Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN client default route

I have a pix 515 and am using the vpn client 3.5.1 to connect users from the internet. Currently I have a split tunnel that puts 10./8 traffic over the vpn and everything else over the local network. What I would like to do is break the tunnel and have all the clients traffic either go through the pix or forward out to my netbsd gateway. Can anyone help with this.

Toby

  • Other Security Subjects
4 REPLIES
New Member

Re: VPN client default route

I am not sure what the netbsd gateway is but I've found that the PIX VPN won't forward traffic out the same port it came in on. If the netbsd is some kind of proxy server I'd think you could use it for the VPN users but I'm just guessing on that one. You can enable the "stateful firewall" on the client which would add some security to the remote node.

New Member

Re: VPN client default route

This is essentially how we are layed out:

Internet

|

------------------

| |

PIX NetBSD

| |

------------------

|

Internal Network

The VPN connections come into the pix, but all internal network traffic goes out the netbsd. I want to be able to disable local lan access on the vpn client and have the clients internet traffic go through the PIX and out the netbsd. I can always set the proxy server option on the client and then http goes through the squid on the netbsd, but I would like to be able to route all the traffic not just proxy http. Thanks for your help, at least now I can narrow it down a bit.

New Member

Re: VPN client default route

If I understand you correctly, you want all of your VPN traffic to go back out thought the PIX to access the Internet. Is this to prevent the user from having unsecured connections while connected to your Private net? The only problem with your layout is that the PIX isn't a router. It cannot re-route traffic out of an interface that it came in on. So users coming in on (Outside) via the VPN to access (inside/DMZ, whatever) cannot go back out through (Outside) to access the web.

New Member

Re: VPN client default route

You have got the general idea, but I can also live with routing all traffic to the netbsd box, which is on the inside interface, and out to the internet that way. Can I do that?

109
Views
0
Helpful
4
Replies