I want to know if anyone has been able to get a Cisco VPN Client to establish a tunnel to a LAN interface of a PIX. Is it possible?
I have some users who need to use the VPN (PIX to PIX) and some users who do not. I want the users with the VPN client to be able to establish a tunnel to the PIX LAN interface and then traverse the tunnel on the PIX WAN interface to a remote PIX at the corporate location. The users without the VPN client will never traverse the tunnel (split tunneling) and will only go straight to the Internet.
I think I understand what you are trying to do: you only want a certain number of users in the office to use the PIX-to-PIX tunnel and the rest of the users to go straight to the Internet. Well, you have a couple of options:
1. Define, by IP address, which users in your network you want to have access to your PIX-to-PIX tunnel in your firewalls and be done with it (those not defined will not use the tunnel). This way you do not need the VPN client. You can tweak the ACLs in your firewalls to be very specific as to who gets tunneled and who does not, even which protocols you want tunneled.
2. Forgo the PIX-to-PIX tunnel and have the users with the VPN Client simply connect to the public interface of the remote firewall; more configuration and troubleshooting is involved.
3. If users are using Windows 2000 or XP, there is a built-in VPN service that will allow them to connect to the remote firewall as well.
Based on your description of a WAN to a remote PIX, the crypto map must be bound to the outside interface. However, this is a physical binding. The logical mapping can easily be to the inside interface. A VPN tunnel can act as a proxy between inside interfaces. Private addresses are not NATed (although they can be) as they traverse the tunnel.
You would not use the VPN client in this situation; instead, you would configure access-lists that restrict access to the tunnel.
Split tunneling is accomplished simply by defining what traffic to protect and what traffic to NAT.
I haven't worked with Netscreen, but the PIX can certainly do what you propose.
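An added example, not configuration posted by either reply: a PIX 6.x configuration that implements the approach both replies describe. The crypto access-list selects only the entitled hosts by IP address (option 1 above), and the same access-list is reused for NAT exemption so protected traffic crosses the tunnel un-NATed while everyone else is PATed straight to the Internet. All addresses, names and the pre-shared key placeholder are constructed assumptions.

```cisco
! Constructed topology: local LAN 192.168.1.0/24, tunnel-entitled users 192.168.1.32/27,
! corporate LAN 10.10.0.0/16 behind the remote PIX whose public address is 203.0.113.10.

! Traffic to protect: only the entitled hosts talking to corporate networks.
! Hosts outside 192.168.1.32/27 never match, so they never enter the tunnel.
access-list tunnel_traffic permit ip 192.168.1.32 255.255.255.224 10.10.0.0 255.255.0.0

! NAT exemption (nat 0) with the same list: private addresses traverse the tunnel untranslated.
nat (inside) 0 access-list tunnel_traffic

! Everything else, including entitled users browsing the Internet, is PATed to the outside address.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! IKE phase 1 with the remote PIX (pre-shared key is a placeholder).
isakmp enable outside
isakmp key <PRE-SHARED-KEY> address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IPsec phase 2: the crypto map is physically bound to outside, while the logical
! selection of inside hosts happens in the match address list.
crypto ipsec transform-set corp_set esp-aes-256 esp-sha-hmac
crypto map corp_map 10 ipsec-isakmp
crypto map corp_map 10 match address tunnel_traffic
crypto map corp_map 10 set peer 203.0.113.10
crypto map corp_map 10 set transform-set corp_set
crypto map corp_map interface outside

! Allow decrypted tunnel traffic to bypass the interface access-lists.
sysopt connection permit-ipsec
```

The remote PIX needs the mirror image: its crypto and nat 0 access-lists permit 10.10.0.0/16 to 192.168.1.32/27, and its peer is this PIX's outside address. Verify with `show crypto ipsec sa` that packet counters increment only for flows from the entitled subnet.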