We have a PIX at a remote data center and, in the event of an upstream routing issue or some other issue beyond our control, we'd like to be able to VPN to an interface that is completely off the "main" network. The problem is that the default route goes out the "main" outside interface of the PIX, and the traffic is apparently not allowed to return to the VPN client.
eth0 "eth-outside" - 22.214.171.124
eth1 "eth-inside" - 192.168.0.1
eth3 "eth-backup" - 126.96.36.199
188.8.131.52 = Gateway
The only routing statement on the PIX is the one below. This is the route that all "normal" production traffic flows in and out over:
route eth-outside 0.0.0.0 0.0.0.0 184.108.40.206 1
If the 220.127.116.11 network becomes inaccessible for whatever reason, how can we VPN to the 18.104.22.168 network on the "backup" interface?
Note: I can get this to work if I know *where* the VPN client is coming from. Example: If the VPN client is connecting from 22.214.171.124 I can simply put in a route back out eth3 like this (assuming that 126.96.36.199 is the gateway for this network):
route eth-backup 188.8.131.52 255.255.255.255 184.108.40.206 1
This does work, but obviously it isn't optimal to have to know where the VPN clients might be originating from. Is there a way I can do this so that the response from the PIX, as well as the traffic after the client is connected, flows back out the interface that was used to connect in the first place?
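To make the routing behaviour in the question concrete, here is an added example (not part of the original post and not PIX code) that models the PIX routing table as a longest-prefix-match lookup. It parses the two `route` statements exactly as written above and shows why a reply to a client is sent out eth-outside under the default route alone, why the /32 host route pulls that one client's replies back out eth-backup, and why any other client (the address 203.0.113.77 is a constructed, documentation-range example) still gets an asymmetric reply. The interface names, addresses and gateways are taken from the post as written; the `reply_path` and `lookup` helpers are assumptions of this example, not PIX commands.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One static route: interface, destination prefix, next hop, metric."""
    iface: str
    prefix: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int


def parse_pix_route(line: str) -> Route:
    """Parse 'route <iface> <network> <mask> <gateway> <metric>' (PIX syntax)."""
    keyword, iface, net, mask, gw, metric = line.split()
    if keyword != "route":
        raise ValueError(f"not a route statement: {line!r}")
    # IPv4Network accepts a dotted netmask, so 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0
    return Route(iface, ipaddress.IPv4Network(f"{net}/{mask}"),
                 ipaddress.IPv4Address(gw), int(metric))


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by the lower metric."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def reply_path(routes: List[Route], client_src: str, ingress_iface: str) -> dict:
    """Where does the reply to a packet from client_src (seen on ingress_iface) go?

    'symmetric' is True only when the reply leaves on the interface the client
    arrived on, which is what the firewall needs to keep the VPN session alive.
    """
    route = lookup(routes, client_src)
    egress = route.iface if route else None
    return {
        "egress": egress,
        "gateway": str(route.gateway) if route else None,
        "symmetric": egress == ingress_iface,
    }


# The routing table from the post: the default route alone, then with the
# per-client /32 host route added.
ROUTES_DEFAULT_ONLY = [
    parse_pix_route("route eth-outside 0.0.0.0 0.0.0.0 184.108.40.206 1"),
]
ROUTES_WITH_HOST_ROUTE = ROUTES_DEFAULT_ONLY + [
    parse_pix_route("route eth-backup 188.8.131.52 255.255.255.255 184.108.40.206 1"),
]

KNOWN_CLIENT = "188.8.131.52"      # the client the host route was written for
UNKNOWN_CLIENT = "203.0.113.77"    # constructed example of any other client


if __name__ == "__main__":
    for label, table in (("default only", ROUTES_DEFAULT_ONLY),
                         ("with /32 host route", ROUTES_WITH_HOST_ROUTE)):
        for client in (KNOWN_CLIENT, UNKNOWN_CLIENT):
            print(label, client, reply_path(table, client, "eth-backup"))
```

Running it shows the asymmetry the post describes: with only the default route every reply leaves via eth-outside, the host route fixes exactly one source address, and a client from anywhere else still has its reply routed away from eth-backup. Per-client host routes therefore scale only as far as the list of client addresses you are willing to maintain.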