VPN connection to 3005 WITHOUT split tunneling, then to PIX 515 for Internet?

Unanswered Question
Mar 17th, 2010
User Badges:

We are using a Cisco 3005 VPN Concentrator to handle all of our client connections. At present, split-tunneling is permitted, so remote hosts access the Internet via their own ISP. However, I have been tasked with setting up an alternate VPN profile with "no split tunneling", and then forwarding any Internet traffic to a PIX 515E for access to public sites. Setting up the new VPN profile was very simple, and based on traceroutes it appears to be working as it should; all traffic now goes to the concentrator. However, it is not routing to the Internet (via the PIX) from there. In reviewing the routes in the concentrator, I can see that there is a default route to our Internet router's public IP, and then a bunch of individual routes for internal resources (servers etc.). It would seem then that any traffic for unknown destinations is simply hitting the concentrator's default route, being pushed over to the Internet router, and then coming back down the tunnel to the client, and thereby never actually making it to the Web. As another data point, I can tell you that when I create a static route on the concentrator for a public IP and point it to the default gateway of the VPN client VLAN, it then routes to the inside, sees a default route on a core switch, and is then forward to the PIX and ultimately the Web.

Based on this scenario, how might I route traffic coming into the VPN concentrator (non-split tunneling) from remote clients, over to the PIX firewall, and out to the Internet?

Any help would be greatly appreciated.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Wed, 03/17/2010 - 21:01
User Badges:
  • Cisco Employee,

1) You can configure a new unique pool for this non split tunnel group so routing can be done appropriately.

2) On the VPN Concentrator, you can configure "Tunnel Default Gateway" (Configuration | System | IP Routing | Default Gateways) to be either the internal router or the PIX firewall interface which is in the same subnet as your VPN Concentrator private interface.

3) On the PIX firewall, you would need to create NAT for this newly created pool so it gets PATed for traffic going to the Internet. And also on the PIX, you would have route for the ip pool to point towards the VPN Concentrator private interface.

Hope that helps.

munroe.cco Thu, 03/18/2010 - 10:58
User Badges:

Thanks halijenn. That's exactly what I needed.



This Discussion