Remote Access VPN Configuration + U-Turn

Unanswered Question
Mar 1st, 2007

I have configured Remote Access VPN on a PIX 515E running PIX OS 7.2(2). I am able to connect via the Cisco VPN Client, and pass traffic to the Internet but it appears to be U-turned rather than sent to another device for inspection. I have enabled the feature to send all VPN traffic to an inside host rather than having the firewall re-route it (Tunnel-default gateway), but it still acts like it is Split-Tunneling/U-Turn. We need this traffic to be inspected by an Internet Filtering appliance to ensure our users adhere to our policies while on our LAN. I am able to access everything on our LAN just fine, but once I go to the Internet, it is as though I am connected directly to Internet and not passing through our filters. Any suggestions on where to look in my configuration would be a great help.

kaachary Sat, 03/03/2007 - 05:36

Hi,

The tunnel default gateway should point to the filter (make sure the filter's IP is in the same subnet as the inside interface).

The filter's default gateway should again be the ASA's inside interface.

Disable "ip verify reverse-path" on inside interface.

Create a NAT rule on inside for VPN client pool. E.G.

nat (inside) 1 <vpn-pool-network> <mask>
global (outside) 1 interface

Remove any existing "nat (outside)...." rules, which are required only when you U-turn the traffic.

HTH,

-Kanishka
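The steps in the reply above, pulled together as one PIX/ASA 7.x configuration fragment. This is an added example, not the poster's or the asker's configuration; the interface addresses, filter address and VPN pool are constructed placeholders, and the same-security-traffic line (the other half of what enables hairpinning) is mentioned here beyond the reply.

```cisco
! Added example, not from the original thread. Constructed addresses:
!   inside interface 10.1.1.1/24, filter appliance 10.1.1.10, VPN pool 10.99.0.0/24
!
! 1. Address pool handed to remote-access clients.
ip local pool VPNPOOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
!
! 2. Tunnel default gateway: decrypted client traffic with no more specific
!    route is forwarded to the filter on the inside segment instead of being
!    routed straight back out the outside interface.
route inside 0.0.0.0 0.0.0.0 10.1.1.10 tunneled
!
! 3. Hairpinning (U-turn) depends on intra-interface traffic being permitted;
!    with the filter in path this is not needed for Internet-bound clients.
no same-security-traffic permit intra-interface
!
! 4. After inspection the filter sends the packets back to the firewall's inside
!    interface. Their source is the VPN pool, which the routing table places
!    behind outside, so unicast RPF on inside would drop them. Disable it there.
no ip verify reverse-path interface inside
!
! 5. Pool traffic now enters on inside and leaves on outside: translate it
!    like any other inside host, and drop the outside-NAT rule used for the U-turn.
no nat (outside) 1 10.99.0.0 255.255.255.0 outside
nat (inside) 1 10.99.0.0 255.255.255.0
global (outside) 1 interface
!
! Checks: the tunneled route should appear in the routing table, and client
! sessions to the Internet should show up as inside->outside translations.
show route
show xlate
```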
