Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Multiple Site to Site VPN Connections

One of our VP's decided that it was a great idea that we connect to our clients via VPN for support solutions. We have approx 140 clients that we currently use 2 as5350's to dial into their systems. We have all kicked around the idea of giving the clients a 506e and we use a 515e w/ VPN acceleratior. Now I know we can get everyone connected but there is still some liability here also some IP addressing issues. If we do this is there away that the clients can configure logon hours or connection hours for support on their box so no one can access after hours unless they permit it? Also through a point-to-point is there away that after the tunnel is connect the end user in our company has to authenticate to either our PIX or the clients PIX? These are untrusted networks. Also we use a on our lan, so if I am not mistaken if we were to create a point-to-point no one on the back end can have the same address space, or either of the client s can have the same name space cause the PIX wouldnt know which VPN to send the traffic right? or can this be done through NAT rules. Any feed back would be appriciated.

My thoughts were install a 506e at the client site for remote VPN connections, then use the VPN client to connect in. To me this not only seems more secure to open one PC on our LAN to the client then to open all PC's to the connection.

My number one concern is security and viruses. not the ease of the connection.

Any imput would be appricated. Thanks



Re: Multiple Site to Site VPN Connections

With reference to your question of configuring logon hours or connection hours, you could use 'Time-Based ACLs' though I think that you can configure them on routers only. If that is indeed true, I guess you could configure the same on the perimeter routers. I found some information on configuring the same at Authentication for users can also be done. Sample configuration is available at Regarding your third query, it is possible to have overlapping addresses on either end and to use NAT to allow normal communication to take place. Hope this helps.