Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN client configuration

I am trying to configure two firewalls for a site-to-site vpn. I also want both of the firewalls (Cisco 515E) to support remote vpn clients (3.6). The goal is to provide backup access to servers at the central site through the point-to-point T1 between the sites if I lose my Internet connection at the central site. The site-to-site vpn will be used in the event the point-to-point circuit fails.

I can get the remote vpn connected to the central site and run my apps (terminal services), ping clients on either side of the point-to-point T1 via their private address, and telnet to the firewall external interface. And I can get the remote vpn connected to the other site and telnet to the firewall's external interface, but cannot run my applications or ping anything on either network. I have stared at the configurations for each location for several hours and can't see any issues with either the acls or the vpngroup configurations. The acls and vpngroup configs are virtually the same.

1. Can what I'm doing be done (a site-to-site and remote vpn to each)?

2. How do you configure the firewall feature on the Cisco VPN Client 3.6?

3. Is split tunneling unadvisable for remote vpn clients?

Thanks in advance,


Cisco Employee

Re: VPN client configuration

You can certainly do a site-to-site and remote VPN on each PIX, that shouldn't be a problem.

It's a bit unclear as to how you're trying to connect to the central site apps when your VPN'd into the remote site. If you're trying to VPN in to the remote PIX, then go over the site-to-site tunnel to the central site, then this is not going to work. The PIX won't route a packet back out the same interface it came in on.

If however, you're trying to VPN into the remote PIX, then go through the internal network behind this PIX to route through to your central site, then this should be OK and you probably have a routing problem.

Make sure your IP address pools on each PIX are different, so if someone comes inot the remote PIX they get a different address allocated to them. Then you need to set up the routing on your internal network so that packets for this pool of addresses are routed back to the remote PIX. Only then will you be able to ping internal hosts.

New Member

Re: VPN client configuration

Thank you. I am doing VPN into the remote PIX and then trying to connect to the central site through the internal, site-to-site network behind the PIX. I have been looking at the site-to-site router configs trying to identify the routing problem. I am sure I will eventually find it. The IP address pools are different for each site's remote VPN clients.

Do you happen to know the status of PIX OS 6.3? I need Transparent Tunneling support for other remote offices that are behind Firewalls and need remote VPN connectivity. I tried it today and could not get more than one client connected at a time.



Cisco Employee

Re: VPN client configuration

Sorry, forgot to answer your other questions.

2. This is supported only with connections to the VPN3000 concentrator, at least the ability to push down firewall configurations to the client. The VPn client does have an inbuilt firewall that will stop all incoming connections, you can have this "Always Active" if you like, so that even if the VPN client is not in use the firewall functionality of it is active.

3. Split tunnelling will allow acces to your PC while the VPN tunnel is up, so the theory is that if someone can gain access to that PC and take it over, then they have open access into your network. I can't tell you whether it's advisable or not, you have to come up with your own security policy that weighs up the pros and cons of allowing it. Some companies don't worry about it, others do worry about it, but in the end it's up to you.

CreatePlease to create content