We have a PIX at a remote data center and - in the event of an upstream routing issue or some issue beyond our control - we'd like to be able to VPN to an interface that is completely off of the "main" network. The problem is the default route is going out the "main" outside interface of the PIX and the traffic is apparently not allowed to return back to the VPN client.
eth0 "eth-outside" - 18.104.22.168
eth1 "eth-inside" - 192.168.0.1
eth3 "eth-backup" - 22.214.171.124
126.96.36.199 = Gateway
The only routing statement on the PIX is this. This is the route that all "normal" production traffic flows out/in:
route eth-outside 0.0.0.0 0.0.0.0 188.8.131.52 1
If the 184.108.40.206 network becomes inaccessible for whatever reason how can we VPN to the 220.127.116.11 network on the "backup" interface?
Note: I can get this to work if I know *where* the VPN client is coming from. Example: If the VPN client is connecting from 18.104.22.168 I can simply put in a route back out eth3 like this (assuming that 22.214.171.124 is the gateway for this network):
route eth-backup 126.96.36.199 255.255.255.255 188.8.131.52 1
This does work, but obviously it isn't optimal to know from where the VPN clients might be originating. Is there a way I can do this so the response from the PIX, as well as traffic after the client is connected, flows back out the interface that was used to connect in the first place?
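To make the failure in the question concrete, here is an added simulation (not the poster's config or any PIX code) of the longest-prefix-match lookup the PIX performs on a reply packet. It uses constructed RFC 5737 placeholder addresses and two route tables: the default-only table from the question and the same table plus the /32 host route workaround; the asymmetry check shows why the reply leaves the wrong interface in the first case, and why the workaround only helps for a client address you already know.

```python
import ipaddress

# Route tables modelled on the question: a default route out "eth-outside",
# optionally plus one host route out "eth-backup". All addresses are
# constructed placeholders (RFC 5737 test ranges), not the page's values.
# Each entry is (destination network, next hop, egress interface).
DEFAULT_ONLY = [
    (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "eth-outside"),
]

# The poster's workaround: a /32 back to one known VPN client, pointing at
# the backup network's gateway (assumed placeholder address).
WITH_HOST_ROUTE = DEFAULT_ONLY + [
    (ipaddress.ip_network("198.51.100.77/32"), "192.0.2.1", "eth-backup"),
]


def lookup(routes, dst):
    """Longest-prefix match: return (next_hop, interface) for dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, nexthop, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    return (best[1], best[2]) if best else None


def reply_is_symmetric(routes, ingress_iface, client_ip):
    """True when the reply to client_ip leaves via the interface the client's
    packet arrived on. When a VPN client reaches eth-backup but the reply is
    routed out eth-outside, the handshake never completes, which is exactly
    the symptom described in the question."""
    hop = lookup(routes, client_ip)
    return hop is not None and hop[1] == ingress_iface


if __name__ == "__main__":
    known, unknown = "198.51.100.77", "198.51.100.78"
    for name, table in (("default only", DEFAULT_ONLY), ("with /32", WITH_HOST_ROUTE)):
        print(name, "known client:", reply_is_symmetric(table, "eth-backup", known),
              "unknown client:", reply_is_symmetric(table, "eth-backup", unknown))
```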