Cisco Support Community
New Member

Remote Access VPN Configuration + U-Turn

I have configured Remote Access VPN on a PIX 515E running PIX OS 7.2(2). I am able to connect via the Cisco VPN Client and pass traffic to the Internet, but it appears to be U-turned rather than sent to another device for inspection. I have enabled the feature to send all VPN traffic to an inside host rather than having the firewall re-route it (tunnel default gateway), but it still acts like it is split-tunneling/U-turning. We need this traffic to be inspected by an Internet filtering appliance to ensure our users adhere to our policies while on our LAN. I am able to access everything on our LAN just fine, but once I go to the Internet, it is as though I am connected directly to the Internet and not passing through our filters. Any suggestions on where to look in my configuration would be a great help.

3 REPLIES
Green

Re: Remote Access VPN Configuration + U-Turn

Is your Internet filter outside the firewall? If so, then you could do public Internet on a stick.

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

Just read your post more carefully; I think your filter is on the inside, correct?

Cisco Employee

Re: Remote Access VPN Configuration + U-Turn

Hi,

The tunnel default gateway should point to the filter (make sure the filter's IP is in the same subnet as the inside interface).

The filter's default gateway should again be the ASA's inside interface.

Disable "ip verify reverse-path" on the inside interface.

Create a NAT rule on inside for the VPN client pool, e.g.:

nat (inside) 1 <vpn-pool-network> <mask>

global (outside) 1 interface

Remove any existing "nat (outside) ..." rules, which are required only when you U-turn the traffic.

HTH,

-Kanishka
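The steps in the reply above, laid out as one PIX 7.2 configuration fragment. This is an added illustration, not configuration posted in the thread; the interface, tunnel-group and group-policy names, the addresses (inside 10.1.1.1/24, filter 10.1.1.50, VPN pool 10.1.100.0/24) and the pool are assumptions chosen only to make the example concrete.

```cisco
! Assumed addressing (not from the thread):
!   inside interface 10.1.1.1/24, filtering appliance 10.1.1.50 (same subnet),
!   VPN client pool 10.1.100.0/24
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
ip local pool VPNPOOL 10.1.100.1-10.1.100.254 mask 255.255.255.0
!
! Full tunnel: clients send all traffic through the VPN (no split tunnel)
group-policy RA-GP internal
group-policy RA-GP attributes
 split-tunnel-policy tunnelall
!
tunnel-group RA-VPN type ipsec-ra
tunnel-group RA-VPN general-attributes
 address-pool VPNPOOL
 default-group-policy RA-GP
!
! Step 1: tunnel default gateway. The "tunneled" keyword applies this default
! route only to decrypted VPN traffic, which is handed to the filter on inside
! instead of being routed straight back out of outside.
route inside 0.0.0.0 0.0.0.0 10.1.1.50 tunneled
!
! Step 2 is on the filter itself: its default gateway must be 10.1.1.1.
!
! Step 3: the uRPF check on inside would drop packets arriving from the filter
! with a VPN-pool source address, so it is turned off on that interface.
no ip verify reverse-path interface inside
!
! Step 4: when the filter returns the traffic on inside, the PIX NATs the pool
! to the outside interface address on its way to the Internet.
nat (inside) 1 10.1.100.0 255.255.255.0
global (outside) 1 interface
!
! Step 5: the "nat (outside)" rule that served the U-turn path is removed.
no nat (outside) 1 10.1.100.0 255.255.255.0
```

Two things a practitioner would want to check after applying this: confirm the tunneled route with "show running-config route" and, with a client connected, watch "show xlate" to see the pool address translated on the way out. Turning off "ip verify reverse-path" on inside removes the anti-spoofing check for every host on that interface, not just the filter; that is the cost of this design and is worth noting in the change record.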

New Member

Re: Remote Access VPN Configuration + U-Turn

FYI, the recommended fix above does not work.
