PIX : provide Internet access to VPN clients without split tunnel

Discussion in 'Cisco' started by free, Dec 16, 2004.

  1. free

    free Guest

    I want to provide Internet access to my VPN users without using split
    tunnel. I know that it is not possible to route traffic by the same
    interface as the packets come in. So I set up a default route to
    another interface. But...in that case, during ISAKMP negotiation, packets are routed
    to this default route and VPN clients are unable to get an answer. How can I set
    up in Pix rules that IPSEC packets should be routed to the VPN interface?

    I hope the schema below will help to understand my poor English:




    Internet ------- Linux router ----- Pix Firewall ----- Internal LAN
    |
    |
    |
    Internet (VPN client access)


    Thank you in advance for your advice or recommendations.
     
    free, Dec 16, 2004
    #1

  2. free

    Tosh Guest

    Re: provide Internet access to VPN clients without split tunnel

    >I want to provide Internet access to my VPN users without using split

    The only thing I can think of is a proxy in the internal lan.
    Bye,
    Tosh.
     
    Tosh, Dec 17, 2004
    #2

  3. In article <41c178e0$0$11878$>,
    free <> wrote:
    :I want to provide Internet access to my VPN users without using split
    :tunnel. I know that it is not possible to route traffic by the same
    :interface as the packets come in. So I set up a default route to
    :another interface. But...in that case, during ISAKMP negotiation, packets are routed
    :to this default route and VPN clients are unable to get an answer. How can I set
    :up in Pix rules that IPSEC packets should be routed to the VPN interface?

    You can't do anywhere close to that kind of policy routing.

    See the below for ideas:

    http://groups.google.ca/groups?selm=c53rla$76q$
    --
    Most Windows users will run any old attachment you send them, so if
    you want to implicate someone you can just send them a Trojan
    -- Adam Langley
     
    Walter Roberson, Dec 17, 2004
    #3