10-23-2005 07:21 PM
Hi,
Right now I have a VPN client logging into a 2811 at HQ, and I would like the VPN client to surf the Internet via the 2811's Internet access line. The reason is that the Internet connection for the VPN client user is bad; however, the connection to the 2811 box is OK and the 2811 has good Internet access.
How can I configure it such that the VPN client will log into the HQ 2811 and access the Internet via the HQ 2811 Internet line?
Take note that the termination point for VPN and Internet access is the same, meaning there is only 1 WAN link on the 2811.
10-23-2005 11:49 PM
Hi Allanl,
I can just say that with PIX 6.x OS you can't have the packet return from the interface it entered on; however, with IOS Firewall I'm not sure.
Could you please check the properties of the IOS Firewall? You could probably configure a static route for the guys who come in from the ADSL IPsec tunnel and return from the same interface on the router to the Internet.
If the IOS Firewall doesn't allow this configuration, then you need to have a separate connection to the Internet / IPsec VPN from the ADSL clients.
10-24-2005 07:17 AM
Hi
I get what you mean; this is also what I need to find out from the user in Indonesia. But in the meantime, I just want to find out whether this is feasible.
Thanks
10-24-2005 12:34 AM
Just a couple of quick comments.
The router doesn't have the "no re-route back to the same interface" restriction.
You mentioned, "The reason is that the internet connection for the vpn client user is bad". Just wondering how it would help, given that the remote VPN connection is still going to rely on the VPN user's (home) Internet.
E.g. if the home Internet keeps dropping, the remote VPN connection will be dropped, as well as the Internet browsing via the router.
10-24-2005 08:23 PM
It's feasible.
One option is to disable split tunnelling (i.e. tunnel everything) and configure a proxy server at the head office.
Another option is to disable split tunnelling and configure a loopback address for the VPN client pool to NAT/PAT.
10-24-2005 08:39 PM
Hi Jackko,
In the second option, which will be the NAT inside interface?
Is there any means by which this can be achieved on a VPN Concentrator?
Regards,
Shijo George.
10-24-2005 08:51 PM
The NAT inside will be on the loopback interface.
With the Concentrator, you need to configure the tunnel default gateway (Configuration > System > IP Routing > Default Gateway), which usually is the internal router.
10-25-2005 08:19 AM
Hi Jackko,
Then what will be the IP range for the loopback interface, the same as the VPN client pool? Then in the ACL we just allow this range for the NAT?
Thanks
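The loopback-NAT option discussed in this thread, written out as an added IOS configuration example; it is not a configuration posted by any of the participants. Everything in it is assumed: the WAN interface FastEthernet0/0 and its address 203.0.113.2/30, the loopback subnet 10.11.0.0/24 with the client pool carved from it, the internal LAN 192.168.1.0/24, the group name VPN_USERS, the pre-shared key placeholder, and a single local user. The design is the one the thread describes: no split-tunnel ACL in the group (so the client sends everything through the tunnel), `ip nat inside` on a loopback whose subnet contains the client pool, `ip nat outside` on the one WAN link, and a PAT rule that translates pool addresses behind the WAN address only when they head to the Internet.

```cisco
! Added example, not from the thread. All addresses, names and interfaces are assumptions.
aaa new-model
aaa authentication login VPN_AUTH local
aaa authorization network VPN_GROUP local
username vpnuser secret <user-password-placeholder>
!
! Loopback whose subnet contains the VPN client pool; this is the NAT "inside" side.
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
!
! Internal LAN (assumed 192.168.1.0/24).
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Single WAN interface: IPsec termination and Internet access on the same link.
interface FastEthernet0/0
 description WAN link (assumed addressing)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 crypto map CM_VPN
!
! Client pool taken from the loopback subnet; .1 stays with the loopback itself.
ip local pool VPN_POOL 10.11.0.2 10.11.0.254
!
! Phase 1 policy and client group. The group has NO "acl" line, so split
! tunnelling is disabled and the client tunnels all traffic to HQ.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp client configuration group VPN_USERS
 key <pre-shared-key-placeholder>
 pool VPN_POOL
!
crypto ipsec transform-set TS_VPN esp-aes 256 esp-sha-hmac
crypto dynamic-map DM_VPN 10
 set transform-set TS_VPN
 reverse-route
crypto map CM_VPN client authentication list VPN_AUTH
crypto map CM_VPN isakmp authorization list VPN_GROUP
crypto map CM_VPN client configuration address respond
crypto map CM_VPN 10 ipsec-isakmp dynamic DM_VPN
!
! PAT the client pool behind the WAN address when it leaves toward the Internet.
! Pool-to-LAN traffic is denied here so it reaches the LAN untranslated.
ip access-list extended ACL_VPN_NAT
 deny   ip 10.11.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.11.0.0 0.0.0.255 any
ip nat inside source list ACL_VPN_NAT interface FastEthernet0/0 overload
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

With this in place a client's web request is decrypted on FastEthernet0/0, translated to 203.0.113.2 on the way back out of the same interface, and the reply is untranslated to the client's pool address and sent back into the tunnel; `reverse-route` installs the host route for each connected client so the return path resolves. `show crypto session` and `show ip nat translations` are the two checks to run: the first should list the client SA, the second should show pool addresses (10.11.0.x) being translated to the WAN address for Internet destinations and nothing for LAN destinations.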