We have a PIX at a remote data center and - in the event of an upstream routing issue or some issue beyond our control - we'd like to be able to VPN to an interface that is completely off of the "main" network. The problem is the default route is going out the "main" outside interface of the PIX and the traffic is apparently not allowed to return back to the VPN client.
eth0 "eth-outside" - 126.96.36.199
eth1 "eth-inside" - 192.168.0.1
eth3 "eth-backup" - 188.8.131.52
184.108.40.206 = Gateway
The only routing statement on the PIX is the one below; it is the route that all "normal" production traffic flows out and in on:
route eth-outside 0.0.0.0 0.0.0.0 220.127.116.11 1
If the 18.104.22.168 network becomes inaccessible for whatever reason, how can we VPN to the 22.214.171.124 network on the "backup" interface?
Note: I can get this to work if I know *where* the VPN client is coming from. Example: If the VPN client is connecting from 126.96.36.199 I can simply put in a route back out eth3 like this (assuming that 188.8.131.52 is the gateway for this network):
route eth-backup 184.108.40.206 255.255.255.255 220.127.116.11 1
This does work, but obviously it isn't optimal to have to know where the VPN clients might be originating. Is there a way I can do this so that the response from the PIX, as well as traffic after the client is connected, flows back out the interface that was used to connect in the first place?
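To make the routing behaviour in the question concrete, here is an added example (not part of the original post, and not PIX code) that simulates the PIX's longest-prefix-match lookup over the two route statements quoted above. It shows why a reply to a client covered by the /32 route leaves eth-backup while a reply to any other client falls through to the default route on eth-outside, which is the asymmetric return path the poster describes. The client address 203.0.113.7 is a constructed sample; the other addresses are the ones as they appear in the post.

```python
import ipaddress

# Routing table reconstructed from the question: (interface, prefix, next hop, metric).
# The /32 entry is the per-client workaround the poster describes.
ROUTES = [
    ("eth-outside", "0.0.0.0/0", "220.127.116.11", 1),
    ("eth-backup", "184.108.40.206/32", "220.127.116.11", 1),
]


def lookup(routes, dst):
    """Longest-prefix-match lookup for a packet destined to dst.

    Returns (interface, next_hop) of the winning route, or None if nothing matches.
    On equal prefix length the lower metric wins, as on the PIX.
    """
    dst = ipaddress.ip_address(dst)
    best = None  # (iface, network, next_hop, metric)
    for iface, prefix, next_hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        if best is None or net.prefixlen > best[1].prefixlen or (
            net.prefixlen == best[1].prefixlen and metric < best[3]
        ):
            best = (iface, net, next_hop, metric)
    return None if best is None else (best[0], best[2])


def return_path_symmetric(routes, client, ingress_iface):
    """True if the reply to a client that arrived on ingress_iface leaves that same interface."""
    route = lookup(routes, client)
    return route is not None and route[0] == ingress_iface


if __name__ == "__main__":
    for client in ("184.108.40.206", "203.0.113.7"):
        iface, _ = lookup(ROUTES, client)
        ok = return_path_symmetric(ROUTES, client, "eth-backup")
        print(f"reply to {client:16} exits {iface:12} symmetric via eth-backup: {ok}")
```

Only the client with an explicit host route gets a symmetric path; every other client's reply takes the default route, which is exactly why a per-client route cannot scale to unknown VPN sources.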