VPN Client connectivity to site-to-site VPN

mmullen
Level 1

I currently have a PIX 515 firewall running 6.3(1) and set up for client VPN access using the Cisco VPN Client 3.64a. I will soon be creating a site-to-site VPN from the same PIX to a remote site. The software VPN clients will need to access the remote site. I have read numerous posts about the PIX not being able to route traffic back out the interface it came in on, does this apply in my situation?

3 Replies

gfullage
Cisco Employee

Sure does unfortunately. The PIX won't route traffic back out the same interface it came in on; this includes traffic coming in over one tunnel and going out another on the same interface.

The only way to do this is to have your VPN clients connect directly to the remote VPN, change the PIX for a router or a VPN concentrator (both of which do allow this), or set up the PIX as shown here:

http://www.cisco.com/warp/public/110/client-pixhub.html

Unfortunately we're too far into the project now to swap out the PIX for a router or concentrator. In the config example you sent, it shows the DMZ interface intf2 on Rain connected to a second Ethernet address on the router Carrion. Is this a necessity for this config to work? Would it work if I give both the outside and dmz public IP addresses, apply the site-to-site crypto map to the dmz and the crypto map for the VPN clients to the outside?

The trouble here is that the two separate interfaces on the PIX have to be in separate subnets, so how does this then map over to one interface on the router? I guess you could do this and give the PIX interfaces a more specific subnet mask than the one on the router interface to try and fool it. What's probably better, if you only have one router interface to work with, is to define the two subnets as shown in the sample config on the PIX, and then define the two corresponding IP addresses on the one router interface. For example, changing the sample config that I showed you, instead of:

interface Ethernet5/1
 ip address 193.0.0.2 255.255.255.252
!
interface Ethernet5/2
 ip address 193.0.0.6 255.255.255.252

you'd change this to:

interface Ethernet5/1
 ip address 193.0.0.2 255.255.255.252
 ip address 193.0.0.6 255.255.255.252 secondary

That should work fine, although I must admit I haven't tested it.

Just make sure in this setup you have the VPN clients connect to the outside interface, and the L2L tunnel connects to the DMZ interface, because you don't know what the IP addresses of the clients are going to be and your default route points out the outside interface. You can add a specific static route for the L2L peer that points out the DMZ interface.
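As an added example (not from the original thread or the linked Cisco document), this is how the PIX side of that arrangement could be laid out in PIX 6.3 syntax, covering only the addressing, routing and crypto-map binding the reply describes. It assumes the PIX takes the first usable address of each /30 (193.0.0.1 on outside, 193.0.0.5 on dmz), that the crypto maps are named clientmap and l2lmap, and that 203.0.113.10 is a placeholder for the real L2L peer:

```cisco
! Added example, not the poster's configuration. Assumed: the PIX holds .1 and .5 of the
! two /30s; the router (Carrion) holds .2 as primary and .6 as secondary on one Ethernet.
nameif ethernet0 outside security0
nameif ethernet2 dmz security50
interface ethernet0 auto
interface ethernet2 auto
ip address outside 193.0.0.1 255.255.255.252
ip address dmz 193.0.0.5 255.255.255.252
!
! Default route out the outside interface: the remote-access clients can come from any
! address, so their tunnel has to terminate here.
route outside 0.0.0.0 0.0.0.0 193.0.0.2 1
!
! Host route for the site-to-site peer out the dmz interface, so the L2L tunnel terminates
! on dmz. Client traffic then arrives on outside and leaves on dmz, which avoids the
! same-interface hairpin the PIX refuses. 203.0.113.10 is a placeholder for the real peer.
route dmz 203.0.113.10 255.255.255.255 193.0.0.6 1
!
! Each crypto map is bound to its own interface (map names are assumed; the rest of the
! IPSec configuration, access lists and NAT exemption are omitted here).
crypto map clientmap interface outside
crypto map l2lmap interface dmz
```

The two PIX interfaces stay in distinct /30 subnets, which is what lets the router reach both from its single interface using the primary and secondary addresses shown above.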
