
How can I redirect a VPN user's Internet traffic through our PIX?

Status
Not open for further replies.

skhoury

IS-IT--Management
Nov 28, 2003
386
US
Hello all,

I have a PIX515 setup with a VPN already built. I have split tunnelling disabled on the device. The client laptops are using the Cisco VPN Client. When they are connected via the VPN client they lose access to the internet, but gain access to our internal network.

Does anyone know what needs to be done to the PIX to allow internet traffic to traverse through our PIX so the end user doesn't really know the difference? Maybe an access-list or such?

Many thanks!

Sam
 
Hello Sam,

What version of PIX software are you running? What you're describing is a new 7.0 feature. Prior to 7.0 you either have to set up split tunneling to let your users access the Internet or let them know while accessing the VPN they'll only have access to inside resources.

If you are running 7.0, check out step 18 for more info.

I tried to get this to work on a 6.3 PIX and wasted a couple hours doing things with NAT and the VPN ACLs. I hate split tunneling for security reasons, but for now (6.3) it's the only solution that my users can live with.

Joe
 
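For readers on 7.0, the following shows the shape of the 7.0 configuration Joe refers to (hairpinning VPN client traffic back out the outside interface). It is an added example for this page, not copied from the thread or from the Cisco document Joe cites; the pool range, the 10.0.0.0/8 inside network, and the ACL and group-policy names are assumptions.

```cisco
! PIX 7.0 example (added here, not from the thread): let remote-access VPN
! clients reach the Internet through the PIX with split tunnelling disabled.
! All addresses, ACL names and the group-policy name are constructed placeholders.

! Allow a packet to enter and leave the same (outside) interface, which is
! what a VPN client's Internet-bound packet does once it has been decrypted.
same-security-traffic permit intra-interface

! Address pool handed out to VPN clients (constructed example range).
ip local pool VPNPOOL 192.168.10.1-192.168.10.254 mask 255.255.255.0

! Exempt inside <-> VPN-client traffic from NAT so internal access keeps working.
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! PAT the VPN pool to the outside interface address as it goes back out,
! so Internet-bound client traffic is translated and inspected by the PIX.
nat (outside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface

! Keep the tunnel-everything policy so no client traffic bypasses the PIX.
group-policy VPNCLIENTS attributes
 split-tunnel-policy tunnelall
```

Two points worth checking after applying something like this: `same-security-traffic permit intra-interface` also allows VPN clients to reach each other through the outside interface, so the access-list applied to that interface still needs to say what client-to-client and client-to-Internet traffic is acceptable; and `show xlate` on the PIX should show the pool addresses being translated to the outside interface address while a client is browsing, which confirms the traffic is actually hairpinning rather than being dropped.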
Hi Joe - I'm currently running PIX 6.3, and just as you mentioned I'd rather not use Split Tunneling for security reasons. How hard was it to implement the NAT and VPN ACL rules to accommodate this sort of routing? Would you mind posting those commands?

Thanks Joe,

Sam
 
Hey Sam,

It isn't possible. With 6.3 you either have to enable split tunneling or have your users deal with not being able to connect to the Internet while VPNed to the PIX.

Joe
 
As stated, with 6.3 the only solution through the PIX itself is use of split tunnelling. However, if you require this you could utilize an internal squid proxy or similar and automatically push the browser setting to enable that proxy when they login.

This would grant them the access to the internet they desire without the security concerns of split tunnelling.
 