We are using a Cisco 3005 VPN Concentrator to handle all of our client connections. At present, split-tunneling is permitted, so remote hosts access the Internet via their own ISP. However, I have been tasked with setting up an alternate VPN profile with "no split tunneling", and then forwarding any Internet traffic to a PIX 515E for access to public sites. Setting up the new VPN profile was very simple, and based on traceroutes it appears to be working as it should; all traffic now goes to the concentrator. However, it is not routing to the Internet (via the PIX) from there. In reviewing the routes in the concentrator, I can see that there is a default route to our Internet router's public IP, and then a bunch of individual routes for internal resources (servers etc.). It would seem then that any traffic for unknown destinations is simply hitting the concentrator's default route, being pushed over to the Internet router, and then coming back down the tunnel to the client, and thereby never actually making it to the Web. As another data point, I can tell you that when I create a static route on the concentrator for a public IP and point it to the default gateway of the VPN client VLAN, it then routes to the inside, sees a default route on a core switch, and is then forwarded to the PIX and ultimately the Web.
Based on this scenario, how might I route traffic coming into the VPN concentrator (non-split tunneling) from remote clients, over to the PIX firewall, and out to the Internet?
Any help would be greatly appreciated.