PIX 7.x VPN Client and site to site VPNs

I read that version 7.x allows the PIX to route back over the same interface, unlike the previous versions. Am I understanding this correctly that with this feature I could now do this:

Site A: Central Office, PIX running 7.x
Site B: Remote Office, PIX connected to Site A via site to site VPN
Client PC: connects to Site A from home internet connection via Cisco VPN client

Would the client PC be able to establish a VPN connection to Site A, and actually be able to traverse over to Site B, all while Sites A and B have a site to site VPN running? If yes, does the PIX version/model matter at Site B (i.e. could a 501 handle this scenario if it was in place at Site B)?


You can with split-tunneling -- which I'm pretty sure is available in 6.X(X) as well. Just make sure to include site B's IP space in your config so that packets destined for its network get sent through the IPsec tunnel instead of out your default gateway.

In fact, it doesn't even matter what's on the other end of the site-to-site tunnel so long as hosts at site A can reach hosts at site B. For example, we have a PIX to SonicWall tunnel to one of our remote offices. I can connect to the PIX (site A) with the Cisco VPN client (PC) then access hosts on the other side of the SonicWall (site B).



Thanks for the reply. Can you give an example of the commands that would need to be added to the 506E's config in order to get this to work? Thanks.

Gary wrote:


Here is what I have in my config regarding split-tunneling:

ip address inside

access-list ctvpn_splitTunnelAcl permit ip any

vpngroup ctvpn address-pool ciscovpn
vpngroup ctvpn dns-server
vpngroup ctvpn split-tunnel ctvpn_splitTunnelAcl
vpngroup ctvpn split-dns domain.local
vpngroup ctvpn idle-time 7200
vpngroup ctvpn max-time 7200
vpngroup ctvpn user-idle-timeout 600

The address pool ciscovpn is:

What would I need to add in order to enable the vpn pool ( to see the remote networks of (users behind the PIX can see the remotes fine via site to site)?


snipped-for-privacy@gmail.com wrote:

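An added illustration, not posted by anyone in this thread: the pieces discussed above for a PIX 7.x at Site A, namely traffic re-exiting the outside interface, Site B's network in the client split-tunnel list, and the VPN pool in the site-to-site crypto ACLs on both ends. All addresses, the ACL names siteB_crypto, siteA_crypto and nonat, and the crypto map name and sequence number are constructed placeholders; ctvpn and ctvpn_splitTunnelAcl are reused from the post above, and Site B is assumed to run 6.x syntax.

```cisco
! Constructed placeholder addressing (not from the thread):
!   Site A inside    10.1.0.0/24
!   Site B inside    10.2.0.0/24
!   VPN client pool  10.99.0.0/24

! --- Site A (PIX 7.x) ---
! Let IPsec traffic enter and leave through the same (outside) interface.
same-security-traffic permit intra-interface

! Networks the VPN client sends through its tunnel: Site A and Site B only.
access-list ctvpn_splitTunnelAcl standard permit 10.1.0.0 255.255.255.0
access-list ctvpn_splitTunnelAcl standard permit 10.2.0.0 255.255.255.0
group-policy ctvpn internal
group-policy ctvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ctvpn_splitTunnelAcl

! Site-to-site interesting traffic: Site A LAN and the client pool to Site B.
access-list siteB_crypto extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list siteB_crypto extended permit ip 10.99.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map outside_map 20 match address siteB_crypto

! --- Site B (assumed PIX 6.x syntax) ---
! Mirror of Site A's crypto ACL, plus NAT exemption for the same traffic.
access-list siteA_crypto permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list siteA_crypto permit ip 10.2.0.0 255.255.255.0 10.99.0.0 255.255.255.0
access-list nonat permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 10.2.0.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 20 match address siteA_crypto
```

The two crypto ACLs must mirror each other exactly, and listing only the specific subnets keeps remote-client reach into Site B limited to what is intended.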
