Remote Access VPN Configuration + U-Turn

greg.moses · ‎03-01-2007

I have configured Remote Access VPN on a PIX 515E running PIX OS 7.2(2). I am able to connect via the Cisco VPN Client, and pass traffic to the Internet but it appears to be U-turned rather than sent to another device for inspection. I have enabled the feature to send all VPN traffic to an inside host rather than having the firewall re-route it (Tunnel-default gateway), but it still acts like it is Split-Tunneling/U-Turn. We need this traffic to be inspected by an Internet Filtering appliance to ensure our users adhere to our policies while on our LAN. I am able to access everything on our LAN just fine, but once I go to the Internet, it is as though I am connected directly to Internet and not passing through our filters. Any suggestions on where to look in my configuration would be a great help.

acomiskey · ‎03-01-2007

Is your internet filter outside the firewall, if so then you could do public internet on a stick.

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

Just read your post more clearly, I think your filter is on the inside? correct?

kaachary · ‎03-03-2007

Hi,

The tunnel default gateway should point to the filter (Make sure the filter's ip is of the same subnet as of Inside Intf).

The filter's default gateway should again be the ASA's inside interface.

Disable "ip verify reverse-path" on inside interface.

Create a NAT rule on inside for VPN client pool. E.G.

nat (inside) 1

global (outside) 1 interface

Remove any exisitng "nat (outside)...." rules, which are required only when you U-turn the traffic.

HTH,

-Kanishka

revangelista · ‎06-15-2007

FYI, the recommended fix above does not work.