New Member

VPN client access internet via HQ tunnel

Hi,

Right now I have a VPN client logging into a 2811 HQ. I would like to have the VPN client surf the internet via the 2811 internet access line. The reason is that the internet connection for the VPN client user is bad; however, the connection to the 2811 box is OK and the 2811 has good internet access.

How can I configure this so that the VPN client will log into the HQ 2811 and access the internet via the HQ 2811 internet line?

Take note that the termination point for VPN and internet access is the same, meaning there is only 1 WAN link on the 2811.

7 REPLIES
New Member

Re: VPN client access internet via HQ tunnel

Hi Allanl,

I can just say that with PIX 6.x OS you can't have the packet return from the interface it has entered; however, with IOS Firewall I'm not sure.

Could you please check the properties of the IOS Firewall? You could probably configure a static route for the guys who come from the ADSL IPSec tunnel and return from the same interface on the router to the Internet.

If the IOS Firewall doesn't allow this configuration, then you need to have a separate connection to Internet / IPSec VPN from the ADSL clients.

New Member

Re: VPN client access internet via HQ tunnel

Hi

I get what you mean; this is also what I need to find out from the user in Indonesia. But in the meantime, I just want to find out whether this is feasible.

Thanks

Gold

Re: VPN client access internet via HQ tunnel

just a couple of quick comments.

the router doesn't have the "no re-route back to the same interface" restriction.

you mentioned, "The reason is that the internet connection for the vpn client user is bad". just wondering how it would help, provided the remote vpn connection is still going to rely on the vpn user's (home) internet.

e.g. if the home internet keeps dropping, the remote vpn connection will be dropped, as well as the internet browsing via the router.

Gold

Re: VPN client access internet via HQ tunnel

it's feasible.

one option is to disable split tunnel (i.e. tunnel everything), and configure a proxy server at the head office.

another option is to disable split tunnel, and configure a loopback address for the vpn client pool to nat/pat.

Bronze

Re: VPN client access internet via HQ tunnel

Hi Jackko,

In the second option, which will be the NAT inside interface?

Is there any means by which this can be achieved on a VPN Concentrator?

Regards,

Shijo George.

Gold

Re: VPN client access internet via HQ tunnel

the nat inside will be on the loopback interface.

with concentrator, you need to configure tunnel default gateway (configuration > system > ip routing > default gateway), which usually is the internal router.

New Member

Re: VPN client access internet via HQ tunnel

Hi Jakko,

Then what will be the IP range for the loopback interface, the same as the VPN client pool? Then in the ACL we just allow this range for the NAT?

Thanks
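
The second option discussed in this thread (split tunnel disabled, client pool NATed through a loopback on a single-WAN router), sketched as an added example that is not part of any poster's reply. All addresses, the interface name, the group and pool names, and the ACL numbers are constructed assumptions; in this sketch the loopback sits in its own small subnet rather than in the client pool, and the rest of the remote-access VPN configuration (AAA, ISAKMP policy, crypto map) is assumed to exist already.

```cisco
! Constructed values (assumptions, not from the thread):
!   VPN client pool  192.168.1.0/24
!   Loopback subnet  10.11.0.0/30
!   WAN interface    FastEthernet0/0 (VPN termination and internet on one link)
!
! Split tunnel disabled: the client group carries no "acl" line,
! so the client sends all of its traffic into the tunnel.
crypto isakmp client configuration group VPNGROUP
 key <pre-shared-key-placeholder>
 pool VPNPOOL
!
ip local pool VPNPOOL 192.168.1.1 192.168.1.254
!
! The loopback is the NAT inside interface.
interface Loopback0
 ip address 10.11.0.1 255.255.255.252
 ip nat inside
!
! The single WAN link is NAT outside. Decrypted client packets arrive here,
! so they are policy-routed through the loopback to cross inside -> outside.
! The existing crypto map stays applied to this interface.
interface FastEthernet0/0
 ip nat outside
 ip policy route-map VPN-CLIENT
!
! ACL 144: only traffic sourced from the client pool is policy-routed.
access-list 144 permit ip 192.168.1.0 0.0.0.255 any
route-map VPN-CLIENT permit 10
 match ip address 144
 set ip next-hop 10.11.0.2
!
! ACL 101: only the client pool is translated (PAT on the WAN address).
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/0 overload
```

With a client connected and browsing, `show ip nat translations` should list entries whose inside local addresses fall in the client pool; keeping both ACLs scoped to the pool prevents the router from translating or hairpinning any other traffic.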
