Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN to PIX LAN Interface?

Hi All,

I want to know if anyone has been able to get a Cisco VPN Client to establish a Tunnel to a LAN interface of a PIX. Is it Possible?

I have some users who need to use the VPN (PIX to PIX) and some users do not. I want the users with the VPN client to be able to establish a tunnel to the PIX LAN interface and then traverse the tunnel on the PIX WAN interface to a remote PIX at the corporate location. The users without the VPN client will never traverse the tunnel (SPlit tunneling) and only go straight to the Internet)

Netscreen can do this, Can Cisco?

New Member

Re: VPN to PIX LAN Interface?

I think I understand what you are trying to do you only want a certain number of users in the office to use the Pix to Pix tunnel and the rest of the users to go straight to the Internet. Well you have a couple options

1 Define which users in your network via IP address you want to have access to your P to P tunnel and in your FW's and be done with it (those not defined will not use the tunnel) this way you do not need the VPN client. You can tweak your ACL's in your FW's to be very specific as to who gets tunneled and who does not. even what protocols you want tunneled.

2 forgo the pix to pix tunnel and have the users with the VPN Client to simply connect to the public interface of the remote FW more configuration and ts involved.

3 if users are using 2000 or XP there is a built in VPN service that will allow them to connect to the remote FW as well

Cisco Employee

Re: VPN to PIX LAN Interface?

See the sample config below if this is similar to what you want to achieve.

The PIX could accept ipsec traffic on one interface and forward the same traffic to another interface.

But it could not accept incoming ipsec traffic and forward it out the same interface.

New Member

Re: VPN to PIX LAN Interface?

Based on your description of a WAN to a remote PIX, the crypto map must be bound to the outside interface. However, this is a physical binding. The logical mapping can easily be to the inside interface. A VPN tunnel can act as a proxy between inside interfaces. Private addresses are not NATed (although can be) as they transverse the tunnel.

You would not use the VPN client in this situation, instead you would configure access-lists that restrict access to the tunnel.

Split tunneling is accomplished simply by defining what traffic to protect and what traffic to NAT.

I haven't worked with Netscreen, but the PIX can certainally do what you propose.