03-29-2002 01:18 PM - edited 02-21-2020 11:39 AM
Hi All,
I want to know if anyone has been able to get a Cisco VPN Client to establish a tunnel to a LAN interface of a PIX. Is it possible?
I have some users who need to use the VPN (PIX to PIX) and some users do not. I want the users with the VPN client to be able to establish a tunnel to the PIX LAN interface and then traverse the tunnel on the PIX WAN interface to a remote PIX at the corporate location. The users without the VPN client will never traverse the tunnel (split tunneling) and only go straight to the Internet.
Netscreen can do this; can Cisco?
03-29-2002 01:30 PM
I think I understand what you are trying to do: you only want a certain number of users in the office to use the PIX to PIX tunnel and the rest of the users to go straight to the Internet. Well, you have a couple of options:
1. Define which users in your network (via IP address) you want to have access to your P-to-P tunnel in your FWs and be done with it (those not defined will not use the tunnel); this way you do not need the VPN client. You can tweak your ACLs in your FWs to be very specific as to who gets tunneled and who does not, even what protocols you want tunneled.
2. Forgo the PIX to PIX tunnel and have the users with the VPN client simply connect to the public interface of the remote FW; more configuration and ts involved.
3. If users are using 2000 or XP there is a built-in VPN service that will allow them to connect to the remote FW as well.
03-31-2002 02:29 PM
See the sample config below if this is similar to what you want to achieve.
http://www.cisco.com/warp/customer/110/client-pixhub.html
The PIX could accept IPsec traffic on one interface and forward the same traffic to another interface.
But it could not accept incoming IPsec traffic and forward it out the same interface.
04-01-2002 07:34 AM
Based on your description of a WAN to a remote PIX, the crypto map must be bound to the outside interface. However, this is a physical binding. The logical mapping can easily be to the inside interface. A VPN tunnel can act as a proxy between inside interfaces. Private addresses are not NATed (although they can be) as they traverse the tunnel.
You would not use the VPN client in this situation, instead you would configure access-lists that restrict access to the tunnel.
Split tunneling is accomplished simply by defining what traffic to protect and what traffic to NAT.
I haven't worked with Netscreen, but the PIX can certainly do what you propose.
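The approach the replies describe (restrict the tunnel by source IP in the crypto ACL, exempt that same traffic from NAT, PAT everything else to the Internet) as an added configuration example; it is not from the thread or from the linked Cisco document. It assumes PIX 6.3 command syntax, constructed addresses (10.1.0.0/24 local, 10.2.0.0/24 corporate), and placeholders for the peer address and pre-shared key.

```cisco
! Added example (not the thread's own config). PIX 6.3 syntax assumed.
! Local LAN 10.1.0.0/24 sits behind "inside"; corporate LAN 10.2.0.0/24 sits
! behind the remote PIX. Only hosts 10.1.0.10 and 10.1.0.11 may use the
! PIX-to-PIX tunnel; every other inside host goes straight to the Internet.

! "What traffic to protect": the crypto ACL names only the two permitted hosts.
access-list TUNNEL permit ip host 10.1.0.10 10.2.0.0 255.255.255.0
access-list TUNNEL permit ip host 10.1.0.11 10.2.0.0 255.255.255.0

! "What traffic to NAT": exempt the same flows so private addresses cross the
! tunnel unchanged (nat 0 with an ACL takes precedence over the nat 1 rule).
nat (inside) 0 access-list TUNNEL

! Everyone else is PATed to the outside interface address (split tunneling):
! hosts not listed in TUNNEL can never enter the tunnel.
nat (inside) 1 10.1.0.0 255.255.255.0 0 0
global (outside) 1 interface

! Phase 1 (ISAKMP). <REMOTE_PIX_PUBLIC_IP> and <PRESHARED-KEY> are placeholders.
isakmp enable outside
isakmp identity address
isakmp key <PRESHARED-KEY> address <REMOTE_PIX_PUBLIC_IP> netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 (IPsec). The crypto map is physically bound to "outside", as the
! reply above notes, while the protected addresses are on the inside LAN.
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac
crypto map SITE2SITE 10 ipsec-isakmp
crypto map SITE2SITE 10 match address TUNNEL
crypto map SITE2SITE 10 set peer <REMOTE_PIX_PUBLIC_IP>
crypto map SITE2SITE 10 set transform-set STRONG
crypto map SITE2SITE interface outside

! Let decapsulated IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
```

The remote PIX needs the mirror image (a crypto ACL from 10.2.0.0/24 to the two hosts and a matching nat 0); to check that only the listed hosts are tunneled, `show crypto ipsec sa` should show just those local identities while `show xlate` shows the other hosts translated to the outside address.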