Cisco Support Community
New Member

Tunnel remote users from ASA to PIX506E on WAN


I need to allow a 3rd party contractor to access systems at a site within our WAN (Frame Relay/MPLS). We have an ASA5520 at our internet gateway. At the remote site we have a PIX506E which isolates the local LAN from the subject segment that the contractor needs to access. Is it possible for the contractor to connect (via VPN client), authenticate through the ASA 5520 and then be tunneled directly to the isolated segment beyond the PIX506E? If not, is there an SSL option?

Any help would be appreciated.


Re: Tunnel remote users from ASA to PIX506E on WAN

Hi, yes and no. If you use the ASA to terminate the remote connection, then the traffic will be encrypted from the ASA to the contractor only. The traffic from the ASA to the subject segment will flow over your MPLS in clear text, which should be OK unless you really want to encrypt the traffic within your MPLS as well. If that is the case, then he will have to establish an SSL connection directly to those systems once he is on the VPN by using https://... or something like that.

New Member

Re: Tunnel remote users from ASA to PIX506E on WAN

I am concerned about the contractor being able to move about my internal network. I would like to tunnel him directly to the segment behind the PIX506E at the remote site. I would prefer that he not be able to access anything else on our internal network. Is this possible with IPSEC using the ASA and PIX506E?

New Member

Re: Tunnel remote users from ASA to PIX506E on WAN

Try creating an access list to apply to the VPN client group(s)...

access-list acl123 extended permit ip

Under your group-policy attributes:

split-tunnel-network-list value acl123
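
The suggestion above, filled out as an added ASA example (not part of the original reply). All addresses, the group-policy name and the filter ACL name are constructed placeholders. The vpn-filter line goes beyond the reply: a split-tunnel list only decides which destinations the client routes into the tunnel, while vpn-filter is the ACL the ASA itself enforces on the session.

```cisco
! Constructed placeholders (assumptions, not values from the thread):
!   192.0.2.0/24     isolated segment behind the PIX506E
!   198.51.100.0/24  address pool handed to the contractor's VPN clients
!   CONTRACTOR-GP    group-policy used only by the contractor's tunnel-group

! Split-tunnel list: the source network is what the client sends through the tunnel.
access-list acl123 extended permit ip 192.0.2.0 255.255.255.0 any

! Session filter: written with the remote side (client pool) as source and the
! permitted internal segment as destination. Everything else hits the implicit deny.
access-list CONTRACTOR-FILTER extended permit ip 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0

group-policy CONTRACTOR-GP internal
group-policy CONTRACTOR-GP attributes
 ! Without tunnelspecified the split-tunnel list is not applied.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl123
 ! Enforced on the ASA regardless of what the client chooses to route.
 vpn-filter value CONTRACTOR-FILTER
```

The PIX506E at the remote site still needs a rule permitting the client pool into the isolated segment, and the WAN needs a return route for that pool toward the ASA.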
