646 Views, 0 Helpful, 3 Replies

Cisco VPN clients being able to access already setup tunnels

pression2 (Level 1)

Hi everybody,

I have a central site with one 506E PIX and 5 remote sites connected using 501E PIX (IPsec tunnels). Now I have to permit VPN clients to connect to the central site (no problem for this), but they also have to be able to access the remote sites, at least one of them.

From what I know, this can't be done using a 506E PIX, but my question is... if I got a 515E PIX with three interfaces, could this be solved?

I would appreciate it if you answered me or suggested any other solution for the problem.

Thank you all in advance!

3 Replies

mostiguy (Level 6)

There is a Cisco example config for a workaround, but it seems very hackish - basically, you would have a second interface effectively act as a secondary outside interface for certain tunnels to connect to.

rodoljubt (Level 1)

Just double-check whether this applies to your PIX; I think it does, as it is part of the software:

Use the vpngroup split-tunnel command to enable split tunneling on the PIX Firewall. Split tunneling allows a remote VPN client simultaneous encrypted access to the corporate network and clear access to the Internet. Using the vpngroup split-tunnel command, specify the access-list name to which to associate the split tunneling of traffic. With split tunneling enabled, the PIX Firewall downloads its local network IP address and netmask specified within the associated access-list to the VPN Client as part of the policy push to the client. In turn, the VPN Client sends the traffic destined to the specified local PIX Firewall network via an IPSec tunnel and all other traffic in the clear. The PIX Firewall receives the IPSec-protected packet on its outside interface, decrypts it, and then sends it to its specified local network.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172787.html#41758

Also search Cisco.com for "split tunnel" on PIX.

Good luck.
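As an added example (not part of rodoljubt's reply or the linked Cisco guide), the following PIX 6.x configuration fragment wires the vpngroup split-tunnel command to an access-list. The group name "vpnusers", the pool, the subnets and the DNS address are assumed values; the commands themselves are standard PIX 6.x syntax:

```cisco
! Added example: PIX 6.x split tunneling for a VPN client group.
! Group name, pool and addresses below are assumed, not from the thread.
!
! Only traffic to 10.1.0.0/16 (the assumed central-site LAN) is pushed to
! the VPN Client as "send through the tunnel"; everything else leaves the
! client in the clear.
access-list split_tunnel_acl permit ip 10.1.0.0 255.255.0.0 any
!
! Address pool handed out to VPN clients
ip local pool vpnpool 192.168.100.1-192.168.100.50
!
! Exempt inside-to-client traffic from NAT so return packets are routable
access-list nonat permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Client group policy pushed to the VPN Client at connect time
vpngroup vpnusers address-pool vpnpool
vpngroup vpnusers dns-server 10.1.0.10
vpngroup vpnusers default-domain example.com
vpngroup vpnusers split-tunnel split_tunnel_acl
vpngroup vpnusers idle-time 1800
vpngroup vpnusers password <preshared-key-placeholder>
```

The split-tunnel ACL is the list of destinations the client will encrypt; a remote-site subnet that is not in it never enters the tunnel. Keep the ACL as narrow as possible, since a split-tunneled client is simultaneously on the corporate network and directly on the Internet, so its host firewall and patch level become part of the central site's exposure while it is connected.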

jackko (Level 7)

There are 2 workarounds:

1. Set up a server at the central site that can be used to access the remote sites; the mobile user VPNs into the central site and RDPs into the server, then the user may access whatever is needed on the remote sites via the server.

2. Set up the 501 PIX for mobile users as well. The negative is that the user can't access both the central and remote sites at the same time, as a user can't have 2 VPN tunnels at any given time.

In case you don't like the workarounds, a 515E with three interfaces will work. One thing to note is that the third interface needs a public IP.