PIX and VPN Client Config

gparrish
Level 1

I am new to setting up a VPN client config on the PIX using a 515e and 6.1.4 software. I am using the config at the URL below and have a question on the ACL. If the internal network is actually using 10.1.1.0, for example, in our network, should I exclude it from the ACL? We are using this address range for PAT with a couple of servers also (static/conduit). If this is the case, I think I should just use 10.1.2.0 for the VPN clients to bypass NAT, right? If this is the case, how is routing handled between the subnets if they need to access 10.1.1.0 once they connect over the VPN? I assume this is like a virtual subnet and the PIX will do all the work, but wanted to make sure.

http://www.cisco.com/warp/public//110/pix3000.html

Thanks,

Greg

2 Replies

jins
Level 1

Hi Greg,

I think what you did is correct. The NAT 0 command will just bypass the NAT/PAT. The routing between the VPN clients and the internal subnet will be taken care of by the PIX, since you just have one internal subnet and that is directly connected to the PIX. Only for the outside (to the Internet) would you need a static route on the PIX. Hope this helps you.

Thanks

Jins

gparrish
Level 1

I discovered the ACL is to be used for the NAT 0 command. The NAT 0 command is used to bypass NAT as the packets are routed from the inside subnet to the VPN subnet and thus do not need NAT. Read the ACL as from source to destination (duh), and this makes sense.

Thanks, Greg!

Greg
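A constructed PIX 6.x fragment (added here as an illustration; it is not the thread's own config or the linked Cisco document) showing the arrangement Jins confirms and Greg works out above: the inside LAN keeps its PAT, the VPN clients get a separate pool subnet, and the nat 0 ACL is written source (inside) to destination (pool) so only those flows skip translation. The names vpnpool, nonat and remotegroup, the DNS server and ISP gateway addresses, and the existing PAT line are assumptions.

```cisco
: Constructed example for PIX 6.x, not the poster's configuration
: Inside LAN is 10.1.1.0/24; VPN clients are given a separate 10.1.2.0/24 pool
ip local pool vpnpool 10.1.2.1-10.1.2.254

: Assumed existing PAT for inside hosts reaching the Internet; it stays in place
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 0 0

: Read source -> destination: inside hosts talking to VPN clients bypass NAT/PAT
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list nonat

: Decrypted IPsec traffic is admitted without a separate conduit on the outside interface
sysopt connection permit-ipsec

: The pool is directly reachable by the PIX; only the default route to the ISP is needed
: (192.0.2.1 is a placeholder gateway address)
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

: Hand out pool addresses to clients in this group (group name and DNS server assumed)
vpngroup remotegroup address-pool vpnpool
vpngroup remotegroup dns-server 10.1.1.10
vpngroup remotegroup idle-time 1800
```

The isakmp and crypto map statements from the linked document are unchanged by this arrangement and are omitted here; the static/conduit entries for the PAT-published servers likewise stay as they are.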