[c-nsp] Question about Cisco PIX VPN

Andrew Yourtchenko ayourtch at cisco.com
Wed Jul 1 05:12:31 EDT 2009


Hi Jared,

On Tue, 30 Jun 2009, Jared Gillis wrote:

> Hi all,
>
> I'm configuring a PIX 501 running v6.3.5 code to terminate VPN connections from
> remote users. I've got the config intact, but need to learn how the PIX handles
> these connections internally.
> Here's the relevant config:
>
> access-list nonatvpn permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
> ip pool vpnswclient 192.168.1.2-192.168.1.254
> nat (inside) 0 access-list nonatvpn
>
> and I've got vpngroups defined per-user to pull from the vpnswclient pool and
> split-tunnel based on the nonatvpn acl.
>
> So my "inside" network is 192.168.0.0/24, and the vpnclients will get addressed
> into 192.168.1.0/24 (correct?), and there will be no NAT on communication
> between them. My question is, are my vpn clients in the same broadcast domain as

nope, they are not. Also, unless you have "sysopt connection permit-ipsec" 
you will need to explicitly allow their traffic into the inside.

> my "inside" interface, or will they be required to unicast to 192.168.0.x
> addresses? Is there a way to influence how they can communicate?

They'll talk unicast, as two different subnets. You can think of it as if the 
192.168.1.x subnet is something hanging off the outside interface.
BTW, that's the reason why no internet communication via VPN without split 
tunneling was possible until the "same-security permit intra-interface" - 
because in that case you arrive from "outside" and need to go back to "outside".


cheers,
andrew

>
> I've been looking all over Cisco's website and can find plenty of configuration
> examples, but nothing explaining how communication between the inside and vpn
> clients is handled.
>
> -- 
> Jared Gillis - jared at corp.sonic.net       Sonic.net, Inc.
> Network Operations                        2260 Apollo Way
> 707.522.1000 (Voice)                      Santa Rosa, CA 95407
> 707.547.3400 (Support)                    http://www.sonic.net/
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
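As an added illustration (not part of either message, nor Cisco's code), here is a small Python model of the forwarding rules Andrew describes, using the addresses from Jared's quoted config. The function and parameter names (`forwarding_decision`, `outside_acl_permits`, `intra_interface`) are my own, and the model is simplified: the `nat (inside) 0` exemption is treated as matching in both directions, and the outside-interface ACL and `sysopt connection permit-ipsec` are reduced to two booleans.

```python
"""
Model of how the PIX in the thread treats traffic between its inside network
and remote-access VPN clients. Addresses are the ones from the quoted config;
the rules follow the reply. This is an added example, not vendor code.
"""
import ipaddress

INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")      # "inside" interface
VPN_POOL_FIRST = ipaddress.ip_address("192.168.1.2")     # ip pool vpnswclient
VPN_POOL_LAST = ipaddress.ip_address("192.168.1.254")
VPN_NET = ipaddress.ip_network("192.168.1.0/24")         # subnet the pool lives in

# access-list nonatvpn permit ip 192.168.0.0/24 192.168.1.0/24
# Used both for "nat (inside) 0" and as the split-tunnel list.
NONAT_ACL = [(INSIDE_NET, VPN_NET)]


def in_pool(addr):
    """True if addr would be handed to a VPN client from vpnswclient."""
    addr = ipaddress.ip_address(addr)
    return VPN_POOL_FIRST <= addr <= VPN_POOL_LAST


def interface_for(addr):
    """Decapsulated VPN client traffic enters on 'outside', not 'inside'."""
    return "inside" if ipaddress.ip_address(addr) in INSIDE_NET else "outside"


def same_broadcast_domain(a, b):
    """Two hosts share a broadcast domain only if they sit in the same subnet."""
    a, b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    return any(a in net and b in net for net in (INSIDE_NET, VPN_NET))


def nat_exempt(src, dst):
    """nat (inside) 0 access-list nonatvpn, simplified: matched either way."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any((src in s and dst in d) or (src in d and dst in s)
               for s, d in NONAT_ACL)


def client_tunnels(dst):
    """Split tunnel on nonatvpn: the client encrypts only traffic to inside."""
    return any(ipaddress.ip_address(dst) in s for s, _ in NONAT_ACL)


def forwarding_decision(src, dst, sysopt_permit_ipsec=False,
                        outside_acl_permits=False, intra_interface=False):
    """Return (verdict, reason) for a packet as the PIX would route it.

    Assumed parameters: sysopt_permit_ipsec models "sysopt connection
    permit-ipsec"; outside_acl_permits models an explicit access-group on
    the outside interface; intra_interface models
    "same-security permit intra-interface".
    """
    ingress, egress = interface_for(src), interface_for(dst)
    if ingress == "inside":
        # Higher- to lower-security: allowed; nat 0 keeps real addresses.
        how = "NAT exempt" if nat_exempt(src, dst) else "translated"
        return "permit", f"inside -> outside, unicast, {how}"
    if egress == "inside":
        # VPN client into the inside network: lower- to higher-security.
        if sysopt_permit_ipsec or outside_acl_permits:
            return "permit", "outside -> inside, allowed by sysopt or ACL"
        return "deny", "outside -> inside needs sysopt permit-ipsec or an ACL"
    # VPN client to the internet (no split tunnel) or to another client:
    # the packet arrives on outside and must leave on outside again.
    if intra_interface:
        return "permit", "outside -> outside hairpin, intra-interface allowed"
    return "deny", "outside -> outside hairpin not allowed"
```

Running `forwarding_decision("192.168.1.10", "192.168.0.5")` with the defaults returns a deny, which is the case Andrew warns about; the same call with `sysopt_permit_ipsec=True` permits it, and `same_broadcast_domain("192.168.0.5", "192.168.1.10")` is False because the pool is its own /24.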

