VPN user going out same interface they came in

Hi folks,

I know the limitations of the PIX, that it can't pass traffic out of the same interface that traffic originated on... but what about VPN traffic?

I have PCs on another network at a remote site. The remote site will connect to my HQ network using a VPN tunnel terminating on my PIX 515E's outside interface. I want to allow Internet access to these remote-site PCs, but because of policy they must go through our HQ network Internet connection, and this connection uses the same PIX 515E outside interface. Is it possible for these PCs to do it? It seems to break the same-interface rule, or because they are on the end of a VPN will it work?

I do know that with IOS 7 this rule can be broken so that sites on the end of two VPNs which terminate at a single PIX 515E interface can talk to each other. But I don't think that rule applies here.

thanks Dave

Reply to
Dave

It is possible. The keyword here is "split tunnel".

Regards, Christoph Gartmann

Reply to
Christoph Gartmann

But I thought split tunneling only allowed you to select which traffic will be put through the tunnel and which traffic wouldn't be. This would be OK if I didn't need to route the Internet traffic through my HQ. Split tunneling would surely only work to produce the following...

Traffic for the HQ would get routed to the HQ, traffic for the Internet would leave that site's Internet gateway; this is not the desired effect.

cheers Dave

Reply to
Dave

Maybe I didn't understand your first posting completely?

remote PC ------ VPN-Tunnel ---- Pix ---- LAN ---- HQ

or

remote PC ------ VPN-Tunnel ---- Pix HQ -----------------+

If it is the former, all traffic to HQ will be routed into the LAN, traffic to the internet will be routed back to the interface where the VPN tunnel arrives (as this is the one with the WAN connection). This you achieve via a split tunnel.

Now if you have the latter scenario, there is a command ip route .... tunneled in software version 7.0 and above. There you might specify a default route for traffic that arrives from the tunnel.

Regards, Christoph Gartmann

Reply to
Christoph Gartmann

Hi Christoph,

This is how it is set up, sorry if I never explained it correctly the first time around.

    remote PC
        |
    VPN Tunnel
        |
        |   Internet Gateway
        |  /
        | /
        |/
       PIX
        |
       HQ

rgds Dave

Reply to
Dave

Ok, I see. Now all traffic from the tunnel that is not directed to HQ should go to the "Internet Gateway" and from there to the Internet, right? What routes do you have defined so far? I assume you have a default route to the "Internet Gateway" and a route to "HQ"? Is the tunnel to "remote PC" a dedicated one or is it a synonym for "road warrior"?

Regards, Christoph Gartmann

Reply to
Christoph Gartmann

Correct. Not got as far as defining routes etc yet. I want to make sure it's going to work first before buying the PIX.

Reply to
Dave

Then things are difficult, because I am not quite sure. In my opinion things will work if the VPN tunnel is a dedicated one. If the tunnel is one that is established by various different users/PCs, then things will most likely work as well. You have a default route to the WAN and a "tunneled" default route to HQ. But don't hold me responsible if I am wrong ;-)

Regards, Christoph Gartmann

Reply to
Christoph Gartmann

Hi Christoph,

Yes, the tunnel is a dedicated one, so really the diagram looks like this:

    remote PC
        |
    Firewall/VPN Device
        |
      Router
        |
    VPN Tunnel
        |
        |   Internet Gateway
        |  /
        | /
        |/
       PIX
        |
       HQ

So all PCs at the remote site use the same tunnel.

Reply to
Dave

So VPN-tunnel and Internet Gateway arrive at the same interface of the Pix? HQ is connected via a different interface? If it is like that, this is a typical scenario for a split tunnel.

Regards, Christoph Gartmann

Reply to
Christoph Gartmann

Yes, so if I add a split tunnel which basically states that everything going to 0.0.0.0 will be tunneled, the remote PCs will be routed back through the same interface but to the Internet if I have a default route set up?

thanks Dave

Reply to
Dave

Correct.

Regards, Christoph Gartmann

Reply to
Christoph Gartmann
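The setup the thread converges on, written out as an added configuration sketch for the HQ PIX 515E on 7.0 software (this is not from the thread or from Cisco; all addresses are assumed documentation-range placeholders, and the ACL names, crypto map name and pre-shared key are hypothetical). It shows the three pieces the discussion touches: the 7.0 setting that lifts the same-interface rule for decrypted VPN traffic, a crypto ACL mirroring a remote site that tunnels 0.0.0.0/0, and the NAT plus default route that send remote hosts out via the HQ Internet Gateway.

```cisco
! Added example, not the poster's configuration. Assumed addressing:
!   outside interface 203.0.113.2/24, Internet Gateway 203.0.113.1
!   remote office peer 198.51.100.10, remote LAN 192.168.10.0/24
!   HQ LAN 10.1.0.0/16 behind the inside interface

! 7.0 feature the first post alludes to: decrypted VPN traffic may leave
! the same (outside) interface it arrived on. Without it the PIX drops
! the remote-site Internet traffic, exactly the "same interface" rule.
same-security-traffic permit intra-interface

! Crypto ACL on the HQ side. "any" as the local side mirrors a remote
! site whose split-tunnel list says everything (0.0.0.0/0) is tunneled.
access-list L2L_REMOTE extended permit ip any 192.168.10.0 255.255.255.0

! Remote LAN to HQ LAN stays untranslated inside the tunnel.
access-list NONAT_OUT extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (outside) 0 access-list NONAT_OUT

! Remote hosts bound for the Internet are PAT'ed to the outside address,
! so the remote site appears from the HQ connection as policy requires.
! Returning packets un-PAT to 192.168.10.x, match L2L_REMOTE and are
! encrypted back into the tunnel.
nat (outside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface

! One default route to the Internet Gateway serves HQ and tunnel traffic
! alike. The "tunneled" variant mentioned earlier is only needed when
! traffic arriving from tunnels must use a different next hop.
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! Dedicated site-to-site tunnel (IKE phase 1 and IPsec phase 2).
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_REMOTE
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set AES_SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key <placeholder-key>
```

The remote device's crypto ACL must be the mirror image (its LAN to any), and `show crypto ipsec sa` plus `show xlate` on the PIX confirm that remote-host Internet flows are decrypted, translated and re-sent on the outside interface.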

Thanks very much for your help Christoph, I'll try this setup when the PIX arrives on Tuesday.

Dave

Reply to
Dave
