Surfing the internet WHILST using a VPN connection (PIX 513)

I have a Cisco Pix 513. From the outside interface users VPN into the network. Once on the network users wish to browse the internet. The problem is the fact that the internet connection is out through the same firewall they have just connected in through. Is it possible to get this working at all?

Thank you in advance

Joe.Mobley

Yes, this should work. Can regular users inside this network browse the Internet? Check your ruleset...

amattina

There is no PIX 513.

There is a PIX 515, and a re-spun version of that called the PIX 515E. Both the 515 and 515E are able to run PIX 7.x. The desired behaviour is possible in PIX 7.x, but only in cases (such as this one) where at least one VPN is involved on the common interface.

In PIX 5 and 6.0 thru 6.2, the only way to do this involves using a separate physical interface that is also connected to the ISP. This requires either a distinct IP address range or else that the public address range be subnetted (in which case a WAN router must also be involved.)

In PIX 6.3, the 515 and 515E gain the ability to add 802.1Q VLANs onto physical interfaces, and to treat the VLANs as logical interfaces. This would allow a setup similar to PIX 5 or 6.0/6.1/6.2, except without needing a separate physical interface... provided that there is a WAN router and it handles 802.1Q VLAN trunking.

Walter Roberson


I don't have any experience with the Cisco VPN client, but most other vendors' clients, such as Netscreen's, allow you to surf the Internet locally using your ISP connection and send traffic over the VPN at the same time.

They do this by routing traffic for the corporate IP range into a virtual VPN Network Adapter and any other traffic to your Default Gateway.

As IPSEC is a standard, these clients should work with Cisco devices too.

James

> Sorry yes I meant a PIX 515, not sure why I typed 513. Anyway I will


Thanks James. I think this is known as a split tunnel. I have considered this option but the only downside is the security aspect. You are basically bridging the internet and your corporate LAN.


Joe.Mobley
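
The PIX 7.x behaviour Walter Roberson describes, set beside the split tunnel James and Joe.Mobley discuss, as an added configuration sketch that is not from any poster in the thread. It assumes remote-access IPsec to the outside interface already works (ISAKMP policy, transform set, crypto map and tunnel-group in place); the pool, ACL and group-policy names and all addresses are hypothetical.

```cisco
! Added example for PIX 7.x. Hypothetical values:
!   inside LAN 10.1.0.0/24, VPN client pool 10.99.0.0/24,
!   names VPNPOOL, NONAT, SPLIT-ACL, REMOTE-USERS.

! Addresses handed to VPN clients.
ip local pool VPNPOOL 10.99.0.1-10.99.0.254 mask 255.255.255.0

! Inside <-> VPN pool traffic is exempt from translation.
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Inside hosts are PATed to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- Option A: tunnel everything and hairpin on the outside interface ---
! Let decrypted VPN traffic leave through the interface it arrived on.
same-security-traffic permit intra-interface
! PAT the VPN pool as well, so client Internet traffic gets a public source.
nat (outside) 1 10.99.0.0 255.255.255.0

group-policy REMOTE-USERS internal
group-policy REMOTE-USERS attributes
 ! The client sends all traffic to the PIX, so browsing is subject to
 ! the firewall's rules and logging.
 split-tunnel-policy tunnelall

! --- Option B: split tunnel (use instead of Option A) ---
! Only the corporate range is sent into the tunnel; everything else
! goes out the client's own default gateway, unfiltered by the PIX.
! access-list SPLIT-ACL standard permit 10.1.0.0 255.255.255.0
! group-policy REMOTE-USERS attributes
!  split-tunnel-policy tunnelspecified
!  split-tunnel-network-list value SPLIT-ACL
```

With Option A, `show xlate` on the PIX should list translations for 10.99.0.x clients on the outside interface once a connected user starts browsing.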
