Am I correct in the following assumption of the default routes on a VPN concentrator..?
If a VPN concentrator establishes a tunnel with a remote client, is all traffic (not destined to the client) sent first towards the tunnel default gateway by the concentrator, and the client traffic sent to the default gateway?
So, if that tunnel default gateway pointed towards a PIX on the internal network, would you be able to route all remote VPN users' traffic destined for the internet through the PIX, and then gain some control over the traffic?
The reason I ask this is because you can't have this kind of setup using a second PIX. This is because a remote VPN client's address can't be placed in the routing table (it could be anywhere), so the default gateway has to face the internet directly; so you can't route client traffic into the PIX, then internally, then out another PIX...
The purpose of having a Tunnel Default gateway is to make Routing for the Internal Subnets, when the concentrator itself doesn't want to deal with it. Ideally you can even have a 0.0.0.0 here and not worry about this as long as you have the Routes in your Concentrator for the Inside network. Hence to sum it up, the Tunnel Default Gateway is used for routing traffic coming through the VPN tunnel destined for the Inside network, for all other traffic the Default Gateway is used.
The tunnel default gateway is used for all traffic coming in THROUGH A VPN TUNNEL, so if you have any VPN tunnel traffic coming to the concentrator it will try to route it on its own, rather than sending it to a specific IP address on the inside.
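To make the forwarding rule in the answers above concrete, here is a small added model of the concentrator's next-hop decision. It is illustration written for this page, not code from the original posters or from any Cisco product: it only encodes the rule "traffic that arrived through a tunnel and matches no inside route goes to the tunnel default gateway; everything else follows the normal routing table", and it also plays through the questioner's scenario of pointing the tunnel default gateway at an internal PIX so that remote users' internet traffic passes through it. All prefixes, addresses and the client pool are constructed examples; check the device documentation for the exact behaviour of your platform.

```python
"""Model of a VPN concentrator's next-hop choice (added example, not vendor code).

Constructed routing state: a few inside routes, an internet-facing default
gateway, a client address pool, and a tunnel default gateway that points at
a hypothetical internal firewall.
"""
import ipaddress

# Constructed inside routes on the concentrator: (prefix, next hop).
INSIDE_ROUTES = [
    (ipaddress.ip_network("10.1.0.0/16"), "10.1.0.1"),
    (ipaddress.ip_network("192.168.50.0/24"), "10.1.0.1"),
]
# Addresses the concentrator assigns to remote-access clients (constructed).
CLIENT_POOL = ipaddress.ip_network("172.16.99.0/24")
# Next hop towards the internet (constructed, TEST-NET-3 range).
DEFAULT_GATEWAY = "203.0.113.1"
# Hypothetical internal PIX configured as the tunnel default gateway.
TUNNEL_DEFAULT_GATEWAY = "10.1.0.254"


def lookup_inside(dst: str):
    """Longest-prefix match against INSIDE_ROUTES; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in INSIDE_ROUTES:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    return best[1] if best else None


def next_hop(dst: str, from_tunnel: bool,
             tunnel_default_gateway: str = TUNNEL_DEFAULT_GATEWAY) -> str:
    """Return where the concentrator forwards a packet addressed to dst.

    from_tunnel says whether the packet arrived through a remote-access tunnel.
    A tunnel default gateway of "0.0.0.0" means "not set": tunnel traffic then
    simply follows the concentrator's own routing table, as the answer notes.
    """
    addr = ipaddress.ip_address(dst)
    if addr in CLIENT_POOL:
        # Destined to a connected client: encapsulated back into its tunnel,
        # so the client address never needs to appear in the routing table.
        return f"tunnel:{dst}"
    hop = lookup_inside(dst)
    if hop is not None:
        return hop
    if from_tunnel and tunnel_default_gateway != "0.0.0.0":
        # Tunnel-sourced traffic with no inside route: hand it to the tunnel
        # default gateway (here the internal PIX) instead of the internet.
        return tunnel_default_gateway
    return DEFAULT_GATEWAY


def trace_flows(flows, tunnel_default_gateway: str = TUNNEL_DEFAULT_GATEWAY):
    """Resolve a list of (description, dst, from_tunnel) tuples to next hops."""
    return [(desc, dst, next_hop(dst, from_tunnel, tunnel_default_gateway))
            for desc, dst, from_tunnel in flows]


# Constructed sample flows covering the cases discussed in the thread.
SAMPLE_FLOWS = [
    ("VPN client -> inside host", "10.1.5.7", True),
    ("VPN client -> internet", "198.51.100.20", True),
    ("inside host -> VPN client", "172.16.99.10", False),
    ("concentrator itself -> internet", "198.51.100.20", False),
]

if __name__ == "__main__":
    print("tunnel default gateway = internal PIX:")
    for desc, dst, hop in trace_flows(SAMPLE_FLOWS):
        print(f"  {desc:32} {dst:16} -> {hop}")
    print("tunnel default gateway unset (0.0.0.0):")
    for desc, dst, hop in trace_flows(SAMPLE_FLOWS, "0.0.0.0"):
        print(f"  {desc:32} {dst:16} -> {hop}")
```

Running it shows the two behaviours side by side: with the tunnel default gateway set, a VPN client's internet-bound packet is sent to the PIX at 10.1.0.254 while the concentrator's own internet traffic still uses 203.0.113.1; with it left at 0.0.0.0, tunnel traffic that matches no inside route falls through to the ordinary default gateway. Whether the PIX can then return that traffic to the concentrator correctly is a separate routing question on the PIX side and is not modelled here.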