Cisco VPN Client

Discussion in 'Cisco' started by Daniel Bourque, Jan 19, 2005.

  1. Environment: Corporate internal network with 2 different PIX 535 clusters
    protecting 2 different mainframe clusters in 2 well-connected sites (1 Gbps)
    Problem: Some users need to access both clusters at the same time using an
    encrypted connection
    Restriction: Need to be able to use downloadable ACLs using Cisco ACS, based
    on each user's security profile, not on the workstation of origin.

    Question:
    Is it possible with the Cisco VPN client to connect to 2 different PIX (we
    need to allow split tunneling so other local apps still work)?
    Is there another VPN client that can do that?
    Other solutions to access 2 different PIX environments?


    Thank you.

    Daniel Bourque
     
    Daniel Bourque, Jan 19, 2005
    #1

  2. Daniel Bourque

    BadCzech Guest

    "Daniel Bourque" <> wrote in
    news:6fBHd.34034$:

    > Question:
    > Is it possible with the Cisco VPN client to connect to 2 different PIX
    > (we need to allow split tunneling so other local apps still work)?
    > Is there another VPN client that can do that?
    > Other solutions to access 2 different PIX environments?


    I believe that this is possible. We have ours (4.0 version) connecting to
    one Pix and a VPN Concentrator. I hope I'm understanding correctly, but
    can't you just have 2 separate .pcf connection files; each one pointing to
    a separate pix? For instance, we deploy 2 .pcf files; one for the primary
    (concentrator) and one using the pix as a backup.

    Hope this helps...

    Cz
     
    BadCzech, Jan 21, 2005
    #2
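
The two-profile deployment described in the post above, as an added example that is not part of the original thread: a small Python audit that reads `.pcf` profiles, lists the head-ends each one can reach, and, going slightly beyond the post, flags secrets stored in the file. The profile contents, addresses, group name and approved-host list are constructed for illustration; treating `BackupServer` as a comma-separated list is an assumption.

```python
import configparser

# Constructed sample profiles (not from the thread); hosts are RFC 5737 addresses.
PROFILES = {
    "primary.pcf": """[main]
Description=Primary (VPN concentrator)
Host=192.0.2.10
AuthType=1
GroupName=mainframe-users
enc_GroupPwd=
SaveUserPassword=0
EnableBackup=1
BackupServer=198.51.100.20
""",
    "backup.pcf": """[main]
Description=Backup (PIX)
!Host=198.51.100.20
AuthType=1
GroupName=mainframe-users
GroupPwd=constructed-group-secret
SaveUserPassword=1
EnableBackup=1
BackupServer=203.0.113.77
""",
}
APPROVED = {"192.0.2.10", "198.51.100.20"}  # assumed list of sanctioned head-ends

def parse_pcf(text):
    """Return [main] as a dict; a leading '!' marks a key read-only in the client."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    return {k.lstrip("!"): v.strip() for k, v in cp["main"].items()}

def audit(profiles, approved):
    """Return sorted (file, finding) pairs for head-ends and stored secrets."""
    findings = []
    for name, text in profiles.items():
        p = parse_pcf(text)
        peers = [p.get("Host", "")]
        if p.get("EnableBackup") == "1":
            peers += [s.strip() for s in p.get("BackupServer", "").split(",") if s.strip()]
        findings += [(name, f"unapproved peer {h}") for h in peers if h not in approved]
        if p.get("GroupPwd") or p.get("enc_GroupPwd"):
            findings.append((name, "group secret stored in profile"))
        if p.get("SaveUserPassword") == "1":
            findings.append((name, "user password caching enabled"))
    return sorted(findings)

if __name__ == "__main__":
    for item in audit(PROFILES, APPROVED):
        print(*item, sep=": ")
```
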

  3. Daniel Bourque

    PES Guest

    BadCzech wrote:
    > "Daniel Bourque" <> wrote in
    > news:6fBHd.34034$:
    >
    >
    >>Question:
    >>Is it possible with the Cisco VPN client to connect to 2 different PIX
    >>(we need to allow split tunneling so other local apps still work)?
    >>Is there another VPN client that can do that?
    >>Other solutions to access 2 different PIX environments?

    >
    >
    > I believe that this is possible. We have ours (4.0 version) connecting to
    > one Pix and a VPN Concentrator. I hope I'm understanding correctly, but
    > can't you just have 2 separate .pcf connection files; each one pointing to
    > a separate pix? For instance, we deploy 2 .pcf files; one for the primary
    > (concentrator) and one using the pix as a backup.
    >
    > Hope this helps...
    >
    > Cz


    I may be reading too much into his question, but I am assuming he wants
    to do this simultaneously. As far as I know the answer is no. However,
    he could go a bit more complex and peer the clients only with the
    concentrator. Then build a tunnel between the concentrator and the pix.
    This will work, I've seen it first hand.

    --
    -------------------------
    Paul Stewart
    Lexnet Inc.
    Email address is in ROT13
     
    PES, Jan 22, 2005
    #3
  4. We can connect to both PIX but one at a time, not to both at the same time.

    One solution we have found is to build a tunnel between the 2 pix groups and
    route between them.

    A client can connect to either one of the pix groups and access the 2
    protected segments. We have found a Cisco article showing how to do that.


    "BadCzech" <> wrote in message
    news:...
    > "Daniel Bourque" <> wrote in
    > news:6fBHd.34034$:
    >
    > > Question:
    > > Is it possible with the Cisco VPN client to connect to 2 different PIX
    > > (we need to allow split tunneling so other local apps still work)?
    > > Is there another VPN client that can do that?
    > > Other solutions to access 2 different PIX environments?

    >
    > I believe that this is possible. We have ours (4.0 version) connecting to
    > one Pix and a VPN Concentrator. I hope I'm understanding correctly, but
    > can't you just have 2 separate .pcf connection files; each one pointing to
    > a separate pix? For instance, we deploy 2 .pcf files; one for the primary
    > (concentrator) and one using the pix as a backup.
    >
    > Hope this helps...
    >
    > Cz
     
    Daniel Bourque, Jan 26, 2005
    #4
  5. Yes, we need to access servers behind both pix groups simultaneously. One
    way we found was to build a tunnel between the 2 pix groups and route
    requests from one site to the other.

    Another one we are investigating is to front the 2 pix groups with 2 VPN
    concentrators. Now, the client can connect to either of the 2 VPN
    concentrators, have its personal ACL downloaded from a Cisco ACS and access
    servers on both sites. The VPN concentrator would mount permanent
    connections to both Pix groups.

    This solution could be extended since we have some servers isolated behind
    small Pix 501/515 on different network segments where we need to control
    access based on the IP of the accessing workstations. Using the VPN
    concentrator combined with the ACS would allow us to control per USER-ID
    instead of per IP.



    "PES" <> wrote in message
    news:41f2886a$...
    > BadCzech wrote:
    > > "Daniel Bourque" <> wrote in
    > > news:6fBHd.34034$:
    > >
    > >
    > >>Question:
    > >>Is it possible with the Cisco VPN client to connect to 2 different PIX
    > >>(we need to allow split tunneling so other local apps still work)?
    > >>Is there another VPN client that can do that?
    > >>Other solutions to access 2 different PIX environments?

    > >
    > >
    > > I believe that this is possible. We have ours (4.0 version) connecting to
    > > one Pix and a VPN Concentrator. I hope I'm understanding correctly, but
    > > can't you just have 2 separate .pcf connection files; each one pointing to
    > > a separate pix? For instance, we deploy 2 .pcf files; one for the primary
    > > (concentrator) and one using the pix as a backup.
    > >
    > > Hope this helps...
    > >
    > > Cz

    >
    > I may be reading too much into his question, but I am assuming he wants
    > to do this simultaneously. As far as I know the answer is no. However,
    > he could go a bit more complex and peer the clients only with the
    > concentrator. Then build a tunnel between the concentrator and the pix.
    > This will work, I've seen it first hand.
    >
    > --
    > -------------------------
    > Paul Stewart
    > Lexnet Inc.
    > Email address is in ROT13
     
    Daniel Bourque, Jan 26, 2005
    #5
