10-03-2003 12:14 PM - edited 02-21-2020 12:48 PM
This Q has probably been presented a thousand times. So, I hate to make it a thousand and one, but here goes...
I have a VPN terminated on a PIX-535. Clients authenticate and have access to internal resources with no problems. They cannot, however, browse the web through the tunnel. Split-tunnelling is not an option. I configured NAT for the range of VPN IP addresses and applied appropriate ACLs, but still no luck. Does the PIX logically see this traffic as being sourced from its inside network, even though it's physically originating from the outside interface? Any suggestions/links will be appreciated.
Thanks,
Rich
10-03-2003 01:14 PM
Hello Rich,
I assume that you have your users coming in via an IPsec tunnel on the outside interface, and you want them to connect to the Internet (which is also on the outside interface). If this is correct, then I'm sorry to disappoint you, but the PIX will never let packets leave the same interface that the packets entered on.
In retrospect, a better choice would have been a VPN Concentrator for this. The only other option is to use split tunneling, or to connect a second Internet uplink on another interface (if you have one available) on which the IPsec tunnel terminates.
Sorry,
Leo
10-06-2003 03:49 AM
Hi Leo:
Thanks for the reply. I told my boss on Friday afternoon that by design firewalls won't forward traffic out the same interface it's received on. That's when I started wondering how the PIX views the tunneled traffic, and posted this message.
Thanks again,
Rich
10-12-2003 06:55 AM
Hello Rich,
Maybe you want to install a proxy server in your DMZ or internal LAN. The advantage of this solution is that you can also run some content checking and AV on the web traffic.
Bye
Andre