03-17-2003 01:57 PM - edited 02-21-2020 12:25 PM
Hi,
I need to configure a client's PIX 515UR (6.2.2) to allow a remote VPN client (using the Cisco Client) to connect to the hub PIX and then pass through the site-to-site VPN tunnel to the spoke.
I believe that I need to terminate the VPN client on a second interface instead of the interface that the site-to-site VPN uses, but they only have one Class C address and they are insisting on using the /24 mask on the outside interface.
Am I correct in thinking that I require a second interface with a public address to achieve this?
Regards
Tony
03-17-2003 02:53 PM
Hi,
You are right; the reason being that the PIX doesn't support a router-on-a-stick style configuration, because of the ASA (Adaptive Security Algorithm).
Thanks,
Afaq
03-17-2003 03:36 PM
The basic rule of thumb for the PIX is that packets can never enter and leave the PIX via the same interface. So under normal conditions, traffic from a VPN client can't enter via the outside interface and then leave again to reach another VPN site terminating on the PIX's outside interface.
There's a tech note giving an interesting example of how to get around this by terminating VPN tunnels at different interfaces at http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a0080103ed0.shtml
This might get a lot simpler with PIX 6.3 by assigning the PIX outside interface different addresses and VLAN tunneling. But that's just a thought, haven't tried it yet!
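To make the "different interfaces" workaround concrete, here is an added PIX 6.2-style configuration sketch written for this thread; it is not the poster's configuration and not the contents of the linked Cisco tech note. It terminates the site-to-site tunnel on `outside` and the Cisco VPN Client sessions on a second public-facing interface, here called `outside2`, so client traffic decrypted on `outside2` can exit via `outside` into the spoke tunnel without ever entering and leaving the same interface. All addresses (203.0.113.0/24, 198.51.100.0/24, 192.0.2.5 as the spoke peer, 10.1.1.0/24 hub LAN, 10.2.2.0/24 spoke LAN, 10.3.3.0/24 client pool), the interface, map and group names, and the pre-shared keys are constructed placeholders.

```cisco
! Added sketch (not from the thread or the Cisco tech note). Placeholder names/addresses.
! Three interfaces: outside (site-to-site), outside2 (VPN clients), inside (hub LAN).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 outside2 security10
ip address outside 203.0.113.2 255.255.255.0
ip address outside2 198.51.100.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Do not NAT traffic between hub LAN, client pool and spoke LAN.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list nonat permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (outside2) 0 access-list nonat

! Site-to-site tunnel to the spoke, terminated on outside.
! Interesting traffic includes the client pool so client-to-spoke packets get encrypted.
access-list l2l permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list l2l permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map l2lmap 10 ipsec-isakmp
crypto map l2lmap 10 match address l2l
crypto map l2lmap 10 set peer 192.0.2.5
crypto map l2lmap 10 set transform-set strong
crypto map l2lmap interface outside
isakmp enable outside
isakmp key PLACEHOLDER_L2L_KEY address 192.0.2.5 netmask 255.255.255.255

! Remote-access clients, terminated on outside2 with a dynamic crypto map.
ip local pool clientpool 10.3.3.1-10.3.3.254
vpngroup remoteusers address-pool clientpool
vpngroup remoteusers password PLACEHOLDER_GROUP_KEY
crypto dynamic-map dynmap 10 set transform-set strong
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap interface outside2
isakmp enable outside2

! Shared ISAKMP policy for both interfaces; let IPsec traffic bypass interface ACLs.
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec
```

The spoke's crypto access list must mirror the hub side and include the 10.3.3.0/24 client pool as well as the hub LAN, otherwise return traffic from the spoke to a client will not match the tunnel. The second interface still needs its own routable public address for the clients to reach it, which is the constraint the original question is really about.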