Community Member

Sending traffic from VPN clients through the PIX to the Internet

Is it possible to send traffic from Cisco VPN clients to the Internet through the PIX firewall? I don't want to use split tunneling.

This is what is logged in the PIX:

106011: Deny inbound (No xlate) tcp src outside:x.x.x.x/3048 dst outside:y.y.y.y/23

x.x.x.x = VPN client pool

y.y.y.y = Server on the Internet

Can this be done at all or is there a limitation in the PIX firewall preventing this?

Thanks,

3 REPLIES
Cisco Employee

Re: Sending traffic from VPN clients through the PIX to the Inte

The PIX won't allow traffic to be routed out the same interface it came in on, that includes traffic coming in over a VPN tunnel and going back out unencrypted to the Internet.

You can do it if you follow this sample:

http://www.cisco.com/warp/public/110/client-pixhub.html

but it requires two external interfaces on the PIX (something you may not have), and with VPN clients the routing would be a nightmare, you'd have to add specific static routes for the VPN clients subnets, probably unworkable in the long run.

Short answer, no, you can't do it without doing split tunnelling. Keep in mind the VPN client has a built-in firewall in it now that will disallow any external connection from being accepted, negating most of the risks of split tunnelling. You can even have this firewall enabled all the time, even when the tunnel isn't connected, further securing your PCs.
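The 106011 "Deny inbound (No xlate)" message quoted in the question is the symptom of a VPN client trying to hairpin out the same interface it arrived on. The following is an added example, not code from this thread or from Cisco: it parses such PIX syslog lines and reports only the ones where the source and destination interface are the same and the source address falls in an assumed VPN client pool (10.10.10.0/24), so an operator can tell hairpin denies apart from ordinary unsolicited inbound traffic. The log lines are constructed samples.

```python
import ipaddress
import re

# Constructed sample PIX syslog lines (not taken from the thread); RFC 5737 addresses.
SAMPLE_LOG = """\
106011: Deny inbound (No xlate) tcp src outside:10.10.10.5/3048 dst outside:203.0.113.20/23
106011: Deny inbound (No xlate) tcp src outside:10.10.10.7/1045 dst outside:203.0.113.40/80
106011: Deny inbound (No xlate) udp src outside:198.51.100.9/5000 dst outside:203.0.113.20/53
302013: Built outbound TCP connection 12 for outside:203.0.113.20/80 (203.0.113.20/80) to inside:192.168.1.10/4000 (203.0.113.1/4000)
"""

# Assumed VPN client address pool (the thread's x.x.x.x); adjust to the real pool.
VPN_POOL = ipaddress.ip_network("10.10.10.0/24")

MSG_106011 = re.compile(
    r"106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_106011(line):
    """Return the fields of a 106011 message as a dict, or None for other messages."""
    m = MSG_106011.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def find_hairpin_denies(log_text, pool=VPN_POOL):
    """Keep 106011 denies whose source is a VPN client and whose ingress and
    egress interface are identical: the 'same interface in and out' case."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_106011(line)
        if rec is None:
            continue
        same_interface = rec["src_if"] == rec["dst_if"]
        from_vpn_client = ipaddress.ip_address(rec["src_ip"]) in pool
        if same_interface and from_vpn_client:
            hits.append(rec)
    return hits


def count_by_client(hits):
    """Number of hairpin denies per VPN client address, for a quick summary."""
    counts = {}
    for rec in hits:
        counts[rec["src_ip"]] = counts.get(rec["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in find_hairpin_denies(SAMPLE_LOG):
        print(f"{rec['src_ip']} -> {rec['dst_ip']}:{rec['dst_port']} ({rec['proto']}) hairpin denied")
```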

Community Member

Re: Sending traffic from VPN clients through the PIX to the Inte

Is it possible to disallow VPN clients that don't have the integrated firewall enabled to connect to the PIX?

I know this is possible with a VPN concentrator, but is this possible with the PIX firewall?

Thanks.

Community Member

Re: Sending traffic from VPN clients through the PIX to the Inte

Although you can't do this directly, you can if you have a proxy server on a DMZ. In this case the client makes all its connections to the proxy and the proxy makes all the Internet connections. You don't then have to use split-tunnelling.

Andrew.
