
Internet Access through VPN

Status
Not open for further replies.

FLWPG (MIS), Mar 23, 2004, CA
Let me see if I have this straight...

The PIX will not re-route traffic out the same interface it came in on, so if I am using my PIX as the termination point of my VPN, I cannot access the Internet at the same time without split tunneling, correct?

That being said, if I set up the PIX to do VPN pass-through and have it terminate on a VPN server inside my network, these users should then be able to access the Internet, supposing I have my ACL and NAT set up correctly, because the request would be initiated on my inside interface going to my outside interface. Is this correct?
 
Yes. Alternatively, you could terminate the VPN on the PIX and have a web proxy server set up on the LAN behind the PIX, and put that in the proxy settings of your clients. They would then request a web page from the proxy server, which then makes an outbound connection through the PIX from the LAN, and achieves the same thing.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
Thanks, that's a good idea regarding the proxy. I am planning to implement a Squid proxy for my internal users and can point my VPN users to it...

Which brings a second question for my inside network: can I use the PIX to redirect port 80 to my Squid box if my Squid box is on the inside interface as well? I suppose that it can't, since that would mean re-routing traffic to the same interface it came in on.
 
You can't, but you can block all web traffic through the PIX from anything apart from the Squid box, which will achieve the same thing (assuming I'm understanding what you're trying to do, which I think is to prevent users from changing their gateway to the PIX and getting out to the web without going through the proxy server).

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
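The two pieces of advice in this thread (pass IPsec through the PIX to an internal VPN server, and force all web traffic out through the Squid box) fit into one PIX 6.x configuration. The fragment below is an added example, not configuration posted by either participant; the interface names, the 203.0.113.x/192.168.x.x addresses, the VPN server (192.168.1.10), the Squid host (192.168.1.20) and the VPN client pool (192.168.2.0/24) are all assumed. It also shows the check people forget: the client pool handed out by the internal VPN server must be routed back to that server and included in NAT, or the VPN users get no further than the PIX. (On PIX 7.0 and later and the ASA, `same-security-traffic permit intra-interface` allows the hairpin that this thread says 6.x cannot do; the design below does not rely on it.)

```cisco
! Added example PIX 6.x configuration (assumed addresses and names).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0

! PAT for the LAN and for the VPN client pool (192.168.2.0/24, assumed)
! that the internal VPN server hands out. Without the second nat line the
! VPN users' web requests reach the PIX but never get translated.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.2.0 255.255.255.0 0 0

! Return traffic for the VPN client pool goes back via the VPN server.
route inside 192.168.2.0 255.255.255.0 192.168.1.10 1

! VPN pass-through: one-to-one static NAT for the internal VPN server.
! ESP has no ports, so PAT cannot carry it; a static is required.
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255 0 0

! Let IKE (UDP 500), NAT-T (UDP 4500) and ESP in to the VPN server only.
access-list outside_in permit udp any host 203.0.113.3 eq isakmp
access-list outside_in permit udp any host 203.0.113.3 eq 4500
access-list outside_in permit esp any host 203.0.113.3
access-group outside_in in interface outside

! Outbound: only the Squid box (192.168.1.20, assumed) may talk HTTP/HTTPS
! to the Internet. Everyone else, including VPN users who point their
! gateway straight at the PIX, is denied on 80/443 but keeps other traffic.
access-list inside_out permit tcp host 192.168.1.20 any eq www
access-list inside_out permit tcp host 192.168.1.20 any eq https
access-list inside_out deny tcp any any eq www
access-list inside_out deny tcp any any eq https
access-list inside_out permit ip 192.168.1.0 255.255.255.0 any
access-list inside_out permit ip 192.168.2.0 255.255.255.0 any
access-group inside_out in interface inside
```

Note that applying an access-group on the inside interface replaces the PIX default of permitting all outbound traffic, which is why the trailing `permit ip` lines are there. After loading this, `show access-list` shows hit counts on the two `deny ... eq www/https` lines whenever a client tries to bypass the proxy, and `show xlate` should list translations for the Squid host and for addresses in the VPN pool once a remote user browses through it.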
 