We have a PIX at a remote data center and - in the event of an upstream routing issue or some issue beyond our control - we'd like to be able to VPN to an interface that is completely off of the "main" network. The problem is the default route is going out the "main" outside interface of the PIX and the traffic is apparently not allowed to return back to the VPN client.
eth0 "eth-outside" - 188.8.131.52
eth1 "eth-inside" - 192.168.0.1
eth3 "eth-backup" - 184.108.40.206
220.127.116.11 = Gateway
The only routing statement on the PIX is this. This is the route that all "normal" production traffic flows out/in:
route eth-outside 0.0.0.0 0.0.0.0 18.104.22.168 1
If the 22.214.171.124 network becomes inaccessible for whatever reason, how can we VPN to the 126.96.36.199 network on the "backup" interface?
Note: I can get this to work if I know *where* the VPN client is coming from. Example: if the VPN client is connecting from 188.8.131.52, I can simply put in a route back out eth3 like this (assuming that 184.108.40.206 is the gateway for this network):
route eth-backup 220.127.116.11 255.255.255.255 18.104.22.168 1
This does work, but obviously it isn't optimal to have to know from where the VPN clients might be originating. Is there a way I can do this so that the response from the PIX, as well as traffic after the client is connected, flows back out the interface that was used to connect in the first place?
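A small model, added here and not part of the question, of why the per-client host route works and what a general fix has to do: with destination-based forwarding the reply to a client follows the longest-prefix match, which with only the default route is eth-outside, so the client on the backup side never sees it; a /32 host route fixes one known client, while a flow table that remembers the ingress interface fixes every client. The addresses are constructed placeholders (the question's are scrubbed), and the flow table is a model of ingress-pinned forwarding, not a description of a PIX feature.

```python
import ipaddress

# Constructed sample values; the addresses in the question are scrubbed.
OUTSIDE_GW = "192.0.2.1"      # next hop on eth-outside
BACKUP_GW = "198.51.100.1"    # next hop on eth-backup
CLIENT = "203.0.113.10"       # a VPN client that reaches the PIX via eth-backup

# Routing table as (network, egress interface, next hop), mirroring the
# question's single entry: route eth-outside 0.0.0.0 0.0.0.0 <gw> 1
DEFAULT_ONLY = [("0.0.0.0/0", "eth-outside", OUTSIDE_GW)]
# The question's workaround: a host route back out eth-backup for one known client.
WITH_HOST_ROUTE = DEFAULT_ONLY + [(CLIENT + "/32", "eth-backup", BACKUP_GW)]


def route_lookup(routes, dst):
    """Destination-based forwarding: longest prefix match over the table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface, gw)
    return (best[1], best[2]) if best else None


def reply_egress(routes, client):
    """Interface a purely route-driven reply to `client` leaves on."""
    return route_lookup(routes, client)[0]


class FlowTable:
    """Remembers the ingress interface of each client's first packet so replies
    are pinned to it, whatever the routing table says (model only)."""

    def __init__(self):
        self.ingress = {}

    def inbound(self, client, iface):
        # Only the first packet of a flow sets the ingress interface.
        self.ingress.setdefault(client, iface)

    def reply_interface(self, routes, client):
        # Known flow: reply where it came from. Unknown: fall back to routing.
        return self.ingress.get(client) or reply_egress(routes, client)


if __name__ == "__main__":
    print("default route only  ->", reply_egress(DEFAULT_ONLY, CLIENT))      # eth-outside
    print("with /32 host route ->", reply_egress(WITH_HOST_ROUTE, CLIENT))   # eth-backup
    flows = FlowTable()
    flows.inbound(CLIENT, "eth-backup")
    print("flow-pinned reply   ->", flows.reply_interface(DEFAULT_ONLY, CLIENT))  # eth-backup
```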