I have a number of remote users VPNing into our internal network through a Cisco PIX endpoint. Currently, their web traffic is directed through their remote user VPN tunnel to a proxy server. For example, their browser points to the proxy server, and the proxy communicates out.
I would like to change this configuration so that web traffic goes out another firewall that does not function as a proxy. This firewall will be used for logging and filtering, so I do not want to use split tunneling to allow remote users to directly access the internet, and I would prefer that web traffic not go right back out the PIX.
I'm running into a routing problem on the PIX. The PIX's default route is on its outside interface, so that it can communicate with any remote user. It has static routes defined on its inside interface to access internal network resources, including the proxy server mentioned above. However, when web traffic (with random IPs) is sent from a remote user down their VPN tunnel, there is no internal route on the PIX directing this traffic to the new firewall.
If I could define a different default gateway for remote user VPN tunnels, that might do the trick. Forgive me if I'm missing something obvious...
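As an added illustration of the routing problem described in the question (this is example code, not anything from the original post or a PIX configuration): a small destination-based longest-prefix-match lookup over a route table modelled on the one described, a default route on "outside" and static routes on "inside". The prefixes, next hops, interface names and sample destinations are all assumptions. It shows why decrypted tunnel traffic to arbitrary internet addresses lands on the outside default route: the lookup never consults the source address, so the fact that a packet came from a VPN client has no bearing on where the route table sends it.

```python
import ipaddress

# Constructed route table, modelled on the PIX described in the post.
# Every prefix, next hop and interface name here is an assumption.
ROUTES = [
    # (interface, prefix, next hop)
    ("outside", "0.0.0.0/0",    "203.0.113.1"),   # default route toward the remote users
    ("inside",  "10.10.0.0/16", "192.168.1.1"),   # internal LAN
    ("inside",  "10.20.0.0/16", "192.168.1.1"),   # segment holding the proxy server (assumed)
]
ROUTE_TABLE = [
    (iface, ipaddress.ip_network(prefix), ipaddress.ip_address(nh))
    for iface, prefix, nh in ROUTES
]


def lookup(dst, table=ROUTE_TABLE):
    """Return (interface, next_hop) for dst using longest-prefix match.

    Only the destination is consulted. The source (here a VPN client in the
    remote-access pool) plays no part, so a plain route table cannot send
    tunnel traffic anywhere other than where the destination prefix says.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, net, nh in table:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, nh)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[0], str(best[2])


def hairpins(dst, table=ROUTE_TABLE, vpn_iface="outside"):
    """True when decrypted tunnel traffic to dst would be routed straight
    back out the interface the tunnel arrived on."""
    return lookup(dst, table)[0] == vpn_iface


def audit(destinations, table=ROUTE_TABLE):
    """Map each destination to its egress interface: a quick check of what a
    remote user's mixed traffic would actually do on this route table."""
    return {d: lookup(d, table)[0] for d in destinations}


if __name__ == "__main__":
    # Constructed sample of what one remote user might send down the tunnel:
    # the proxy, another internal host, and two arbitrary internet addresses.
    sample = ["10.20.0.5", "10.10.4.7", "93.184.216.34", "198.51.100.9"]
    for dst, iface in audit(sample).items():
        note = "  <- back out the VPN interface" if hairpins(dst) else ""
        print(f"{dst:>15} -> {iface}{note}")
```

Only destinations covered by an inside static route reach the internal network; everything else matches 0.0.0.0/0 and leaves via outside, which is exactly the "no internal route directing this traffic to the new firewall" symptom. Adding a more specific inside route for a given prefix fixes that prefix alone, and for the random destinations of general web browsing no finite set of static prefixes will do.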