3000 Concentrator - Tunnel/Default Gateway

david.bradley
Level 1

Am I correct in the following assumption about the default routes on a VPN concentrator?

If a VPN concentrator establishes a tunnel with a remote client, is all traffic (not destined to the client) sent first towards the tunnel gateway by the concentrator, and the client traffic sent to the default gateway?

So, if that tunnel default gateway pointed towards a PIX on the internal network, you would be able to route all remote VPN users' traffic destined for the internet through the PIX, and then gain some control over the traffic?

The reason I ask this is because you can't have this kind of setup using a second PIX. This is because a remote VPN client's address can't be placed in the routing table (it could be anywhere), so the default gateway has to face the internet directly, so you can't route client traffic into the PIX, then internally, then out another PIX...

3 Replies

awaheed
Cisco Employee

Hi David,

The purpose of having a Tunnel Default Gateway is to handle routing for the internal subnets when the concentrator itself doesn't want to deal with it. Ideally you can even have 0.0.0.0 here and not worry about this, as long as you have the routes in your Concentrator for the inside network. Hence, to sum it up, the Tunnel Default Gateway is used for routing traffic coming through the VPN tunnel destined for the inside network; for all other traffic the Default Gateway is used.

Hi Mario,

Thanks for your question.

I would suggest opening a TAC case on this with the version you are using, and try getting the output of the messages it gives by connecting a console to the PIX; you can follow the steps at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemint.htm#xtocid2 for this. The PIX would not normally crash like this, so this might need to be looked into.

Thanks and Regards,

Aamir Waheed,

Cisco Systems, Inc.

CCIE#8933

-=-=-=-

Thanks for your reply,

So just to clarify,

the tunnel default gateway of 0.0.0.0 will be able to route all traffic for the internet to the inside network, without interrupting remote VPN traffic that could come via any ISP?

Dave

The Tunnel Default Gateway is used for all traffic coming in THROUGH A VPN TUNNEL, so if you have any VPN tunnel traffic coming to the Concentrator it will try to route it on its own, rather than sending it to a specific IP address on the inside.

Hope this helps,

Aamir
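The forwarding rule the two replies describe (a configured route wins; otherwise traffic that arrived through a VPN tunnel goes to the Tunnel Default Gateway, everything else to the normal Default Gateway) is easy to get wrong when reasoning about David's "send remote users' internet traffic through an inside PIX" design. The script below is an added model of that decision written for this thread; it is not Cisco code and does not reproduce the concentrator's real implementation. All addresses, the routing table and the class name `Concentrator` are constructed for the example, and `0.0.0.0` is modelled as "no tunnel default gateway set", which is how the first reply uses it.

```python
"""Constructed model of the VPN 3000 concentrator forwarding decision
discussed in the thread: longest-prefix route first, then the Tunnel
Default Gateway for tunnel-originated traffic, then the Default Gateway.
Example code for this thread, not Cisco's implementation."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed static routes: (destination network, next hop on the inside).
STATIC_ROUTES: List[Tuple] = [
    (ip_network("10.10.0.0/16"), "10.1.1.254"),     # inside user LAN
    (ip_network("10.10.5.0/24"), "10.1.1.253"),     # more specific server subnet
]

# Constructed addresses: Default Gateway faces the internet, the Tunnel
# Default Gateway is the inside interface of the PIX in David's scenario.
INTERNET_GATEWAY = "203.0.113.1"
INSIDE_PIX = "10.1.1.1"


class Concentrator:
    """Minimal forwarding model; assumption, not documented Cisco behaviour."""

    def __init__(self, routes, default_gateway: str,
                 tunnel_default_gateway: Optional[str] = None):
        # Most specific prefix first so the first hit is the longest match.
        self.routes = sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)
        self.default_gateway = default_gateway
        # The reply treats 0.0.0.0 as "not set": fall through to normal routing.
        if tunnel_default_gateway in (None, "0.0.0.0"):
            tunnel_default_gateway = None
        self.tunnel_default_gateway = tunnel_default_gateway

    def next_hop(self, destination: str, arrived_via_tunnel: bool) -> str:
        """Return the next-hop address the packet would be handed to."""
        dst = ip_address(destination)
        for net, hop in self.routes:
            if dst in net:
                return hop                      # a configured route always wins
        if arrived_via_tunnel and self.tunnel_default_gateway:
            return self.tunnel_default_gateway  # decrypted tunnel traffic, no route
        return self.default_gateway             # everything else


# Concentrator as David proposes it: tunnel default gateway = inside PIX.
WITH_TDG = Concentrator(STATIC_ROUTES, INTERNET_GATEWAY, INSIDE_PIX)
# Concentrator with the tunnel default gateway left at 0.0.0.0.
WITHOUT_TDG = Concentrator(STATIC_ROUTES, INTERNET_GATEWAY, "0.0.0.0")


def walk_scenarios(box: Concentrator) -> List[Tuple[str, str]]:
    """Constructed packets covering the cases raised in the thread."""
    cases = [
        ("remote user -> inside server 10.10.5.7 (via tunnel)", "10.10.5.7", True),
        ("remote user -> inside host 10.10.200.9 (via tunnel)", "10.10.200.9", True),
        ("remote user -> internet host 198.51.100.20 (via tunnel)", "198.51.100.20", True),
        # Encrypted reply to the client's public address: not tunnel-originated,
        # so the client never needs an entry in the routing table.
        ("concentrator -> client public IP 198.51.100.20 (not via tunnel)", "198.51.100.20", False),
    ]
    return [(label, box.next_hop(dst, via)) for label, dst, via in cases]


if __name__ == "__main__":
    for name, box in (("with tunnel default gateway", WITH_TDG),
                      ("tunnel default gateway 0.0.0.0", WITHOUT_TDG)):
        print(f"== {name} ==")
        for label, hop in walk_scenarios(box):
            print(f"{label:<62} -> {hop}")
```

Running it shows the distinction both replies make: with the Tunnel Default Gateway set to the PIX, a remote user's internet-bound packet that matches no inside route is handed to the PIX, while the encrypted reply toward the client's public address still leaves through the internet-facing Default Gateway because it did not arrive through a tunnel. With the Tunnel Default Gateway at 0.0.0.0, tunnel traffic for the inside networks still follows the configured routes and only the internet-bound case changes, going straight to the Default Gateway.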