1. Home
  2. Cisco Systems
  3. PIX 7.x VPN Client and site to site VPN's

PIX 7.x VPN Client and site to site VPN's

I read that version 7.x allows the PIX to route back over the same interface, unlike the previous versions. Am I understanding this correctly that with this feature I could now do this:

Site A: Central Office, PIX running 7.x Site B: Remote Office, PIX connected to Site A via site to site VPN Client PC: connects to Site A from home internet connection via Cisco VPN client

Would the client PC be able to establish a VPN connection to Site A, and actually be able to traverse over to Site B, all while Sites A and B have a site to site VPN running? If yes, does the PIX version/model matter at Site B(i.e. could a 501 handle this scenario if it was in place at Site B)?

Reply to
gkurcon
Loading thread data ...

You can with split-tunneling -- which I'm pretty sure is available in

6.X(X) as well. Just make sure to include site B's IP space in your config so that packets destined for its network get sent through the IPsec tunnel instead of out your default gateway.

In fact, it doesn't even matter what's on the other end of the site-to-site tunnel so long as hosts at site A can reach hosts at site B. For example, we have a PIX to SonicWall tunnel to one of our remote offices. I can connect to the PIX (site A) with the Cisco VPN client (PC) then access hosts on the other side of the SonicWall (site B).

-Gary

Reply to
Gary

Thanks for the reply. Can you give an example of the commands that would need to be added to the 506E's config in order to get this to work? Thanks.

Gary wrote:

Reply to
gkurcon

Here is what I have in my config regarding split-tunneling:

ip address inside 192.168.1.1

access-list ctvpn_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any

vpngroup ctvpn address-pool ciscovpn vpngroup ctvpn dns-server 192.168.1.5 192.168.1.11 vpngroup ctvpn split-tunnel ctvpn_splitTunnelAcl vpngroup ctvpn split-dns domain.local vpngroup ctvpn idle-time 7200 vpngroup ctvpn max-time 7200 vpngroup ctvpn user-idle-timeout 600

The address pool ciscovpn is: 172.16.1.1-20

What would I need to add in order to enable the vpn pool (172.16.1.0) to see the remote networks of 192.168.2.0 (users behind the PIX can see the remotes fine via site to site)?

Thanks.

snipped-for-privacy@gmail.com wrote:

Reply to
gkurcon

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.