VPN 3000 Configuration Question

flaquerre · ‎11-12-2003

Hi

I would like to know if this configuration is possible:

I have 2 devices at the entrance of the internet: 1st is a PIX Firewall and the other is a VPN Concentrator 3000. EZ Vpn client connect to the vpn concentrator. I would like to have traffics destined for the internet coming from the VPN clients to go throught the VPN, the internal network then going out throught the PIX firewall so I can manage the internet traffic of my EZ VPN Clients.

So, in short, I would like to set the default gateway of the tunneled traffic coming from the Client to the inside interface of my pix.

Is that possible?

Frederick Laquerre

gfullage · ‎11-12-2003

Sure, a lot of customers do this. Set the Tunnel Default Gateway on the concentrator to be the PIX's inside IP address. Then on the PIX add a route for the VPN pool of addresses pointing to the private interface of the 3000 (this is for the return traffic from the Internet). Also make sure the VPN pool of addresses is included in the nat commands on the PIX so that they'll be able to go out through it.

That should be all you need to do. This assumes of course that the two devices are connected in parallel. If the 3000 is connected to the DMZ of the PIX say, then the similar config stands but point the TDG to the DMZ address of the PIX obviously, and add a "nat (dmz) 1 " command into the PIX. You get the idea.