Is this normal VPN Concentrator 3002 behavior?

Hi all,

We have a VPN 3002 concentrator with its public interface on our "DMZ". The private interface of the concentrator is on our "Internal" network. Our PIX515 isolates these two networks from each other and from the "external" network (i.e. the Internet).

When people establish VPN connections to the concentrator using the no-split-tunnel option, they can access internal hosts as needed but they can't surf the Internet. Our internal network's core routers are configured to use the "internal" interface of the PIX as the default gateway and to send any traffic to the VPN to the concentrator's "private" interface. The VPN concentrator in turn uses the PIX interface on the DMZ as its default GW. The PIX then goes out to our T1.

I've been told this is normal behavior for VPN-style connections where the no-split-tunnel option is used. From what I understand, the only way around it is to use the HTTP proxy server option in the concentrator's configuration options.

Just wondering if this is correct?

Richard Burts Mon, 04/09/2007 - 20:57
I do not have much experience with the 3002 but do have experience with other 3000 series concentrators and with PIX. The behavior that you describe of clients not being able to communicate with other clients was typical when VPN was terminated on PIX (up to the 7.0 release), because the PIX would not forward a packet back out the same interface that it arrived on (the ability to do this was introduced in 7.0). That behavior has not been typical on VPN terminated on the 3000 series concentrators. I have done several implementations where VPNs are terminated on 3000 series concentrators and the clients are able to surf the Internet. It sounds to me like there are PIX firewall policies that are not allowing the VPN traffic to get from the DMZ to the Internet.
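As an added illustration of the kind of PIX policy the reply above points at (not configuration from this thread or from either poster), the PIX 6.x-style statements below let a VPN client pool leaving the concentrator's public interface reach the Internet through the DMZ. Every address, interface name and ACL name is constructed for the example; in the poster's setup, decrypted no-split-tunnel traffic follows the concentrator's default gateway onto the DMZ, so the DMZ interface policy, NAT and the return route are the three places such a path can be blocked.

```cisco
! Constructed addressing for this example only (not from the thread):
!   outside  = PIX interface toward the T1
!   dmz      = PIX interface on the DMZ; concentrator public interface is 192.168.50.2
!   inside   = PIX interface toward the internal core routers
!   VPN client address pool handed out by the concentrator = 10.200.0.0/24
!
! 1. DMZ interface policy: decrypted client traffic arrives inbound on the
!    DMZ interface, so it must be permitted there. Only web browsing and
!    DNS are permitted for the pool; the implicit deny at the end of the
!    list keeps the pool from reaching anything else via this path.
access-list dmz_in permit tcp 10.200.0.0 255.255.255.0 any eq www
access-list dmz_in permit tcp 10.200.0.0 255.255.255.0 any eq 443
access-list dmz_in permit udp 10.200.0.0 255.255.255.0 any eq domain
access-group dmz_in in interface dmz
!
! 2. Translation: without a NAT rule covering the pool as it leaves the
!    DMZ, the PIX drops the flow even when the ACL permits it.
nat (dmz) 1 10.200.0.0 255.255.255.0
global (outside) 1 interface
!
! 3. Return path: replies for pool addresses must be routed back to the
!    concentrator's public interface, not toward the inside network.
route dmz 10.200.0.0 255.255.255.0 192.168.50.2 1
```

A quick way to confirm which of the three is the blocker is to watch `show access-list dmz_in` hit counts and `show xlate` while a connected client browses; a permit with rising hits but no translation points at step 2, no hits at all points at the route on the concentrator side.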