VPN 3000 route through tunnel to public internet

Unanswered Question
Oct 20th, 2005
User Badges:

Hello All,

I am not an expert with networking so please excuse my layman vocabulary.

We have a VPN 3000 Concentrator using IPSec via the Cisco client to connect users from outside the LAN/WAN. It currently routes all traffic through the tunnel and then nothing gets back out to the internet once it goes in. So our users must disconnect from the VPN to get to the internet.

Split-Tunneling seems like the logical answer to me as long as the clients are behind a personal firewall. However, our Network Administrator thinks that there are no cases where split-tunneling should be used and that it is not possible to route internet traffic through the VPN tunnel. I have read enough about this to know neither of those arguments are true.

To me this seems like a gateway or ip routing setting that is missing or incorrect. Where can I find information on configuring our VPN concentrator to allow traffic to get through the tunnel and back out to the internet?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
froggy3132000 Thu, 10/20/2005 - 14:17
User Badges:
  • Bronze, 100 points or more

Just make sure you set the tunnel default gateway and that gateway knows how to route to the Internet. I am currently doing this now.(for the last 3 years) I just can't seem to figure out how to make it work on an ASA5500 series appliance.

jackko Thu, 10/20/2005 - 17:38
User Badges:
  • Gold, 750 points or more


to configure tunnel default gateway, go configuration > system > ip routing > default gateways, the third option. normally the ip you are going to put is the internal router.


wondering if the command "same-security-traffic permit intra-interface" may do the trick. have you give it a go yet?

matt.weghorst Fri, 10/21/2005 - 06:36
User Badges:

Thanks for the info. I knew I was on the right track and I think I get it now.

The are two different gateways listed, the "Default Gateway", and the "Tunnel Default Gateway". After doing some tracerts and reading the documentation it looks like the one I need to change the "Tunnel Default Gateway".

Just in case I am asked, what is the purpose of the "Default Gateway?" Why does the concentrator need a path out to the public network?



jackko Fri, 10/21/2005 - 22:20
User Badges:
  • Gold, 750 points or more

for one, the concentrator needs to communicate to vpn peers, such as lan-lan vpn peers.

e.g. remote vpn peer <--> www/vpn <--> concentrator <--> inside link.

in case there is no default gateway configured, the concentrator will not be able to communicate to the remote vpn peer, as the concentrator can't determine whether the next hop is via the internet link or the inside net link.

another use is for remote management access of the concentrator, e.g. you would establish a ssh session to the concentrator for management purposes.

jackko Sat, 10/22/2005 - 18:32
User Badges:
  • Gold, 750 points or more

i guess the reason being that the tunnel default gateway is local to the concentrator, not for the remote pc. the remote pc is still terminating the vpn on the public interface of the concentrator, then the concentrator will use the tunnel default gateway as the tunnel traffic next hop.

jackko Thu, 11/03/2005 - 02:41
User Badges:
  • Gold, 750 points or more

just wondering how you go.

well, jackko, thx for your remarks. I'm not sure if I understood it well. I'm still not happy with it. still I get as default router address for the PC. nevertheless besides that, VPN works as expected. I think my basic problem was: no route back to PC. I imagined VPNC would automatically generate route back. instead I had to define static route back for the whole address pool. then it started working. :-) but I still don't know why it is while Cisco example shows real gateway IP address.


This Discussion