Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco VPN clients being able to access already setup tunnels

Hi everybody,

I have a central site with one 506E Pix and 5 remote sites connected using 501E Pix (IpSec Tunnels). Now I have to permit VPN clients to connect to the central site (no problem for this) but also they have to be able to access the remote sites, at least one of them.

For what I know, this can't be done using a 506E Pix but my question is... If got a 515E Pix with three interfaces could this be solved?

I would appreciate you answered me or suggested any other solution for the problem.

Thank you all in advanced!


Re: Cisco VPN clients being able to access already setup tunnels

There is a cisco example config for a workaround, but it seems very hackish - basically, you would have a second interface effectively act as a secondary outside interface for certain tunnels to connect to.

New Member

Re: Cisco VPN clients being able to access already setup tunnels

Just double check if this applies to your PIX, I think it does as it is part of the software:

Use the vpngroup split-tunnel command to enable split tunneling on the PIX Firewall. Split tunneling allows a remote VPN client simultaneous encrypted access to the corporate network and clear access to the Internet. Using the vpngroup split-tunnel command, specify the access-list name to which to associate the split tunnelling of traffic. With split tunnelling enabled, the PIX Firewall downloads its local network IP address and netmask specified within the associated access-list to the VPN Client as part of the policy push to the client. In turn, the VPN Client sends the traffic destined to the specified local PIX Firewall network via an IPSec tunnel and all other traffic in the clear. The PIX Firewall receives the IPSec-protected packet on its outside interface, decrypts it, and then sends it to its specified local network.

Also search for "split tunnel" on PIX.

Good luck.


Re: Cisco VPN clients being able to access already setup tunnels

there are 2 workarounds:

1. setup a server at central site that can be used to access remote sites; mobile user vpn into the central site and rdp into the server, then the user may access whatever needed on the remote sites via the server

2. setup the 501 pix for mobile user as well. the negative is that user can't access both central and remote sites at the same time; as user can't have 2 vpn tunnels at any given time.

in case you don't like the workarounds, 515e with three interfaces will work. one thing has to be noticed is that the third interface needs a public ip.

CreatePlease login to create content