VPN Question on a PIX515E

Discussion in 'Cisco' started by K, Feb 23, 2005.

  1. K

    K Guest

    This question isn't necessarily Cisco specific, but because my PIX will be
    in charge of the VPN I will post here.

    I have two LANs on different sites and use a PIX 515E at each site to form a
    WAN over always-up VPN.

    I want to add some client machines to one of the LANs so they can VPN in. I
    DO NOT want these clients on my servers and ideally don't want them on my
    internal IP range.

    If I put a 2nd NIC in each of these extra PCs (as they would already have
    one for their own LAN connection to a LAN I would not control) and give it
    an IP not on my range (effectively a 3rd LAN) can my PIX allow VPN to my own
    network and this new 'virtual' network?
     
    K, Feb 23, 2005
    #1

  2. In article <421c6f19$0$67640$>,
    K <@.> wrote:
    :I have two LANs on different sites and use a PIX 515E at each site to form a
    :WAN over always-up VPN.

    :I want to add some client machines to one of the LANs so they can VPN in. I
    :DO NOT want these clients on my servers and ideally don't want them on my
    :internal IP range.

    :If I put a 2nd NIC in each of these extra PCs (as they would already have
    :one for their own LAN connection to a LAN I would not control) and give it
    :an IP not on my range (effectively a 3rd LAN) can my PIX allow VPN to my own
    :network and this new 'virtual' network?

    Yes, but you have the usual routing problems. You have to put a "route"
    statement in pointing the new IP range towards the correct interface,
    and you have to find some way for those extra PCs to be able to contact
    the single fixed inside IP of the PIX. But of course if the PCs can do that,
    they can also contact other local machines.

    If you do not have 802.1Q aware switches then the easiest way to handle
    this is to add another interface to the 515E (the restricted license
    will handle 3 physical interfaces.) If you have 802.1Q aware switches
    then you can handle it by creating a new "logical" interface on the inside;
    "logical" interfaces get traffic that is 802.1Q tagged. You do not need
    to reconfigure your present inside interface when you do this: 802.1Q
    specifies that no tag is transmitted for the "native" vlan, so all you need
    to do is configure the switch port as a trunk, add vlan 1 and the new vlan
    to the trunk, and configure up the appropriate logical interface.
    --
    The image data is transmitted back to Earth at the speed of light
    and usually at 12 bits per pixel.
     
    Walter Roberson, Feb 23, 2005
    #2
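As an added example, not part of either post above: a configuration sketch of the 802.1Q "logical interface" approach Walter describes, for a PIX 515E running PIX OS 6.3 (the release that introduced the `logical` keyword; assumed here) with a Catalyst switch in front of it. It puts the extra PCs' "3rd LAN" on tagged VLAN 10 behind its own PIX interface, adds that subnet to the existing site-to-site tunnel, and uses the fact that it is now a separate interface to stop those PCs reaching the local servers. Every interface name, VLAN ID, ACL name, crypto map name and address is an assumption.

```text
! --- PIX 515E, PIX OS 6.3 (assumed). Physical inside port ethernet1 keeps
! untagged/native VLAN 1 traffic; VLAN 10 becomes a new tagged logical
! interface named 'vpnclients'. All names, IDs and addresses are assumed.
interface ethernet1 100full
interface ethernet1 vlan1 physical
interface ethernet1 vlan10 logical
nameif ethernet1 inside security100
nameif vlan10 vpnclients security50
ip address inside 10.1.0.1 255.255.0.0
ip address vpnclients 192.168.10.1 255.255.255.0

! The "route" statement from the reply is only needed if the new range sits
! one hop behind the PIX rather than directly on the logical interface:
! route vpnclients 192.168.11.0 255.255.255.0 192.168.10.254 1

! Remote site LAN is 10.2.0.0/16 behind the other PIX (assumed). The new subnet
! must be NAT-exempt and in the crypto ACL to ride the existing tunnel; the
! remote PIX needs the mirror-image entries.
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat
nat (vpnclients) 0 access-list nonat

access-list site2site permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list site2site permit ip 192.168.10.0 255.255.255.0 10.2.0.0 255.255.0.0
crypto map vpnmap 10 match address site2site

! Because 'vpnclients' is its own interface, the "they can also contact other
! local machines" problem can be closed with an inbound ACL: tunnel only.
access-list vpnclients_in permit ip 192.168.10.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list vpnclients_in deny ip any 10.1.0.0 255.255.0.0
access-list vpnclients_in deny ip any any
access-group vpnclients_in in interface vpnclients

! --- Catalyst switch port facing ethernet1 (IOS, assumed) ---
! VLAN 1 stays untagged as the native VLAN, so the existing inside interface
! is untouched; VLAN 10 is carried tagged.
! interface FastEthernet0/1
!  switchport trunk encapsulation dot1q
!  switchport mode trunk
!  switchport trunk native vlan 1
!  switchport trunk allowed vlan 1,10
```

Two checks worth doing after applying something like this: confirm with `show crypto ipsec sa` that a second SA pair appears for 192.168.10.0/24 once traffic flows (the tunnel is per crypto-ACL entry), and test from one of the extra PCs that the local server range is unreachable while the remote site is reachable, since the interface ACL is what actually enforces the "not on my servers" requirement.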
