03-01-2007 03:24 PM - edited 02-21-2020 02:53 PM
I have configured Remote Access VPN on a PIX 515E running PIX OS 7.2(2). I am able to connect via the Cisco VPN Client, and pass traffic to the Internet but it appears to be U-turned rather than sent to another device for inspection. I have enabled the feature to send all VPN traffic to an inside host rather than having the firewall re-route it (Tunnel-default gateway), but it still acts like it is Split-Tunneling/U-Turn. We need this traffic to be inspected by an Internet Filtering appliance to ensure our users adhere to our policies while on our LAN. I am able to access everything on our LAN just fine, but once I go to the Internet, it is as though I am connected directly to Internet and not passing through our filters. Any suggestions on where to look in my configuration would be a great help.
03-01-2007 03:34 PM
Is your internet filter outside the firewall? If so, then you could do public internet on a stick.
Just read your post more clearly. I think your filter is on the inside, correct?
03-03-2007 05:36 AM
Hi,
The tunnel default gateway should point to the filter (make sure the filter's IP is in the same subnet as the inside interface).
The filter's default gateway should again be the ASA's inside interface.
Disable "ip verify reverse-path" on inside interface.
Create a NAT rule on inside for the VPN client pool, e.g.:
nat (inside) 1
global (outside) 1 interface
Remove any existing "nat (outside) ..." rules, which are required only when you U-turn the traffic.
HTH,
-Kanishka
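The steps in the reply above written out as PIX 7.2 configuration lines; this is an added illustration, not configuration from the thread, and the filter address and VPN pool are placeholders you must replace with your own values (the exact command syntax is assumed from the 7.x command set):

```cisco
! Tunnel default gateway: decrypted VPN-client traffic with no more specific
! route is sent to the filtering appliance on the inside network
! (<FILTER_INSIDE_IP> is a placeholder in the inside interface's subnet)
route inside 0.0.0.0 0.0.0.0 <FILTER_INSIDE_IP> tunneled

! The filter hands the traffic back on the inside interface with a source
! address from the VPN pool, which uRPF on inside would otherwise drop
no ip verify reverse-path interface inside

! Translate the VPN pool (placeholder <VPN_POOL_NET>/<VPN_POOL_MASK>) to the
! outside interface address when it re-enters via inside and leaves to the Internet
nat (inside) 1 <VPN_POOL_NET> <VPN_POOL_MASK>
global (outside) 1 interface

! The outside-interface translation for the pool is only needed when the
! firewall U-turns the traffic itself, so remove it
no nat (outside) 1 <VPN_POOL_NET> <VPN_POOL_MASK>
```

After applying this, a client session to an Internet host should appear in the filter's logs and in "show xlate" as a translation built on the inside interface, which is the check that the traffic is no longer being hairpinned.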
06-15-2007 09:30 AM
FYI, the recommended fix above does not work.