PIX 501 <-> Concentrator remote client question

I'm new to the world of PIX. I am learning quickly though, I think.

Anyway, I purchased a 501, and what I would like to do (I believe it is possible) is the following.

Configure an IPsec tunnel from my PIX to the office where I work. I do not have admin rights to the equipment at work, but I believe I have the buy-in from the network administrator if I can come up with the configuration.

At the office we have a Cisco VPN Concentrator that all of the existing VPN tunnels terminate against (software VPN clients, 501 VPN clients, etc.).

Is it possible to configure my 501 at home so that only one IP address NATed inside my network would traverse the IPsec tunnel to the office, and the relevant data would return through the tunnel? I don't have a problem with other traffic coming through the tunnel to my house, but the only traffic that "should" be coming through the tunnel should be reply traffic.

Any other data from my house would not go through the tunnel, but go out the standard interface.

I know we have another user who has a 501 at his house; however, he is using the EasyVPN client, which causes all of his traffic to go through the tunnel. This causes the traffic not bound for the office to "double-dip" off of the office Internet connection, and I don't want to do that, especially since my wife works from home. I would not want all of her traffic to traverse the tunnel to my office to get out to the Internet (and I'm sure the network admin wouldn't either).

So the million-dollar question is: is this possible, or am I asking for too much?

In addition to the VPN Concentrator at the office we have mostly Cisco hardware (routers, PIXes, switches, etc.), so if it's not possible to terminate against the Concentrator, could I terminate against another device?

If it is possible, could I trouble you all for some help putting together the commands to make it work on the PIX and the concentrator?

From what I've read I believe I could get the PIX commands, but I don't have any idea about the Concentrator.

Cheers, and thanks for the help,



Take a look at the Cisco doc "Configuring the VPN Hardware Client on PIX 501/506 Version 6.2 for Use With a VPN 3000 Concentrator".


That is a great reference, but if I read it correctly it would tunnel all of my traffic from home to work and then out to the Internet.

Here's the best I can do at ASCII art:


( PC1 --\
         >---- PIX --- ( Internet ) --- WORK CONCENTRATOR
( PC2 --/

What I'm looking for is for the PIX to establish a connection to the Concentrator and then only forward traffic through the tunnel when the traffic is bound for the work IP range (a class B IP range).


What you are looking for is called a split-tunnel VPN. Only traffic that needs to be encrypted is encrypted and tunneled into your office. The policy for an EasyVPN split-tunnel would have to be defined by your admin at the VPN Concentrator. It could be enabled for all EasyVPN clients, or your admin could create a new vpngroup just for you.

Using split-tunnel VPNs for clients is a security risk, however; that is probably why your admin has it turned off.

Mark Williams

You could also configure the PIX for VPN pass-through and just use the VPN client on your PC.


I already have this successfully working.

The main reasons for this request are:

1) I work from home occasionally.
2) My work VPN client does not allow local traffic (i.e. I would like to be able to use local network printers and local file servers on this side of the tunnel).
3) I just wanted to tinker with the PIX and learn a little along the way.
4) To access work email I either have to sign on to the web client (not that big of a deal) or sign on to the VPN to use the client on my laptop, thus forfeiting my local network access.

So the request is out of academic curiosity and convenience.

So if I understand correctly, I'll need to convince the network admin to change the security policy for the vpngroup so that I can have local access to my network while attached to the VPN?


The default when you create a group on the Concentrator is that all remote traffic will go over the tunnel.

This can be modified, though, so that only traffic to(/from?) a specific set of networks will be encrypted, while the rest will exit the remote client unencrypted (thus accessing the Internet locally). As was said previously in the thread, this is called split tunneling. And it has nothing to do with the EasyVPN feature: EasyVPN *can* be used with split tunneling.

And yes, this modification needs to be done on the Concentrator.




You guys are a bit off track ...

What you need is not split tunnelling! What you need to do is allow the single IP your workstation has through the LAN-to-LAN tunnel to the headend. This you do via the match address statement in the crypto map. And you need to have the same configured in the VPN 3000 at the headend, otherwise it will drop. The config on your end and at the headend MUST be 100% mirror images of each other.

So if you can get your network admin to set up a LAN-to-LAN tunnel on the VPN 3000, no problem!

HTH Martin Bilgrav

Martin Bilgrav
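As an added illustration (not posted in this thread, and not the OP's or Martin's configuration), this is what the LAN-to-LAN approach described above looks like in PIX 6.x syntax. Every address, name and the key are placeholders: home LAN 192.168.1.0/24 with the single workstation 192.168.1.10, office range 172.16.0.0/16 standing in for the "class B", VPN 3000 public address 203.0.113.1, and a fixed public address on the PIX outside interface so the headend has a known peer.

```cisco
! Hypothetical addresses (not from the thread):
!   home LAN           192.168.1.0/24, workstation 192.168.1.10
!   office network     172.16.0.0/16  (the "class B" range)
!   VPN 3000 public IP 203.0.113.1
! Interesting traffic: ONLY the workstation to the office range.
! This ACL is what "match address" hangs off; every other host on
! the LAN never matches it and keeps going out the outside interface.
access-list l2l-office permit ip host 192.168.1.10 172.16.0.0 255.255.0.0

! Same traffic must bypass NAT so it enters the tunnel with its real
! inside address; the headend's remote network is 192.168.1.10/32.
access-list no-nat permit ip host 192.168.1.10 172.16.0.0 255.255.0.0
nat (inside) 0 access-list no-nat
! Ordinary PAT for everything else on the LAN (unchanged behaviour)
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Phase 1 (IKE) - must match an IKE proposal on the VPN 3000
isakmp enable outside
isakmp key <preshared-key> address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 (IPsec) - the crypto map ties the peer, the transform and
! the interesting-traffic ACL together
crypto ipsec transform-set office-ts esp-3des esp-sha-hmac
crypto map office-map 10 ipsec-isakmp
crypto map office-map 10 match address l2l-office
crypto map office-map 10 set peer 203.0.113.1
crypto map office-map 10 set transform-set office-ts
crypto map office-map interface outside

! Let decrypted tunnel traffic bypass the outside access-list
sysopt connection permit-ipsec
```

The headend side has to be the mirror image, as Martin says: a LAN-to-LAN entry on the VPN 3000 whose local network is 172.16.0.0 (wildcard 0.0.255.255), whose remote network is 192.168.1.10 (wildcard 0.0.0.0), whose peer is the PIX's outside address, with the same preshared key and a 3DES/SHA/group 2 proposal. If the VPN 3000 were given 192.168.1.0/24 as the remote network instead, the proxy identities would not match and phase 2 would fail. Note that `sysopt connection permit-ipsec` lets anything from the office range reach 192.168.1.10 through the tunnel; if only reply traffic should come back, drop that line and write an explicit access-list on the outside interface instead.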

Yes, it -is- possible.

It just takes a little 'routing smarts' on the home network, _and_ a path to the public Internet that bypasses the PIX.


pc1 -----+     +----dumb router ---
         |     |          |
         | hub |          |
         |     |          |
pc2 -----+     +--pix-----+

Now, on the PCs, you:

a) set a default route to the hub-facing side of the 'dumb router'.
b) set a static route for the office network to the hub-facing side of the PIX.

It's actually a little easier with a 4-port router, then you:

pc1 -----+     +----dumb router---
         |     |     |
         | hub |     |
         |     |     |
pc2 -----+     +-pix-+

and the PCs need only the 'standard' default route to the router, while the router has:

route to local network on port A
route to 'inside' of PIX on port B
route to 'outside' of PIX on port C
default route on port D

If you don't have multiple static IP addresses available, then the dumb router needs to be able to do NAT -- in/out on port D, with _static_ bi-directional NAT for the ports the PIX uses.

It's even possible to set this mess up where the PIX is 'managed' exclusively from the corporate head-end -- accessible only via the VPN tunnel, and not from the local lan, nor the public Internet.

Robert Bonomi

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.