
Cisco Pix IPSec VPN


I have this problem; I hope someone is able to answer me.

Here at the company we use a router and a PIX firewall; the setup is as follows:

|| INTERNET ||----|| Router ||----|| PIX ||----|| LAN ||

Everything is well. We have internet from the inside -> out. Our webserver is reachable from the outside, so is our mailserver.

Our homeworkers are also able to establish a connection to the PIX (Cisco Secure Firewall PIX 515, Software Version 6.2, PDM version 2.11) using an IPSec tunnel. They all use Cisco Secure VPN Dialer 3.x.
I currently have split tunneling activated, but for safety I want to turn this off and make all clients access the internet through the corporate network.

Is there anyone who is able to provide me with a config example of how to achieve this? I am not posting my running config because I don't see the advantage of that. I just need an example config.

Of course any help would be appreciated. :D
1 Solution
MaartenSAuthor Commented:
Thanks mate, but I already tried that one...

You can disable split tunneling just by removing the vpngroup split-tunnel line in the config.
Now the real problem is that you want the users to still be able to browse the internet while connected to the PIX, but using your corporate Internet connection, with all the controls and restrictions that apply to anyone within the LAN? Is this your only firewall?
The issue is that a PIX will not redirect a packet back out the same interface that it came in on. For example:
My VPN client wants to go to www.cisco.com. That request gets resolved to the proper external IP address, then the packet comes into the PIX from the outside, with a destination that is also outside, so it requires a redirect.

If you have another firewall for outgoing traffic, then you run into a routing issue.
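As an added illustration of the two states this thread discusses (constructed for this page, not the asker's running config and not text from the answer above), here is a PIX 6.x vpngroup block with split tunneling on, beside the command that removes it. The group name, address pool, IP addresses, domain and ACL name are assumed placeholders.

```cisco
! Constructed example, PIX 6.2 syntax; all names and addresses are assumed.
! Address pool handed to the VPN Dialer clients, and the ACL that defines
! which destinations the client sends through the tunnel.
ip local pool vpnpool 192.168.200.1-192.168.200.50
access-list split-tunnel permit ip 10.0.0.0 255.0.0.0 192.168.200.0 255.255.255.0

! Current state (split tunneling ON): only traffic matching the ACL enters
! the tunnel; the client's Internet traffic leaves its PC directly, bypassing
! the corporate controls the asker wants to enforce.
vpngroup homeworkers address-pool vpnpool
vpngroup homeworkers dns-server 10.0.0.10
vpngroup homeworkers default-domain corp.example
vpngroup homeworkers split-tunnel split-tunnel
vpngroup homeworkers idle-time 1800
vpngroup homeworkers password <preshared-key>

! Desired state (split tunneling OFF): remove the split-tunnel line, exactly
! as the answer describes. The client then sends ALL traffic into the tunnel.
no vpngroup homeworkers split-tunnel split-tunnel

! Caveat from the answer: with a single PIX 6.2 between the router and the
! LAN, a client packet bound for an Internet host arrives on the outside
! interface and would have to leave through that same interface. The PIX
! will not redirect it, so clients lose Internet access unless the VPN is
! terminated on a separate device that routes back out through the PIX.
```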


MaartenSAuthor Commented:
No, we have 1 internet connection with 1 router and 1 PIX.

As said, the clients come in on the same PIX that all the internet traffic has to go out through...

So you're telling me that it is not possible?

To my knowledge (and vast PIX experience), it is not possible on the PIX.
You could use a VPN concentrator to terminate the VPN and route the traffic back out through the PIX. Sort of like this:
            / -VPN-----|
Router--|               |---LAN---
            \ -PIX-------|
MaartenSAuthor Commented:
Thanks, I will look into it...
