Solved: Re: network-extension vs client mode

george · ‎09-21-2006

i am looking to set up a VPN connection between ASA5510 (VPN server) and Cisco831 (hardware client). i am not sure what are the differences between network-extension mode and client mode. can anyone shine some light on this topic? in particular, with network-extension mode, does all the traffic go through the tunnel - including DHCP requests?

Aaron Harrison · ‎09-21-2006

Hi

In either mode you can control what goes through tunnel via ACLs.

The difference between client and net-extension mode is that in client mode:

The router starts the VPN connection, and is allocated a single IP from the ASA/PIX/VPN Concentrator you are connecting to. All traffic from clients is then PATted to this address. This means that connections can only be initiated from clients on the branch to the HO for example...

In network-extension mode:

The router starts the VPN connection, but instead of PATting all traffic to a single pool IP, traffic is sent accross without NAT. This means that the tunnel is more of a LAN-to-LAN connection, where devices at the head office can initiate connections to devices over the VPN (e.g. print servers can print to printers etc)

Regards

Aaron

Please rate helpful posts...

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

View solution in original post

Aaron Harrison · ‎09-21-2006

Hi

In either mode you can control what goes through tunnel via ACLs.

The difference between client and net-extension mode is that in client mode:

The router starts the VPN connection, and is allocated a single IP from the ASA/PIX/VPN Concentrator you are connecting to. All traffic from clients is then PATted to this address. This means that connections can only be initiated from clients on the branch to the HO for example...

In network-extension mode:

The router starts the VPN connection, but instead of PATting all traffic to a single pool IP, traffic is sent accross without NAT. This means that the tunnel is more of a LAN-to-LAN connection, where devices at the head office can initiate connections to devices over the VPN (e.g. print servers can print to printers etc)

Regards

Aaron

Please rate helpful posts...

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

ajagadee · ‎09-22-2006

George,

Eventhough your question is for a C831, please refer the below information on NEM and Client Mode for VPN3002. The concept is the same.

What is the difference between the network extension mode and the client mode for the VPN 3002 Hardware Client?

A. Network extension mode allows the VPN 3002 Hardware Client to present a full, routable network to the tunneled network. IPSec encapsulates all traffic from the VPN 3002 Hardware Client private network to networks behind the central-site VPN 3000 Concentrator. Either side can initiate data exchange. Devices on either side know each other by their actual addresses.

Client mode, also called Port Address Translation (PAT) mode, isolates all devices on the VPN 3002 Hardware Client's private network from those on the corporate network. When the devices behind the VPN 3002 Hardware Client initiate connections to the network behind the central site VPN 3000 Concentrator, the VPN Concentrator assigns IP addresses as the connections come up.

REFERENCE:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_q_and_a_item09186a00801c2dc1.shtml#q4

Let me know if it helps.

Regards,

Arul

puagarwa · ‎09-24-2006

you can configure split tunnelin policy on ASA/3000 for the particular group on the router is connecting....in that case only traffic for the specific subnets which you have pushed in the split tunneling list will be included.