Right now I have a VPN client logging into a 2811 at HQ; I would like the VPN client to surf the internet via the 2811's internet access line. The reason is that the internet connection for the VPN client user is bad; however, the connection to the 2811 box is ok and the 2811 has good internet access.
How can I configure it such that the VPN client will log into the HQ 2811 and access the internet via the HQ 2811 internet line?
Take note that the termination point for VPN and internet access is the same, meaning only one WAN link on the 2811.
I can just say that with PIX 6.x OS you can't have the packet return from the interface it entered; however, with IOS Firewall I'm not sure.
Could you please check the properties of the IOS Firewall; you could probably configure a static route for the guys who come in from the ADSL IPsec tunnel and return from the same interface on the router to the Internet.
If the IOS Firewall doesn't allow this configuration, then you need to have a separate connection to the Internet / IPsec VPN from the ADSL clients.
I get what you mean; this is also what I need to find out from the user in Indonesia. But in the meantime I just want to find out whether this is feasible.
Just a couple of quick comments.
The router doesn't have the "no re-route back to the same interface" restriction.
You mentioned, "The reason is that the internet connection for the vpn client user is bad". Just wondering how this would help, given that the remote VPN connection is still going to rely on the VPN user's (home) internet.
E.g. if the home internet keeps dropping, the remote VPN connection will be dropped, as will the internet browsing via the router.
One option is to disable split tunnel (i.e. tunnel everything) and configure a proxy server at the head office.
Another option is to disable split tunnel and configure a loopback address for the VPN client pool to NAT/PAT.
In the second option, which will be the NAT inside interface?
Is there any means by which this can be achieved on a VPN Concentrator?
The NAT inside will be on the loopback interface.
With the Concentrator, you need to configure the tunnel default gateway (Configuration > System > IP Routing > Default Gateway), which usually is the internal router.
Then what will be the IP range for the loopback interface, the same as the VPN client pool? And in the ACL, do we just allow this range for the NAT?
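The "loopback as NAT inside" option discussed above, written out as an added, constructed IOS configuration that is not from any poster in this thread. It assumes the 2811 runs an IOS release with Easy VPN server and dynamic virtual-template (DVTI) support, so the decrypted client packets arrive on a Virtual-Access interface that inherits `ip nat inside` from the template; the client pool sits in the loopback's subnet, and the NAT ACL permits only that pool range. All addresses, names (VPN-POOL, VPN-GROUP, NAT-VPN-CLIENTS, FastEthernet0/0) and the keys are placeholders.

```cisco
! Constructed example: Easy VPN server on a 2811, single WAN link,
! no split tunnel, client pool NAT/PATed out the WAN interface.
aaa new-model
aaa authentication login VPN-AUTH local
aaa authorization network VPN-AUTHZ local
username vpnuser secret <client-password>
!
! The loopback holds the client pool subnet and is the NAT inside side.
interface Loopback0
 ip address 10.200.0.1 255.255.255.0
 ip nat inside
!
ip local pool VPN-POOL 10.200.0.10 10.200.0.200
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
!
! No "acl" statement in the group: nothing is split-tunnelled, so the
! clients' internet traffic comes up the tunnel to the router.
crypto isakmp client configuration group VPN-GROUP
 key <group-pre-shared-key>
 pool VPN-POOL
!
crypto isakmp profile VPN-PROF
 match identity group VPN-GROUP
 client authentication list VPN-AUTH
 isakmp authorization list VPN-AUTHZ
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
crypto ipsec profile VPN-IPSEC
 set transform-set VPN-TS
 set isakmp-profile VPN-PROF
!
! Decrypted client packets arrive on a Virtual-Access interface cloned
! from this template, so they enter the router on a NAT inside interface.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nat inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-IPSEC
!
! The one WAN link: IPsec terminates here and NAT outside is here too.
interface FastEthernet0/0
 description single WAN link
 ip address dhcp
 ip nat outside
!
! Only the VPN client pool is PATed; head-office LAN traffic is not matched.
ip access-list extended NAT-VPN-CLIENTS
 permit ip 10.200.0.0 0.0.0.255 any
ip nat inside source list NAT-VPN-CLIENTS interface FastEthernet0/0 overload
```

After a client connects, `show crypto session` should list the Virtual-Access interface for that peer, and `show ip nat translations` should show the pool address translated to the WAN address while the client browses. The NAT ACL is deliberately limited to the pool subnet so that the existing LAN-to-LAN traffic and any other NAT rules on the router are not affected. This is IOS-only; the VPN Concentrator case in the thread is handled through its tunnel default gateway setting instead.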