Build the tunnel first. Use HQ or RO dns. Make sure users cannot HTTP direct through firewall, enable direct HTTPS through it if you want. Maybe also no ftp etc, no direct dns?

I believe you need an inside next hop proxy-server. Until 6.2 at least pix does not route ip between 2 ipsec tunnels. User's Get request forwarded to daemon through tunnel, fetched from cache or Inet, reply to browser through tunnel. Proxy will also do a nice job filtering mobile code and keeping surfing behaviour in line with policies. I'd say you should already have it.

Martijn

-----Original message-----
From: johnman johnman [mailto:[EMAIL PROTECTED]
Sent: Tuesday 5 August 2003 23:06
To: [EMAIL PROTECTED]
Subject: Access Internet via the corporate PIX [7:73563]

I am building a vpn tunnel PIX-to-PIX both connected to the internet. I would like the users at the remote site to access the internet only via the corporate PIX.

Remote PIX 501: Inside net 192.168.2.0/24 outside x.x.x.x
Corporate PIX 515: Inside net 192.168.1.0/24 outside IP y.y.y.y

How would I build the access-list to force the remote users behind the PIX 501 to access the internet via the PIX 515 at the corporate site ?

**Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73601&t=73563
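As an added illustration of the hub-and-spoke setup Martijn describes (this is example configuration written for this page, not from either poster), the following PIX 6.x-style configuration for the remote PIX 501 sends only traffic for the corporate inside network through the tunnel and blocks direct outbound HTTP from the remote LAN, so browsers have to go through a proxy at HQ. The ACL, crypto map and transform-set names, the proxy address 192.168.1.10 with port 8080, the pre-shared key placeholder and the IKE policy values are all assumptions; x.x.x.x and y.y.y.y are the addresses from the original post.

```cisco
! Remote PIX 501 (inside 192.168.2.0/24, outside x.x.x.x) - added example, not from the thread.
! Assumed names: vpn-to-hq, inside_out, vpnmap, strong. Assumed HQ proxy: 192.168.1.10:8080.

! Interesting traffic for the tunnel: remote LAN to the corporate inside LAN only.
! With a proxy at HQ this is all that needs to cross the tunnel; the proxy fetches from the Internet,
! so the PIX never has to route between the tunnel and its own outside interface.
access-list vpn-to-hq permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

! Do not NAT traffic that goes through the tunnel
nat (inside) 0 access-list vpn-to-hq

! Outbound policy on the inside interface (order matters, implicit deny at the end):
! allow the HQ proxy port, DNS to HQ servers, optionally direct HTTPS, and deny direct HTTP.
access-list inside_out permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 8080
access-list inside_out permit udp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq domain
access-list inside_out permit tcp 192.168.2.0 255.255.255.0 any eq https
access-list inside_out deny tcp 192.168.2.0 255.255.255.0 any eq www
access-group inside_out in interface inside

! IKE phase 1 to the corporate PIX; replace <PRE-SHARED-KEY> with the real key
isakmp enable outside
isakmp key <PRE-SHARED-KEY> address y.y.y.y netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IPsec phase 2: bind the interesting-traffic ACL to the peer y.y.y.y
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-to-hq
crypto map vpnmap 10 set peer y.y.y.y
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

! Let decrypted tunnel traffic bypass the outside interface ACL check
sysopt connection permit-ipsec
```

The corporate PIX 515 needs the mirror image: a crypto ACL permitting 192.168.1.0/24 to 192.168.2.0/24, `nat (inside) 0` for it, and a crypto map peering with x.x.x.x. Browsers at the remote site are then pointed at the HQ proxy, and the `deny ... eq www` line is what makes bypassing it fail; `show access-list inside_out` on the 501 shows the hit counts on that deny entry, which is a quick way to spot clients that are not using the proxy.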