In all of the sample configs I have seen, the pool of addresses used to give to the VPN clients is from a different subnet than the local one (inside). Is there a reason to, or not to, use addresses from the local inside subnet?
I have a PIX 515 with VPNs to multiple PIX 506s in a hub and spoke format as well as some VPN clients. I am using Certificates for the PIX-PIX VPNs and Certs with XAUTH for the clients. All seems to work fine. I have noticed that when I add a remo...
Split tunneling allows you to have internet access while you are connected to the VPN. If you don't allow it you should have what you are asking for I believe.
I agree. Right now everything is defined as interesting so the VPN client will encrypt all traffic. If you are more specific the client will be able to identify what NOT to encrypt.
You can change these defaults if you like but this is from Symantec's site: The pcAnywhere use of IP ports changes with the version of pcAnywhere used. Earlier versions used ports 22 (UDP) and 65301 (TCP). These ports were not registered. Beginning wi...
Both of the posted solutions are good, but if the vendor was going to do this on a prolonged or regular basis, and since your IOS supports it, I would recommend a VPN solution. You can restrict what he is allowed to do and encrypt the traffic.