Home 2 LAN IPSec VPN Tunnel with a Pix

Mar 16th, 2007
My home network is the internal network for work is. Is there a setting in the Pix that will either change the home's IP address to something else after creating the VPN tunnel, so that I can actually talk to IPs on the work network, or do I have to just change my IP scheme over for home? I would hope there would be a command to avoid having to do in the Pix.

Jon Marshall Sat, 03/17/2007 - 12:36

Yes you can hide all your 192.168.1.x IP addresses at home behind your public IP address of the outside interface on your pix.

So you would need to NAT all your private 192.168.1.x addresses

nat (inside) 1

global (outside) 1 interface

Then in your crypto map access-list that defines interesting traffic for the VPN tunnel:

access-list vpn_traffic permit ip host "public IP of your pix"

Your home pix will NAT your 192.168.1.x addresses to the public ip of your pix then encrypt them and send them to your work site.

** Note that this solution assumes that all connections will be initiated from your home network to work. If you need to be able to initiate connections from work to home it can still be done but it is a more complicated configuration **

Let me know if you need more info.



ixholla69 Sat, 03/17/2007 - 17:20
I was looking at the command "IP Pool". Is it possible, when the user initiates a VPN connection to the Pix, to make the Pix send a "pooled IP" address of something else maybe?

Say for instance the Home user has a address would it be possible to have the Pix send them a totally different address to use? Maybe something in the Range? That'd probably be a little better for my case if that's possible.

Kamal Malhotra Sat, 03/17/2007 - 20:41

We have 3 main options.

1. We nat on the PIX (home device) and on the work device.

We nat it in such a way that when the traffic is going from home to work it appears as and when the traffic is going from work to home it appears as. So the home actually accesses the network and the work accesses the network. On the home PIX the commands should look like:

access-list policy permit ip

static (inside,outside) access-list policy

access-list vpn permit ip

The second acl is the crypto ACL that is bound with the crypto map. You will get bidirectional traffic.

2. Implement the previous suggestion. The traffic will be uni-directional i.e. only the home will be able to access the work and NOT vice-versa.

3. Change the IP addressing of the home network.


Please rate if it helps,



ixholla69 Sat, 03/17/2007 - 23:33
No, no, I think I didn't make myself clear: there's no "Home Pix", it's just home initiating a VPN connection to the Pix at work.



Is there a way to make it so that the WorkPix makes the Home 192.168.1.1 connection another IP address, say. That way I could communicate with the network on the other side of the WorkPix with no problems.

Sorry for the confusion

kaachary Sun, 03/18/2007 - 07:36
I guess it would be best to change your home network to something other than (it's highly recommended).

As with or without split tunneling, the directly connected network route will always take precedence, so you would not be able to communicate with your office network.

Change your local subnet, and the communication would be fine.

Please rate if it helped.
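As an added illustration (not posted by anyone in this thread), the Python below models the two points made above: kaachary's note that the directly connected route always wins over the tunnel route when the home and work subnets overlap, and Kamal's option 1, where a static policy NAT on the home PIX presents each site to the other under a non-overlapping range. Only 192.168.1.0/24 comes from the thread; the work LAN and the 10.1.1.0/24 and 10.2.2.0/24 translated ranges are constructed for the example.

```python
# Added example, not from the thread. Models overlapping-subnet route
# selection and static policy NAT. Only 192.168.1.0/24 comes from the
# thread; the work LAN and the 10.x.x.x translated ranges are constructed.
from ipaddress import ip_address, ip_network

HOME_LAN = ip_network("192.168.1.0/24")           # from the thread
WORK_LAN = ip_network("192.168.1.0/24")           # constructed: same range as home
HOME_AS_SEEN_BY_WORK = ip_network("10.1.1.0/24")  # constructed translated range
WORK_AS_SEEN_BY_HOME = ip_network("10.2.2.0/24")  # constructed translated range


def route_lookup(dst, routes):
    """Longest prefix wins; on a tie the lower administrative distance wins,
    so a directly connected route (distance 0) beats the tunnel route."""
    dst = ip_address(dst)
    matches = [r for r in routes if dst in r["net"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["net"].prefixlen, r["distance"]))


def policy_nat(src, dst, inside, mapped, policy_dst):
    """Static policy NAT: rewrite src from `inside` to the same host offset in
    `mapped`, but only when dst matches the policy ACL's destination."""
    src, dst = ip_address(src), ip_address(dst)
    if src in inside and dst in policy_dst:
        offset = int(src) - int(inside.network_address)
        return ip_address(int(mapped.network_address) + offset)
    return src


def demo():
    """Return (route used before the fix, route used after, NATed source)."""
    conflicting = [{"net": HOME_LAN, "distance": 0, "via": "connected"},
                   {"net": WORK_LAN, "distance": 1, "via": "tunnel"}]
    # Work host 192.168.1.50 looks local, so the packet never enters the tunnel.
    before = route_lookup("192.168.1.50", conflicting)["via"]
    fixed = [{"net": HOME_LAN, "distance": 0, "via": "connected"},
             {"net": WORK_AS_SEEN_BY_HOME, "distance": 1, "via": "tunnel"}]
    # The same work host addressed via its translated range takes the tunnel.
    after = route_lookup("10.2.2.50", fixed)["via"]
    # The home PIX rewrites the source so work sees a non-overlapping address.
    nat_src = policy_nat("192.168.1.10", "10.2.2.50", HOME_LAN,
                         HOME_AS_SEEN_BY_WORK, WORK_AS_SEEN_BY_HOME)
    return before, after, str(nat_src)


if __name__ == "__main__":
    print(demo())  # ('connected', 'tunnel', '10.1.1.10')
```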


