VPN client access internet via HQ tunnel

Hi,

Right now I have a VPN client logging into a 2811 at HQ, and I would like the VPN client to surf the Internet via the 2811's Internet access line. The reason is that the Internet connection for the VPN client user is bad; however, the connection to the 2811 is OK and the 2811 has good Internet access.

How can I configure this such that the VPN client logs into the HQ 2811 and accesses the Internet via the HQ 2811's Internet line?

Take note that the termination point for the VPN and for Internet access is the same, meaning there is only one WAN link on the 2811.

Hi Allanl,

I can just say that with PIX 6.x OS you can't have a packet return out of the interface it entered; however, with IOS Firewall I'm not sure.

Could you please check the properties of the IOS Firewall? You could probably configure a static route for the users who come in from the ADSL IPsec tunnel and return out of the same interface on the router to the Internet.

If the IOS Firewall doesn't allow this configuration, then you need to have a separate connection to the Internet / IPsec VPN for the ADSL clients.


Hi

I get what you mean; this is also what I need to find out from the user in Indonesia. But in the meantime I just want to find out whether this is feasible.

Thanks


Just a couple of quick comments.

The router doesn't have the "no re-route back to the same interface" restriction.

You mentioned, "The reason is that the internet connection for the vpn client user is bad". Just wondering how it would help, given that the remote VPN connection is still going to rely on the VPN user's (home) Internet.

E.g. if the home Internet keeps dropping, the remote VPN connection will be dropped, as well as the Internet browsing via the router.


It's feasible.

One option is to disable split tunnelling (i.e. tunnel everything) and configure a proxy server at the head office.

Another option is to disable split tunnelling and configure a loopback address for the VPN client pool to NAT/PAT.


Hi Jackko,

In the second option, which will be the NAT inside interface?

Is there any means by which this can be achieved on a VPN Concentrator?

Regards,

Shijo George.


The NAT inside will be on the loopback interface.

With the Concentrator, you need to configure the tunnel default gateway (configuration > system > ip routing > default gateway), which usually is the internal router.


Hi Jackko,

Then what will be the IP range for the loopback interface, the same as the VPN client pool? Then in the ACL we just allow this range for the NAT?

Thanks
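A worked IOS configuration of the second option Jackko describes (split tunnelling off, loopback in the client pool's subnet as the NAT inside interface, single WAN link for both IPsec termination and Internet), added here as an example and not taken from any post in this thread. Interface names, addresses, pool and group names and the placeholder secrets are assumptions; the loopback shares the pool's /24 and the NAT ACL only needs to cover that pool range.

```cisco
! Assumed names and addresses (example only): FastEthernet0/0 is the single WAN
! link, the VPN client pool is 10.11.0.0/24, 203.0.113.x is documentation space.
aaa new-model
aaa authentication login userauth local
aaa authorization network groupauth local
username vpnuser secret <PASSWORD-PLACEHOLDER>
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
!
! No "acl" under the group: split tunnelling is off, clients send everything through the tunnel
crypto isakmp client configuration group vpnclient
 key <GROUP-KEY-PLACEHOLDER>
 pool ippool
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
crypto map clientmap client authentication list userauth
crypto map clientmap isakmp authorization list groupauth
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
! Loopback in the same subnet as the client pool, marked "ip nat inside":
! this is what makes decrypted client traffic eligible for inside-to-outside NAT
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
! Single WAN link: terminates IPsec and carries the hairpinned Internet traffic
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto map clientmap
!
ip local pool ippool 10.11.0.5 10.11.0.254
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! PAT the pool range behind the WAN address; the ACL only needs to match the pool
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 permit ip 10.11.0.0 0.0.0.255 any
```

If LAN users share the same WAN link, the LAN interface also needs `ip nat inside` and its subnet added to access-list 100.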
