web browsing through vpn

r.crist
Level 1

This Q has probably been presented a thousand times. So, I hate to make it a thousand and one, but here goes...

I have a VPN terminated on a PIX-535. Clients authenticate and have access to internal resources with no problems. They cannot, however, browse the web through the tunnel. Split-tunnelling is not an option. I configured NAT for the range of VPN IP addresses and applied appropriate ACLs, but still no luck. Does the PIX logically see this traffic as being sourced from its inside network, even though it's physically originating from the outside interface? Any suggestions/links will be appreciated.

Thanks,

Rich

1 Accepted Solution

Accepted Solutions

l.mourits
Level 5

Hello Rich,

I assume that you have your users coming in via an IPsec tunnel on the outside interface, and you want them to connect to the Internet (which is also on the outside interface). If this is correct, then I'm sorry to disappoint you, but the PIX will never let packets leave the same interface that the packets entered on.

Retrospectively, a better choice would have been a VPN Concentrator for this. The only other option is to use split tunneling, or to connect a second Internet uplink on another interface (if you have one available) on which the IPsec tunnel terminates.

Sorry,

Leo

3 Replies

Hi Leo:

Thanks for the reply. I told my boss on Friday afternoon that, by design, firewalls won't forward traffic out the same interface it's received on. That's when I started wondering how the PIX views the tunneled traffic and posted this message.

Thanks again,

Rich

Hello Rich,

Maybe you want to install a proxy server in your DMZ or internal LAN. The advantage of this solution is that you can also run some content checking and AV on the web traffic.

Bye

Andre
