We had trouble at an account that recently installed a concentrator to terminate remote users via IPSEC tunnels. No problem there. The problem was that all users' default gateway points to the trusted interface of the PIX. Inbound users, once authenticated and placed on the LAN, were directed to the PIX by the servers that they needed (email) instead of the path via the concentrator. The PIX cannot have a static route on the trusted interface, nor do ICMP redirects. Has anyone run into this, or have any workable configs?
I am wondering if a layer 3 switch is needed to sit behind the PIX and the VPN concentrator.
Re: Problems with PIX in parallel to VPN concentrator
Rather common problem that we see. Yes, the PIX will not redirect packets back out the same interface where they were received. The work-arounds for this are to either add a layer 3 device inside the PIX and concentrator and change the default gateway on the internal LAN to this device. This new device would be responsible for making the routing decision of where to send the packet next. I have seen people do this with a single interface 2500. Obviously, an L3 switch would be better but you are not limited here.
One other option (if you have a PIX with multiple interfaces) is to hang the concentrator off of a DMZ interface on the PIX. This way, the PIX would not need to redirect the packets to the concentrator but could rather route them to the appropriate interface. Sorry for the problems but this is a design flaw that a lot of people make.
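A small simulation of the routing behaviour described in this reply (the PIX refusing to send a packet back out the interface it arrived on, versus an inside L3 device or a DMZ-attached concentrator making the hop). This is an added illustration, not code from the thread; all addresses, device and interface names are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed example addressing; none of these values come from the thread.
VPN_POOL = ip_network("10.9.0.0/24")  # addresses the concentrator hands to remote users
ANY = ip_network("0.0.0.0/0")

class L3Device:
    """Ordinary router: longest-prefix match over (network, egress_if, next_hop)."""
    def __init__(self, name, routes):
        self.name = name
        self.routes = sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)

    def forward(self, dst, ingress_if):
        for net, egress_if, next_hop in self.routes:
            if dst in net:
                return egress_if, next_hop
        return None, None

class Pix(L3Device):
    """PIX behaviour from the reply: it will not send a packet back out the
    interface it arrived on, so an inside-to-inside hairpin is dropped."""
    def forward(self, dst, ingress_if):
        egress_if, next_hop = super().forward(dst, ingress_if)
        if egress_if == ingress_if:
            return None, None
        return egress_if, next_hop

# Hypothetical topology: the concentrator's private side and the PIX inside
# interface share the LAN; "inside-router" is the proposed L3 device.
concentrator = L3Device("concentrator", [(VPN_POOL, "tunnel", None)])
pix = Pix("pix", [(VPN_POOL, "inside", "concentrator"), (ANY, "outside", None)])
pix_dmz = Pix("pix-dmz", [(VPN_POOL, "dmz", "concentrator"), (ANY, "outside", None)])  # concentrator on a DMZ
inside_router = L3Device("inside-router", [(VPN_POOL, "inside", "concentrator"), (ANY, "inside", "pix")])
DEVICES = {d.name: d for d in (concentrator, pix, pix_dmz, inside_router)}

def reply_path(gateway, dst, max_hops=5):
    """Follow a LAN server's reply from its default gateway; return the devices
    traversed followed by 'delivered' or 'dropped'."""
    path, hop, ingress = [], gateway, "inside"
    dst = ip_address(dst)
    while hop is not None and len(path) < max_hops:
        dev = DEVICES[hop]
        path.append(dev.name)
        egress, hop = dev.forward(dst, ingress)
        if egress is None:
            return path + ["dropped"]
        if hop is None:
            return path + ["delivered"]
        ingress = egress
    return path + ["loop"]
```

Calling `reply_path("pix", "10.9.0.5")` shows the drop the question describes, while `reply_path("inside-router", "10.9.0.5")` and `reply_path("pix-dmz", "10.9.0.5")` show the two fixes from the reply reaching the concentrator, and Internet-bound traffic still leaves via the PIX.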