I don't think you can get traffic from VPN clients to route through the tunnel back out to the Internet. On the ASA you can use the 'same-security-traffic permit intra-interface' command. On the older devices, all you can do is make sure that the end user can't surf the Internet while connected to the VPN.
Mike
--
Michael K. Smith - CISSP, GSEC, GISP
Chief Technical Officer - Adhost Internet LLC
mksm...@adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)

> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeff Kell
> Sent: Friday, May 14, 2010 2:32 PM
> To: cisco-nsp
> Subject: [c-nsp] VPN (hopefully quick) question... split vs nosplit tunnel
>
> I have an old PIX 515E that has been serving as a VPN endpoint for more
> years than I can remember, but bottom line is I haven't touched the
> config in ages.
>
> All of the configured VPN groups are split-tunnel configurations,
> bringing only selected internal networks in from the client.
>
> I'm trying to set up a new profile without split-tunnel configured, so
> that all traffic goes through the tunnel (and thus encrypted, for those
> WiFi / cleartext wireless cases).
>
> I think everything is up and working, authentication is good, tunnel
> setup on client is good, a default gateway to the tunnel is set in the
> client, inside traffic works as expected.
>
> But no internet traffic. I would have "expected" it to come in, bounce
> back out through NAT on the way outside, and all would be well. But
> such is not the case.
>
> The VPN pool addresses appear marked on the "outside:" interface, and
> despite a default route that points to the upstream border router, I'm
> getting:
>
> 110001: No route to <the.outside.ip.address> from
> <the-tunnel-pool-address>
>
> What is the missing "glue" to let the traffic pass outside? Or am I
> missing something else entirely?
>
> Jeff
>
> vpngroup no_split_tunnel address-pool VPN_NETADMIN2
> vpngroup no_split_tunnel dns-server ns1 ns2
> vpngroup no_split_tunnel default-domain utc.edu
> vpngroup no_split_tunnel idle-time 1800
> vpngroup no_split_tunnel password ********
>
> Other VPN groups have:
>
> vpngroup split_group split-tunnel split-tunnel-routes-ACL
> _______________________________________________
> cisco-nsp mailing list
> cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
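For anyone reaching this thread with an ASA rather than a PIX 6.x, the configuration Mike is referring to looks like the following. This is an added example written for this page, not config posted by either participant; the interface names, the 10.10.10.0/24 pool, the 192.168.1.0/24 inside network, the DNS addresses and the object names are assumptions chosen for illustration, and the NAT syntax is the ASA 8.3-and-later form.

```cisco
! Added example (not from the thread): let a tunnel-all remote-access group
! reach the Internet by hairpinning decrypted client traffic back out of
! the 'outside' interface on an ASA. Addresses and names are assumptions.

! 1. Permit a flow that entered on 'outside' (the decrypted VPN traffic) to
!    leave on 'outside' again. Without this the ASA refuses the hairpin and
!    the client gets no Internet access even though inside hosts work.
same-security-traffic permit intra-interface

! 2. Address pool handed to the remote-access clients (assumed range).
ip local pool VPN_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! 3. Translate the pool to the outside interface address when the traffic
!    turns around: source interface and destination interface are both
!    'outside'.
object network VPN_POOL_NET
 subnet 10.10.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

! 4. Keep client-to-inside traffic untranslated so the existing behaviour
!    (inside works, no NAT in either direction) is preserved. Identity
!    twice-NAT rule; 'route-lookup' makes the ASA route by the real
!    destination rather than the NAT interface pair.
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup

! 5. Force everything into the tunnel for this group only; the other groups
!    keep their split-tunnel ACLs. DNS must be pushed too, otherwise name
!    lookups still leak to whatever resolver the hotspot handed out.
group-policy no_split_tunnel internal
group-policy no_split_tunnel attributes
 split-tunnel-policy tunnelall
 dns-server value 10.0.0.53 10.0.0.54
 default-domain value utc.edu
```

On ASA 8.2 and earlier the same hairpin NAT is expressed as `nat (outside) 1 10.10.10.0 255.255.255.0` plus `global (outside) 1 interface`, with the inside exemption done through `nat (inside) 0 access-list ...`. To confirm the path before handing it to users, run `packet-tracer input outside tcp 10.10.10.5 12345 198.51.100.1 80` and check that the NAT and route phases both ALLOW; if step 1 is missing the trace stops at the intra-interface check. Note that once traffic hairpins it is subject to the outside interface's access lists and any egress filtering, which is exactly what you want from a tunnel-all policy on untrusted wireless, but it also means the client's home or hotel LAN becomes unreachable for the duration of the session.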