We currently have a remote site connected over a site to site VPN to a PIX 515e at our head office. We also have a client to site VPN that also terminates at the same PIX on the same outside interface.
We are in the process of testing the Cisco IP Communicator over a VPN. One of the remaining tasks is to assess whether it is feasible to connect to the remote site using the client to site VPN connection.
I'd be grateful for any guidance on whether this is possible with a 515e.
I hope this is enough info, I just want a theoretical yes or no for now.
Sure you can connect both a remote IPsec client and a Site-to-Site connection to the same PIX outside interface.
You need a static crypto map for the Site-to-Site and a dynamic crypto map for the client(s).
The dynamic crypto map is bound to the static map which in turn is associated to the outside interface.
Hope it helps.
If you want both VPNs to communicate with each other, then the PIX must be running at least code 7.x to be able to u-turn the traffic.
You can configure the PIX to reroute the VPN traffic back out the same interface via the other tunnel.
If the PIX is running 6.x, another option is to configure the PIX to receive the VPN traffic on the outside interface, have the PIX route that traffic to an internal router which in turn sends the traffic back to the PIX and out via the other tunnel (this is because of the limitation of not being able to do u-turn).
So, recommendation is to have code 7.x or higher and configure u-turn.
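A configuration sketch of the two points made in the answers above (dynamic map bound to the static map, plus u-turn on 7.x), added here as an illustration and not part of the original posts. All addresses and object names are constructed, and it assumes the ISAKMP policy, tunnel groups and client address pool are already configured.

```cisco
! Constructed addressing (assumptions, not taken from the thread):
!   head-office LAN   10.1.0.0/24
!   remote-site LAN   10.2.0.0/24
!   VPN client pool   10.3.0.0/24
!   remote-site peer  203.0.113.2
!
! Allow traffic to enter and leave the same interface (the "u-turn").
same-security-traffic permit intra-interface
!
! Crypto ACL for the site-to-site tunnel. The second entry places the
! client pool in the protected traffic, so packets from VPN clients to
! the remote site are encrypted into the site-to-site tunnel.
access-list L2L-REMOTE extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list L2L-REMOTE extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
crypto ipsec transform-set TS-AES-SHA esp-aes-256 esp-sha-hmac
!
! Dynamic map for remote-access clients, whose peer address is not
! known in advance.
crypto dynamic-map RA-DYN 10 set transform-set TS-AES-SHA
!
! Static map: the site-to-site entry gets a low sequence number and
! the dynamic map is bound at the highest one so it is evaluated last.
crypto map OUTSIDE-MAP 10 match address L2L-REMOTE
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set TS-AES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN
!
! Only one crypto map can be applied per interface, which is why both
! VPN types share OUTSIDE-MAP.
crypto map OUTSIDE-MAP interface outside
```

The remote site's crypto ACL has to mirror the second entry (10.2.0.0/24 to 10.3.0.0/24), and if split tunnelling is in use the clients' split-tunnel list must include the remote-site network.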
Thanks again. That's really useful. We are on software version 7.2 so I will take your advice and look at the u-turn option.
I've found this config example.
Is this what I should be following?