Cisco Support Community
New Member

web browsing through vpn

This Q has probably been presented a thousand times. So, I hate to make it a thousand and one, but here goes..

I have a vpn terminated on a pix-535. Clients authenticate and have access to internal resources with no problems. They cannot, however, browse the web through the tunnel. Split-tunnelling is not an option. I configured NAT for the range of vpn ip addresses and applied appropriate acls, but still no luck. Does the pix logically see this traffic as being sourced from his inside network, even though it's physically originating from the outside interface? Any suggestions/link will be appreciated.

Thanks,

Rich

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: web browsing through vpn

Hello Rich,

I assume that you have your users coming in via an ipsec-tunnel on the outside interface, and you want them to connect to the internet (which is also on the outside interface). If this is correct, then I'm sorry to disappoint you, but the PIX will never let packets leave the same interface that the packets entered on.

Retrospectively, a better choice would have been a VPN Concentrator for this. Only other option is to use split tunneling, or connect a second Internet uplink on another interface (if you have one available) on which the ipsec-tunnel terminates.

Sorry,

Leo

3 REPLIES
New Member

Re: web browsing through vpn

Hi Leo:

Thanks for the reply. I told my boss on Friday afternoon that by design firewalls won't forward traffic out the same interface it's received on. That's when I started wondering how the PIX views the tunneled traffic and posted this message.

Thanks again,

Rich

New Member

Re: web browsing through vpn

Hello Rich,

maybe you want to install a proxy server in your DMZ or internal LAN. The advantage of this solution is that you can also run some content checking and AV on the web traffic.

Bye

Andre
