Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Sample configuration for a PIX-to-PIX split-tunnel VPN

I currently have two private networks connected together via a VPN tunnel with PIX 501s at both ends.

The remote site (I am at the central office) has a cable connection of their own, but at present they are routing all their data (including web traffic) over the VPN to my location, which then goes out to the internet via our T1.

Because I've already got a 'regular' VPN setup, I was wondering if someone here could please help me with a sample configuration to turn the existing VPN into a 'split-tunnel', whereby any of their traffic NOT destined for 172.16.0.0 goes out through their 66.33.x.x (cable modem) address?

Thanks :-)

Chris

1 REPLY
Community Member

Re: Sample configuration for a PIX-to-PIX split-tunnel VPN

Hi Chris

You can solve this by ajusting the NAT confiuration and the crypto ACL you are using.

Use NAT 0 with a ACL to not do natting between your sites.

Use NAT 1 and Global 1 to NAT your Remote office traffic to go straight to the internet.

The crypto ACL sould in your case only permit IP Addresses on your Central office and the Remote office (as source and destination), and not "any" IP.

As a hint I would use different ACL -names or numbers for the NAT-ACL and Crypto-ACL, even though these two ACL's in your case probably would be equal. PDM has problems with "Double-usage" of ACL's....

Here is an example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Greetings

Jarle

117
Views
0
Helpful
1
Replies
CreatePlease to create content