Default GW for VPN Client

Unanswered Question
Jun 17th, 2007


I notice the default GW for VPN clients when connecting is the client's interface itself. I am just wondering how would he be able to access other VLANs in the network?

R/ Haitham

johnleeee Mon, 06/18/2007 - 05:30


It is very easy. When you connect to your site through VPN client, it depends on policy you configured on PIX which routes will be pushed to your interface on PC and then to your site and which not. If you configure all routes to be directed through VPN interface you will not be able to connect to other site.



Jon Marshall Mon, 06/18/2007 - 11:45

Hi Haitham

It's a bit like having a route on a router that instead of using the next hop IP address uses an outgoing interface instead.

So your default-gateway for the VPN client is the outgoing interface with IP address of the client end of the VPN tunnel. So all traffic no matter which subnet it is destined for will be sent down the tunnel.

Hope this makes sense


btrichardson Wed, 09/12/2007 - 10:44

Hello Jon,

I know this post was a while back, but like a good little boy I searched for my problem before starting a new post. :)

I had the same question Haitham did about why my VPN clients get their own IP set as their default GW. You answered that question... thanks! I still have another question though:

My ASA 5520 (which is what my remote clients VPN into) is connected on the inside interface to a VLAN network. I have a Cisco 6500 managing and routing this VLAN and others. When I connect in with my VPN client, I get assigned an IP address from the VLAN network that the ASA is connected to, but I cannot get to anything on that network or on any of my other VLAN networks. However, if I ssh into my ASA, I can ping anything on the ASA's inside network and other VLAN networks. Any idea why this is happening? I have static routes configured in the ASA for all of my other VLANs that point to the gateway of the ASA's inside network.

Thanks! -- BTR

shomar Wed, 09/12/2007 - 23:40


Try to double-check that nat0 is properly configured, and that you have NAT traversal enabled on the FW (isakmp nat-t).

hope this helps,


shomar Tue, 06/19/2007 - 02:11

Hi Haitham,

As mentioned before, the routes pushed through the tunnel will depend on the policies configured.

However, to have the client capable of communicating to other VLANs (or the local LAN) you will need to configure split tunneling.

Configuring split tunneling will slightly vary depending on the software version of the VPN server.

Below I am listing how to configure it on the PIX FW version 6.x and version 7.x as well:

version 7.x:

version 6.x:

Use the following command when configuring VPN

vpngroup groupname split-tunnel

specifying in the access-list all the traffic that you would like to pass through the tunnel; all other traffic not specified in the access-list will pass in the clear.

I hope that the above will be of assistance to you on this.

Note that the GW of the tunneled traffic will remain pointing to the interface :)
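To put the two pieces of advice in this thread together (the nat0 / NAT-T check in shomar's 09/12 reply and the split-tunnel `vpngroup` command above), here is a constructed PIX 6.3 remote-access fragment. It is an added illustration, not configuration from any poster or from Cisco documentation: the addressing (inside VLANs in 10.0.0.0/8 behind a 6500 at 10.1.1.1, VPN pool 192.168.100.0/24), the group name `vpnclients` and the ACL names are all assumed, and the ISAKMP policy, transform set and crypto map are taken as already configured.

```cisco
! Constructed example, not from the thread. Assumed addressing:
!   inside VLANs              10.0.0.0/8, routed by the 6500 at 10.1.1.1
!   VPN client address pool   192.168.100.0/24
!   vpngroup name             vpnclients
ip local pool vpnpool 192.168.100.1-192.168.100.254

! Static route on the PIX so replies from the tunnel reach the other VLANs.
route inside 10.0.0.0 255.0.0.0 10.1.1.1 1

! nat0: traffic between the inside VLANs and the VPN pool must bypass NAT,
! otherwise replies from the VLANs are translated and never enter the tunnel.
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! Split-tunnel ACL: only these destinations are sent down the tunnel; the
! client reaches everything else (its local LAN, the Internet) in the clear.
! Keep it as narrow as the VLANs the clients actually need.
access-list split_tunnel permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0

vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients split-tunnel split_tunnel
vpngroup vpnclients password <group-pre-shared-key-placeholder>

! Let decrypted IPsec traffic bypass the interface ACLs, and enable NAT
! traversal (UDP/4500 encapsulation) for clients sitting behind a NAT device.
sysopt connection permit-ipsec
isakmp nat-traversal 20
```

Two things to verify once this is in place: the 6500 needs a return route for 192.168.100.0/24 pointing at the PIX inside address, otherwise the PIX can ping the VLANs (it sources from its own inside address) while clients cannot; and the split-tunnel ACL should cover only the subnets clients need, since a split-tunnelled PC is reachable from its local LAN and the corporate VLANs at the same time.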



