PIX 7.x VPN Client and site to site VPNs

Discussion in 'Cisco' started by gkurcon, Jun 9, 2006.

  1. gkurcon

    gkurcon Guest

    I read that version 7.x allows the PIX to route back over the same
    interface, unlike the previous versions. Am I understanding this
    correctly that with this feature I could now do this:

    Site A: Central Office, PIX running 7.x
    Site B: Remote Office, PIX connected to Site A via site to site VPN
    Client PC: connects to Site A from home internet connection via Cisco
    VPN client

    Would the client PC be able to establish a VPN connection to Site A,
    and actually be able to traverse over to Site B, all while Sites A and
    B have a site to site VPN running? If yes, does the PIX version/model
    matter at Site B (i.e. could a 501 handle this scenario if it was in
    place at Site B)?
    gkurcon, Jun 9, 2006
  2. gkurcon

    Gary Guest

    You can with split-tunneling -- which I'm pretty sure is available in
    6.X(X) as well. Just make sure to include site B's IP space in your config
    so that packets destined for its network get sent through the IPsec tunnel
    instead of out your default gateway.
    In fact, it doesn't even matter what's on the other end of the
    site-to-site tunnel so long as hosts at site A can reach hosts at site B.
    For example, we have a PIX to SonicWall tunnel to one of our remote
    offices. I can connect to the PIX (site A) with the Cisco VPN client (PC)
    then access hosts on the other side of the SonicWall (site B).

    Gary, Jun 11, 2006
  3. gkurcon

    gkurcon Guest

    Thanks for the reply. Can you give an example of the commands that
    would need to be added to the 506E's config in order to get this to
    work? Thanks.
    gkurcon, Jun 12, 2006
  4. gkurcon

    gkurcon Guest

    Here is what I have in my config regarding split-tunneling:

    ip address inside

    access-list ctvpn_splitTunnelAcl permit ip

    vpngroup ctvpn address-pool ciscovpn
    vpngroup ctvpn dns-server
    vpngroup ctvpn split-tunnel ctvpn_splitTunnelAcl
    vpngroup ctvpn split-dns domain.local
    vpngroup ctvpn idle-time 7200
    vpngroup ctvpn max-time 7200
    vpngroup ctvpn user-idle-timeout 600

    The address pool ciscovpn is:

    What would I need to add in order to enable the vpn pool (
    to see the remote networks of (users behind the PIX can see
    the remotes fine via site to site)?

    gkurcon, Jun 12, 2006
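    The following is an added configuration sketch, not posted by anyone in
    this thread, that puts Gary's advice (list Site B's address space in the
    split-tunnel ACL) together with the 7.x same-interface feature from the
    first post and the object names from gkurcon's config (ctvpn, ciscovpn,
    ctvpn_splitTunnelAcl). All addresses, the crypto map name/sequence number
    and the NAT ACL names are assumptions chosen for illustration; it is
    written in PIX 7.x syntax, so it does not apply as-is to a 6.x PIX.

```cisco
! Added example for a PIX running 7.x at Site A. Constructed addressing:
!   Site A inside LAN : 192.168.1.0/24
!   Site B remote LAN : 192.168.2.0/24 (behind the site-to-site tunnel)
!   VPN client pool   : 10.10.10.0/24  (pool "ciscovpn" from the thread)

! 1. The 7.x feature the first post asks about: let traffic that arrives on
!    the outside interface (from the VPN client) be sent back out that same
!    interface into the site-to-site tunnel. 6.x has no equivalent command.
same-security-traffic permit intra-interface

! 2. Split-tunnel list: both Site A's LAN and Site B's LAN must be listed,
!    otherwise the client sends Site B traffic out its default gateway.
access-list ctvpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list ctvpn_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

! 3. NAT exemption so pool and LAN addresses are carried unchanged through
!    both tunnels. The outside-to-outside entry only matters when NAT is
!    enforced on the outside interface; it is harmless otherwise.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound

! 4. Site-to-site crypto ACL: the client pool must be "interesting traffic"
!    as well as the Site A LAN. Site B's PIX (501 or otherwise) needs the
!    mirror image, i.e. 192.168.2.0/24 -> 192.168.1.0/24 and
!    192.168.2.0/24 -> 10.10.10.0/24, or its tunnel will not carry the
!    client's packets.
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20

! 5. Remote-access client settings in 7.x form (the 6.x "vpngroup" lines in
!    the thread become a group-policy plus a tunnel-group).
ip local pool ciscovpn 10.10.10.1-10.10.10.254 mask 255.255.255.0
group-policy ctvpn internal
group-policy ctvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ctvpn_splitTunnelAcl
 split-dns value domain.local
 vpn-idle-timeout 120
tunnel-group ctvpn type ipsec-ra
tunnel-group ctvpn general-attributes
 address-pool ciscovpn
 default-group-policy ctvpn
```

    The two pieces that most often get missed are steps 3 and 4: the client
    pool has to appear on both sides' crypto ACLs and be exempt from NAT,
    otherwise the packets reach Site A's PIX but are either dropped as
    non-matching or translated to an address Site B will not return traffic
    to. "show crypto ipsec sa" on Site A after a test ping shows whether a
    security association for the pool-to-Site-B pair was actually built.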
