Cisco Support Community
Community Member

vpn and internet access

Head office with a PIX 520 and a router as a gateway to the internet. 17 branch offices with PIX 506 and a router as a gateway to the internet. VPN works fine to head office, but like others we would like to have all internet traffic going through head office. My Cisco distributor says it's no problem, however I can't get it to work. Others say I won't get it to work, because PIX are only "forwarders" and not routers.

Can someone give me a final answer?

Best regards, Lars

Cisco Employee

Re: vpn and internet access

When a PIX receives a packet from an interface, it will never redirect the packet out the same interface again. You will see the system message "Deny selfroute".

In a PIX design you should use split tunneling at the remote sites, to allow internet traffic to flow directly from the remote sites to the external networks, without using the VPN tunnel to the central site.

If you must send all traffic to the central site, due to security policy considerations, you must make sure that your central PIX has an alternative route to the internet that does not use its outside interface, or the interface that the VPN arrives through.
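Added example, not part of the original thread: a sketch of the split-tunnel layout the reply recommends, as it could look on one branch PIX 506 in PIX 6.x syntax. All addresses, the pre-shared key placeholder and the names `vpn-to-ho`, `branchmap` and `ho-set` are constructed for illustration (branch LAN 10.1.1.0/24, head-office LAN 10.0.0.0/24, head-office PIX outside address 192.0.2.1).

```cisco
: Constructed example, branch PIX 506, split tunneling.
: Lines starting with a colon are comments.

: 1. Crypto ACL: only branch-LAN to head-office-LAN traffic is "interesting".
:    Anything not matched here is never put into the tunnel.
access-list vpn-to-ho permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0

: 2. Tunnel traffic bypasses NAT; everything else is PATed to the outside
:    interface address and leaves directly via the branch router.
nat (inside) 0 access-list vpn-to-ho
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

: 3. IPsec to the head-office PIX, bound to the crypto ACL above.
sysopt connection permit-ipsec
crypto ipsec transform-set ho-set esp-3des esp-sha-hmac
crypto map branchmap 10 ipsec-isakmp
crypto map branchmap 10 match address vpn-to-ho
crypto map branchmap 10 set peer 192.0.2.1
crypto map branchmap 10 set transform-set ho-set
crypto map branchmap interface outside

: 4. IKE with a pre-shared key (placeholder value, replace before use).
isakmp enable outside
isakmp key <PRE-SHARED-KEY> address 192.0.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2

: What does NOT work on the head-office PIX: widening the crypto ACL to
: "permit ip 10.1.1.0 255.255.255.0 any" so that branch internet traffic
: arrives over the tunnel. The head-office PIX would receive it on outside
: and have to send it back out of outside, which it refuses to do.
```

With this layout each branch's internet traffic is only subject to that branch PIX's own policy, so any filtering that was meant to happen at head office has to be applied on every branch PIX instead.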
