02-27-2002 05:17 PM - edited 02-21-2020 11:37 AM
I have a PIX 515 and am using the VPN client 3.5.1 to connect users from the internet. Currently I have a split tunnel that puts 10./8 traffic over the VPN and everything else over the local network. What I would like to do is break the tunnel and have all the clients' traffic either go through the PIX or forward out to my NetBSD gateway. Can anyone help with this?
Toby
03-01-2002 10:54 AM
I am not sure what the NetBSD gateway is, but I've found that the PIX VPN won't forward traffic out the same port it came in on. If the NetBSD box is some kind of proxy server, I'd think you could use it for the VPN users, but I'm just guessing on that one. You can enable the "stateful firewall" on the client, which would add some security to the remote node.
03-03-2002 08:18 PM
This is essentially how we are laid out:

         Internet
             |
      ---------------
      |             |
     PIX          NetBSD
      |             |
      ---------------
             |
      Internal Network

The VPN connections come into the PIX, but all internal network traffic goes out the NetBSD box. I want to be able to disable local LAN access on the VPN client and have the clients' internet traffic go through the PIX and out the NetBSD box. I can always set the proxy server option on the client and then HTTP goes through the Squid on the NetBSD box, but I would like to be able to route all the traffic, not just proxy HTTP. Thanks for your help; at least now I can narrow it down a bit.
03-03-2002 10:00 PM
If I understand you correctly, you want all of your VPN traffic to go back out through the PIX to access the Internet. Is this to prevent the user from having unsecured connections while connected to your private net? The only problem with your layout is that the PIX isn't a router. It cannot re-route traffic out of an interface that it came in on. So users coming in on (Outside) via the VPN to access (inside/DMZ, whatever) cannot go back out through (Outside) to access the web.
03-04-2002 12:13 PM
You have got the general idea, but I can also live with routing all traffic to the NetBSD box, which is on the inside interface, and out to the internet that way. Can I do that?
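For reference, the two VPN client configurations the thread contrasts (the current split tunnel that only sends 10./8 over the VPN, and the full tunnel that sends everything), as an added PIX 6.x-era configuration fragment that is not from the original posts. The group name `remote_users`, the pool `vpnpool`, the pool range and the ACL name are assumptions chosen for illustration; the PIX hairpin and routing question raised in the thread is not addressed by this fragment.

```cisco
! --- Current layout: split tunnel. The ACL lists the networks the
!     client should reach through the VPN; everything else stays local.
!     (names/addresses are hypothetical)
ip local pool vpnpool 10.200.0.1-10.200.0.254
access-list split_tunnel_acl permit ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.255.0

vpngroup remote_users address-pool vpnpool
vpngroup remote_users split-tunnel split_tunnel_acl
vpngroup remote_users idle-time 1800

! --- Full tunnel: drop the split-tunnel ACL from the group. With no
!     split-tunnel list the client sends all traffic into the tunnel,
!     which is the "break the tunnel" behaviour asked about above.
no vpngroup remote_users split-tunnel split_tunnel_acl
```

After removing the split-tunnel list, `show vpngroup` on the PIX should no longer show a `split-tunnel` entry for the group, and a reconnected client's route table will show the default route pointing at the VPN adapter rather than the local gateway.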