Cisco Support Community
New Member

VPN Client Passing Through Hub to Spoke

Hi,

I need to configure a client's PIX 515UR (6.2.2) to allow a remote VPN client (using the Cisco Client) to connect to the Hub PIX and then pass through the Site-to-Site VPN tunnel to the Spoke.

I believe that I need to terminate the VPN Client on a second interface instead of the interface that the Site-to-Site VPN uses, but they only have one Class C address and they are insisting on using the /24 mask on the outside interface.

Am I correct in thinking that I require a second interface to have a Public Address to achieve this?

Regards

Tony

2 REPLIES
Bronze

Re: VPN Client Passing Through Hub to Spoke

Hi,

You are right, the reason being that the PIX doesn't support on-stick configuration, because of the ASA (Adaptive Security Algorithm).

Thanks,

Afaq

New Member

Re: VPN Client Passing Through Hub to Spoke

The basic rule of thumb for the PIX is that packets can never enter and leave the PIX via the same interface. So under normal conditions, traffic from a VPN client can't enter via the outside interface, and then leave again to reach another VPN site terminating on the PIX's outside interface.

There's a tech note giving an interesting example of how to get around this by terminating VPN tunnels at different interfaces at http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a0080103ed0.shtml

This might get a lot simpler with Pix 6.3 by assigning the Pix outside interface different addresses and VLAN tunneling. But that's just a thought, haven't tried it yet!
