Cisco Support Community

Access to internet by a external firewall and PIX for tunnel


I have a Pix 501 that establishes a tunnel with a VPN 3000 Concentrator. I need the people who work in the network of the Pix to be able to access Corporate applications through the tunnel, but they also need to browse through an external firewall and not use the tunnel for their access to the Internet. How can I achieve this?

I think that is a route problem

The tunnel works fine, so I only transcribe the other part of the configuration.

access-list 102 permit ip

ip address outside

ip address inside

nat (inside) 0 access-list 102

------this is the ip address of the external firewall--------

route inside 1


route outside 1

---this is the IP of the router of the Internet service provider ---

sysopt connection permit-ipsec

Thanks in advance


Re: Access to internet by a external firewall and PIX for tunnel

instead of configuring "route outside", it would be better just to configure a default gateway pointing to the isp.


no route outside

route outside 0 0

with this route configured, pix will forward all outbound packets to the isp.

further, to browse the internet, you would need to nat/pat the lan to a public ip as well.

e.g. to configure pat for internet browsing:

global (outside) 1 interface

nat (inside) 1 0 0

providing you configure the default route and the nat/global statement, and the acl 102 is used as the interesting traffic for the lan-lan vpn, then local users should be able to browse the internet directly.
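
The split the reply describes, as an added example that is not part of the original thread: a simplified Python model of how an outbound packet is treated once ACL 102, the PAT pair and the default route are in place, plus a check for an ACL 102 entry that would pull Internet traffic into the tunnel. The networks and addresses are constructed placeholders (the thread's own addresses are not shown), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample addressing; the thread's real addresses are not shown.
LAN = ipaddress.ip_network("192.168.10.0/24")      # hypothetical PIX inside network
CORPORATE = ipaddress.ip_network("10.0.0.0/8")     # hypothetical network behind the VPN 3000
OUTSIDE_IP = ipaddress.ip_address("203.0.113.2")   # hypothetical PIX outside interface
ANY = ipaddress.ip_network("0.0.0.0/0")

# Models "access-list 102 permit ip <LAN> <CORPORATE>" as (source, destination) pairs.
ACL_102 = [(LAN, CORPORATE)]


def acl_matches(acl, src, dst):
    """True if any permit entry covers both the source and the destination."""
    return any(src in s and dst in d for s, d in acl)


def classify(src, dst, acl=ACL_102):
    """Return (path, source_seen_on_outside) for a packet arriving on inside.

    Simplified model: a packet matching ACL 102 is exempt from translation
    ("nat (inside) 0 access-list 102") and is interesting traffic for the
    tunnel. Anything else is PATed to the outside interface
    ("nat (inside) 1 0 0" with "global (outside) 1 interface") and follows
    the default route to the ISP unencrypted.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if acl_matches(acl, src, dst):
        return ("ipsec-tunnel", str(src))
    return ("internet-pat", str(OUTSIDE_IP))


def audit_acl(acl):
    """Return entries whose destination is 'any'.

    Such an entry matches every destination, so Internet traffic would be
    exempted from PAT and selected for the tunnel instead of going direct.
    """
    return [(s, d) for s, d in acl if d == ANY]


if __name__ == "__main__":
    for dst in ("10.1.2.3", "198.51.100.7"):
        print(dst, classify("192.168.10.5", dst))
    print("over-broad entries:", audit_acl(ACL_102))
```
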
