site-to-site VPN router to PIX VPN

Discussion in 'Cisco' started by tical, May 27, 2004.

  1. tical

    tical Guest

    I have a site-to-site router to PIX VPN; all traffic sent from the
    remote site comes to the home office site with the PIX. Can you exempt
    certain traffic from coming back to the home office, and instead go
    direct to the internet? Any cisco.com links?

    thanks

    FrishacK
     
    tical, May 27, 2004
    #1

  2. :I have a site-to-site router to PIX VPN; all traffic sent from the
    :remote site comes to the home office site with the PIX. Can you exempt
    :certain traffic from coming back to the home office, and instead go
    :direct to the internet?

    Yes.

    If your remote sites are PIXes or IOS boxes, then the traffic that should
    go directly should not be matched by the ACL named in your
    "crypto map match address" statement. Something similar should be possible
    if your remote sites are using Cisco VPN Concentrator 3002 models.

    If your remote sites are using the Cisco VPN software client and you
    have your home office site configured with 'vpngroup' then use
    the split-tunnel statement for vpngroup. The ACL named in the
    split-tunnel statement should be written from the point of view
    of traffic going *out* of the PIX towards the client, and the traffic
    that *should* go through the tunnel is what should be 'permit'd.
    Anything not permit'd will go directly to the internet. (Note: the
    VPN client configuration will need one box checked in order to expect
    split tunnels.)
     
    Walter Roberson, May 27, 2004
    #2
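
Added example, not part of the original thread or any poster's configuration: a sketch of the crypto-ACL approach described in post #2 for the original poster's case of an IOS router at the remote site. All addresses, ACL numbers, crypto map names and interface names are constructed placeholders, the "before" ACL is an assumption about why all traffic is currently tunnelled, and the ISAKMP policy, transform set and remaining PIX configuration are assumed to be in place already.

```cisco
! Constructed example: every address, name and number below is a placeholder.
! Remote LAN 192.168.2.0/24, home-office LAN 192.168.1.0/24,
! PIX outside address 203.0.113.1 (documentation range).

! --- Remote-site IOS router ---

! Before (assumed): the crypto ACL matches everything, so all traffic
! from the remote LAN is encrypted and sent to the PIX.
! access-list 110 permit ip 192.168.2.0 0.0.0.255 any

! After: only traffic destined for the home-office LAN matches the
! crypto ACL. Anything not matched is not sent through the tunnel.
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

crypto map HOMEOFFICE 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TSET
 match address 110

! Traffic that bypasses the tunnel leaves unencrypted and needs NAT to
! reach the internet. The tunnelled flow is denied first so that it is
! not translated before the crypto ACL sees it.
access-list 120 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list 120 interface Serial0 overload

interface Serial0
 ip nat outside
 crypto map HOMEOFFICE
interface Ethernet0
 ip nat inside

! --- Home-office PIX ---
! The PIX crypto ACL mirrors ACL 110 (PIX ACLs take a netmask, not a
! wildcard mask). If the two ends disagree, the tunnel will not pass
! the traffic as intended.
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map REMOTE 10 match address 110
```

Traffic that no longer matches the crypto ACL also no longer passes through whatever filtering and logging the home office applies, so the remote router's outside interface needs its own inbound access list.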

  3. |In article <>,
    |:I have a site-to-site router to PIX VPN; all traffic sent from the
    |:remote site comes to the home office site with the PIX. Can you exempt
    |:certain traffic from coming back to the home office, and instead go
    |:direct to the internet?

    |Yes.

    By the way: if the remote sites are coming in via PPTP, then the
    answer is NO: there is no split-tunnel facility for PPTP.


    ps: next time please be specific about how you have the remote devices
    configured, so that we do not have to waste our time enumerating all
    the possible answers.
     
    Walter Roberson, May 27, 2004
    #3
  4. tical

    tical Guest

    Thanks for the info, Walter; sorry for the vagueness.

    -FrishacK-
     
    tical, May 27, 2004
    #4