VPN Client Passing Through Hub to Spoke

Earthport
Level 1

Hi,

I need to configure a client's PIX 515UR (6.2.2) to allow a remote VPN client (using the Cisco Client) to connect to the Hub PIX and then pass through the Site-to-Site VPN tunnel to the Spoke.

I believe that I need to terminate the VPN Client on a second interface instead of the interface that the Site-to-Site VPN uses, but they only have one Class C address and they are insisting on using the /24 mask on the outside interface.

Am I correct in thinking that I require a second interface with a Public Address to achieve this?

Regards

Tony

2 Replies

afakhan
Level 4

Hi,

You are right; the reason being that the PIX doesn't support an on-a-stick configuration, because of the ASA (Adaptive Security Algorithm).

Thanks,

Afaq

jeff.roback
Level 1

The basic rule of thumb for the PIX is that packets can never enter and leave the PIX via the same interface. So under normal conditions, traffic from a VPN client can't enter via the outside interface and then leave again to reach another VPN site terminating on the PIX's outside interface.

There's a tech note giving an interesting example of how to get around this by terminating VPN tunnels at different interfaces at http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a0080103ed0.shtml

This might get a lot simpler with PIX 6.3 by assigning the PIX outside interface different addresses and VLAN tunneling. But that's just a thought; I haven't tried it yet!