In article <421c6f19$0$67640$>,
K <@.> wrote:
:I have two LANs on different sites and use a PIX 515E at each site to form a
:WAN over always-up VPN.
:I want to add some client machines to one of the LANs so they can VPN in. I
:DO NOT want these clients on my servers and ideally don't want them on my
:internal IP range.
:If I put a 2nd NIC in each of these extra PCs (as they would already have
:one for their own LAN connection to a LAN I would not control) and give it
:an IP not on my range (effectively a 3rd LAN) can my PIX allow VPN to my own
:network and this new 'virtual' network?
Yes, but you have the usual routing problems. You have to put a "route"
statement in pointing the new IP range towards the correct interface,
and you have to find some way for those extra PCs to be able to contact
the single fixed inside IP of the PIX. But of course if the PCs can do that,
they can also contact other local machines.
If you do not have 802.1Q aware switches then the easiest way to handle
this is to add another interface to the 515E (the restricted license
will handle 3 physical interfaces.) If you have 802.1Q aware switches
then you can handle it by creating a new "logical" interface on the inside;
"logical" interfaces get traffic that is 802.1Q tagged. You do not need
to reconfigure your present inside interface when you do this: 802.1Q
specifies that no tag is transmitted for the "native" vlan, so all you need
to do is configure the switch port as a trunk, add vlan 1 and the new vlan
to the trunk, and configure up the appropriate logical interface.
--
The image data is transmitted back to Earth at the speed of light
and usually at 12 bits per pixel.
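
A worked configuration for the 802.1Q "logical interface" approach described in the reply above, added here as an example and not part of the original thread. It assumes PIX OS 6.3 syntax on the 515E, a Catalyst IOS switch on the inside port, VLAN 10 for the new network, and the RFC 1918 ranges shown; none of those specifics come from the posts.

```cisco
! --- PIX 515E, PIX OS 6.3 syntax (assumed addresses, not from the thread) ---
! The existing inside interface stays on the untagged native VLAN (1),
! so nothing about it changes.
nameif ethernet1 inside security100
ip address inside 192.168.1.1 255.255.255.0

! New 802.1Q-tagged logical interface on the same physical port, VLAN 10.
! The PIX will only accept frames tagged 10 on it.
interface ethernet1 vlan10 logical
nameif vlan10 vpnclients security50
ip address vpnclients 192.168.10.1 255.255.255.0

! 192.168.10.0/24 is directly connected on "vpnclients", so no route
! statement is needed for it; the PIX answers on 192.168.10.1 there.
! Because vpnclients (50) is lower than inside (100), the PIX drops
! vpnclients -> inside traffic unless a static/access-list explicitly
! permits it. Adding nothing is what keeps these PCs off the servers.

! --- Catalyst switch port facing the PIX ethernet1 (IOS syntax) ---
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10
!
! The extra PCs' second NICs plug into plain access ports in VLAN 10:
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
```

The remote-access VPN itself (crypto map, ISAKMP policy, client pool) terminates on the outside interface as before and is unchanged by this; it is deliberately not shown. Verify the split with `show interface` on the PIX (the vlan10 logical interface should show up and count tagged frames) and `show interfaces FastEthernet0/1 trunk` on the switch, which should list VLANs 1 and 10 as allowed and active on the trunk.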