of threads where people are saying that "hairpinning" is not allowed and the (PIX) does not allow ingress traffic from the outside to go back via the same interface in some of the older code versions, 6.x etc.

My question is: can this now be done on the later ASA firewalls running 8.2 or 8.3? If so, does anyone have the commands required, and also how will the NAT work for the remote site traffic which is using RFC 1918 addressing?

Appreciate your help

Thx
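Scott's reply above says the same-interface restriction was to be relaxed from release 7.0. As an added example that is not an answer from the thread, the following ASA configuration sketch shows the hairpin approach for a site-to-site peer whose LAN uses RFC 1918 addressing, in both the 8.2 and the 8.3 NAT syntax. The interface names, the HQ LAN (10.1.1.0/24) and the remote-site LAN (192.168.20.0/24) are assumed.

```cisco
! Added example, not from the thread. Names and addresses are assumed.
! Allow decrypted traffic to leave the same interface it arrived on (ASA 7.0 and later).
same-security-traffic permit intra-interface

! --- 8.2-style NAT ---
! Remote-site sources leaving back out the outside interface are PATed to its address
nat (outside) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface
! HQ LAN to remote LAN stays untranslated through the tunnel
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat

! --- 8.3-style equivalent (object NAT) ---
object network remote-site-lan
 subnet 192.168.20.0 255.255.255.0
 nat (outside,outside) dynamic interface
object network hq-lan
 subnet 10.1.1.0 255.255.255.0
! Identity (twice) NAT so HQ-to-remote traffic is not translated before encryption
nat (inside,outside) source static hq-lan hq-lan destination static remote-site-lan remote-site-lan
```

Two points to check when applying this: the remote site's crypto ACL must cover remote-LAN-to-any, not just remote-LAN-to-HQ-LAN, or its Internet traffic is never placed in the tunnel; and the identity NAT rule has to precede the dynamic rule in the NAT order, otherwise HQ-to-remote traffic is PATed and fails to match the crypto ACL.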