03-01-2007 03:24 PM - edited 02-21-2020 02:53 PM
I have configured Remote Access VPN on a PIX 515E running PIX OS 7.2(2). I am able to connect via the Cisco VPN Client and pass traffic to the Internet, but it appears to be U-turned rather than sent to another device for inspection. I have enabled the feature to send all VPN traffic to an inside host rather than having the firewall re-route it (tunnel default gateway), but it still acts like it is split-tunneling/U-turning. We need this traffic to be inspected by an Internet filtering appliance to ensure our users adhere to our policies while on our LAN. I am able to access everything on our LAN just fine, but once I go to the Internet, it is as though I am connected directly to the Internet and not passing through our filters. Any suggestions on where to look in my configuration would be a great help.
03-01-2007 03:34 PM
Is your Internet filter outside the firewall? If so, then you could do public Internet on a stick.
Just read your post more clearly. I think your filter is on the inside, correct?
03-03-2007 05:36 AM
Hi,
The tunnel default gateway should point to the filter (make sure the filter's IP is in the same subnet as the inside interface).
The filter's default gateway should again be the ASA's inside interface.
Disable "ip verify reverse-path" on inside interface.
Create a NAT rule on inside for VPN client pool. E.G.
nat (inside) 1
global (outside) 1 interface
Remove any existing "nat (outside) ..." rules, which are required only when you U-turn the traffic.
HTH,
-Kanishka
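The steps in the reply above, written out as one PIX 7.2 configuration fragment. This is an added example, not the original poster's configuration and not Kanishka's; every address in it is assumed (inside interface 10.1.1.1/24, filtering appliance 10.1.1.2, VPN client pool 192.168.50.0/24 named VPNPOOL, ISP next hop 203.0.113.1) and must be replaced with your own values.

```cisco
! Added example config, not from the original thread. All addresses are assumed.
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Address pool handed to Cisco VPN Client users (assumed range).
ip local pool VPNPOOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
!
! Normal default route for the firewall itself and for inside hosts.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Tunnel default gateway: decrypted VPN-client traffic that matches no more
! specific route is handed to the filter on the inside network instead of
! being routed straight back out the outside interface.
route inside 0.0.0.0 0.0.0.0 10.1.1.2 tunneled
!
! Unicast RPF on inside would drop the packets the filter forwards back,
! because their source is the VPN pool and the firewall's route to that
! pool points out the outside interface.
no ip verify reverse-path interface inside
!
! After inspection the packets enter on inside with pool source addresses;
! PAT them to the outside interface address on the way out.
nat (inside) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface
!
! The "outside"-keyword NAT rule is only for hairpinning the pool out the
! same interface it came in on; remove it if it is present.
no nat (outside) 1 192.168.50.0 255.255.255.0 outside
```

Two checks worth making after applying this: "show route" should list the inside 0.0.0.0/0 entry flagged as tunneled alongside the ordinary outside default route, and "show xlate" should show translations for the 192.168.50.x addresses being built on the inside-to-outside path rather than outside-to-outside. The filtering appliance must also have a route back to the pool (its default gateway pointing at 10.1.1.1 covers this), and the client's policy must tunnel all traffic, since anything split-tunneled never reaches the firewall at all. If "same-security-traffic permit intra-interface" is configured, hairpinned flows are permitted and the outside-to-outside xlates are a sign that traffic is still bypassing the filter.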
06-15-2007 09:30 AM
FYI, the recommended fix above does not work.