PIX site-to-site VPN with VPN client connections

mmorris74
Level 1

Hello,

We are having a terrible time having a site-to-site VPN co-exist on a PIX firewall terminating VPN client connections.

The site-to-site VPN can be initiated from the other end, but not from ours.

Would anyone have a sample configuration, or know of a sample configuration on cisco.com, which shows a site-to-site VPN co-existing with the configuration for terminating VPN clients?

Thank you,

Mark

2 Replies

jmia
Level 7

Mark,

Read the following docs, if you are still having problems then let me know:

PIX and VPN Client setup:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

PIX site-to-Site IPSec VPN:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Hope this helps,

Jay

Hello Jay,

It seems we have determined what this issue was. When a PIX firewall terminates both VPN client connections and site-to-site VPNs, you cannot use a single access-list to both define what traffic is exempt from NAT (nat 0 access-list xxx) and what traffic is to be encrypted; the ordering of the definitions within the crypto map also plays a part.

Essentially what ends up happening is that the PIX will attempt to send traffic destined for VPN clients via the site-to-site VPN.

Please refer to the following document for a more detailed explanation:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml

Regards,

Mark
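The separation Mark describes, written out as a PIX 6.x configuration fragment. This is an added illustration, not configuration from the original thread or from the linked Cisco documents, and every address and name in it is assumed: 10.1.1.0/24 is the local LAN behind the PIX, 10.2.2.0/24 is the remote site behind the site-to-site peer 192.0.2.1, and 10.3.3.0/24 is the address pool handed to VPN clients. The first block shows the arrangement that misroutes client traffic; the second shows the NAT-exemption list and the crypto list kept apart, with the dynamic crypto map entry given the highest sequence number so the static site-to-site entry is evaluated first.

```cisco
! --- Broken: one ACL reused for NAT exemption and for the crypto map ---
! Because "vpn" also covers the client pool, the static site-to-site entry
! matches traffic bound for VPN clients and tries to send it to 192.0.2.1.
access-list vpn permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list vpn permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (inside) 0 access-list vpn
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn
crypto map outside_map 10 set peer 192.0.2.1

! --- Corrected: separate lists, static entry ahead of the dynamic entry ---
! NAT exemption must cover BOTH the remote site and the client pool,
! otherwise return traffic to either is translated and the tunnel breaks.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (inside) 0 access-list nonat

! The crypto ACL for the static map names ONLY the site-to-site traffic.
access-list l2l permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! Address pool for the VPN clients (assumed range).
ip local pool vpnpool 10.3.3.1-10.3.3.254

crypto ipsec transform-set strong esp-3des esp-sha-hmac

! Dynamic map for clients: no peer, no match address; the client's proposal
! supplies the proxy identities at negotiation time.
crypto dynamic-map dynmap 10 set transform-set strong

! Static site-to-site entry at a low sequence number, evaluated first.
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address l2l
crypto map outside_map 10 set peer 192.0.2.1
crypto map outside_map 10 set transform-set strong

! Dynamic entry at the highest sequence number, evaluated last.
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map interface outside

isakmp enable outside
! Pre-shared key for the site-to-site peer (placeholder value).
isakmp key ******** address 192.0.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Group settings for the VPN clients (group name and password assumed).
vpngroup clients address-pool vpnpool
vpngroup clients password ********

! Let decrypted traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
```

Two checks after applying this: `show crypto map` should list the static entry before the dynamic one, and `show access-list` should show hit counts on `l2l` only for traffic to 10.2.2.0/24, with `nonat` matching both destinations. 3DES, SHA-1 and Diffie-Hellman group 2 are shown because they are what the PIX 6.x VPN Client generation supported; they are not a recommendation for any platform that offers stronger choices.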