Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
430
Views
0
Helpful
3
Replies

VPN to PIX LAN Interface?

jerry.roy
Level 1
Level 1

‎03-29-2002 01:18 PM - edited ‎02-21-2020 11:39 AM

Hi All,

I want to know if anyone has been able to get a Cisco VPN Client to establish a Tunnel to a LAN interface of a PIX. Is it Possible?

I have some users who need to use the VPN (PIX to PIX) and some users do not. I want the users with the VPN client to be able to establish a tunnel to the PIX LAN interface and then traverse the tunnel on the PIX WAN interface to a remote PIX at the corporate location. The users without the VPN client will never traverse the tunnel (SPlit tunneling) and only go straight to the Internet)

Netscreen can do this, Can Cisco?

Labels:
0 Helpful
3 Replies 3

ROBERT WATSON
Level 1
Level 1

‎03-29-2002 01:30 PM

I think I understand what you are trying to do you only want a certain number of users in the office to use the Pix to Pix tunnel and the rest of the users to go straight to the Internet. Well you have a couple options

1 Define which users in your network via IP address you want to have access to your P to P tunnel and in your FW's and be done with it (those not defined will not use the tunnel) this way you do not need the VPN client. You can tweak your ACL's in your FW's to be very specific as to who gets tunneled and who does not. even what protocols you want tunneled.

2 forgo the pix to pix tunnel and have the users with the VPN Client to simply connect to the public interface of the remote FW more configuration and ts involved.

3 if users are using 2000 or XP there is a built in VPN service that will allow them to connect to the remote FW as well

0 Helpful

cjacinto
Cisco Employee
Cisco Employee

‎03-31-2002 02:29 PM

See the sample config below if this is similar to what you want to achieve.

http://www.cisco.com/warp/customer/110/client-pixhub.html

The PIX could accept ipsec traffic on one interface and forward the same traffic to another interface.

But it could not accept incoming ipsec traffic and forward it out the same interface.

0 Helpful

brad
Level 1
Level 1

‎04-01-2002 07:34 AM

Based on your description of a WAN to a remote PIX, the crypto map must be bound to the outside interface. However, this is a physical binding. The logical mapping can easily be to the inside interface. A VPN tunnel can act as a proxy between inside interfaces. Private addresses are not NATed (although can be) as they transverse the tunnel.

You would not use the VPN client in this situation, instead you would configure access-lists that restrict access to the tunnel.

Split tunneling is accomplished simply by defining what traffic to protect and what traffic to NAT.

I haven't worked with Netscreen, but the PIX can certainally do what you propose.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents