With a Pix515 and software 7.2(2) I would like to achieve the following:
There are two different user groups. Each group connects to the Pix via Cisco's VPN-Client. Thus, there are two different tunnel groups. Each tunnel group has its own address pool, one is derived from 192.168.10.x and the other one from 192.168.20.x. In addition there are two virtual interfaces belonging to two different VLANs (192.168.10.253 and 192.168.20.253 respectively). So the users of each group end up in their own VLAN. So far things work as expected.
Each VLAN has its own router/default-gateway. And now here is the problem: The Pix has a default route of "route outside 0.0.0.0 0.0.0.0 126.96.36.199 1" (Note that 188.8.131.52 is a fictitious address.) This statement is necessary in order to have the VPN-traffic routed back to the clients. But the decrypted traffic should be routed depending on the tunnel-group from which it originates, e.g. all traffic from the first tunnel group to the default gateway of the corresponding VLAN (through the appropriate virtual Pix interface) and all traffic from the second tunnel group to the default gateway of the second VLAN (again through the other virtual Pix interface). Is this possible?
When I add a statement like the following, "route vlan1-interface 0.0.0.0 0.0.0.0 192.168.10.254 tunneled", things for the first tunnel group work as expected. But of course packets from the second tunnel group never reach their destination, as 192.168.10.254 is on the wrong VLAN :-(
Regards, Christoph Gartmann