08-04-2005 06:29 PM
Hello,
We are having a terrible time having a site-to-site VPN co-exist on a PIX firewall terminating VPN client connections.
The site-to-site VPN can be initiated from the other, but not from our end.
Would anyone have a sample configuration, or know of a sample configuration on cisco.com, which shows both a site-to-site VPN co-existing with the configuration for terminating VPN clients?
Thank you, Mark
08-04-2005 11:28 PM
Mark,
Read the following docs, if you are still having problems then let me know:
PIX and VPN Client setup:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml
PIX Site-to-Site IPSec VPN:
Hope this helps,
Jay
08-07-2005 04:29 PM
Hello Jay,
It seems we have determined what this issue was. When a PIX firewall terminates both VPN client connections and site-to-site VPNs, you cannot use a single access-list to both define what traffic is exempt from NAT (nat 0 access-list xxx) and what traffic is to be encrypted, and the ordering of the definitions within the crypto map also plays a part.
Essentially what ends up happening is that traffic destined for VPN clients, the PIX will attempt to send via the site-to-site VPN.
Please refer to the following document for a more detailed explanation:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml
Regards
Mark
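To illustrate the conclusion in the post above, here is an added PIX 6.x configuration fragment (not from the thread or the linked Cisco documents) that places the problematic shared access-list next to the corrected layout: separate NAT-exempt and crypto access-lists, with the static site-to-site entry ahead of the dynamic client entry in the crypto map. All addresses (inside 10.1.1.0/24, remote site 10.2.2.0/24, client pool 192.168.100.0/24, peer 203.0.113.2), the key placeholders and the names nonat, l2l, vpn, mymap, dynmap, strongset and vpnclients are constructed for this example.

```cisco
!--- Constructed addressing for this example (not from the thread):
!--- inside LAN 10.1.1.0/24, remote site LAN 10.2.2.0/24,
!--- VPN client pool 192.168.100.0/24, site-to-site peer 203.0.113.2

!--- PROBLEM (shown for contrast, do not apply): one ACL reused for
!--- nat 0 and the crypto map. Because it also matches inside -> client
!--- pool, return traffic for VPN clients matches the static entry and
!--- is encrypted toward the site-to-site peer instead of the client.
access-list vpn permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list vpn permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list vpn
crypto map mymap 10 match address vpn

!--- CORRECTED: separate ACLs. The NAT-exempt list covers both the
!--- remote site and the client pool; the crypto ACL covers only the
!--- remote site, so client traffic never matches the static entry.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list l2l permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat

ip local pool vpnpool 192.168.100.1-192.168.100.50
crypto ipsec transform-set strongset esp-3des esp-sha-hmac

!--- Static site-to-site entry first (lowest sequence number).
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address l2l
crypto map mymap 10 set peer 203.0.113.2
crypto map mymap 10 set transform-set strongset

!--- Dynamic entry for VPN clients LAST (highest sequence number),
!--- so it is consulted only after the static entry fails to match.
crypto dynamic-map dynmap 20 set transform-set strongset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside

isakmp enable outside
isakmp key <L2L-PRESHARED-KEY> address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients idle-time 1800
vpngroup vpnclients password <GROUP-PRESHARED-KEY>
sysopt connection permit-ipsec
```

After applying the corrected section, `show crypto map` should list the static entry (sequence 10) before the dynamic entry (65535), and `show access-list` should show the client-pool line only in the nonat list.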