[c-nsp] Question about Cisco PIX VPN
Jared Gillis
jared at corp.sonic.net
Tue Jun 30 19:56:44 EDT 2009
Hi all,
I'm configuring a PIX 501 running v6.3.5 code to terminate VPN connections from
remote users. I've got the config intact, but need to learn how the PIX handles
these connections internally.
Here's the relevant config:
access-list nonatvpn permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpnswclient 192.168.1.2-192.168.1.254
nat (inside) 0 access-list nonatvpn
and I've got vpngroups defined per-user to pull from the vpnswclient pool and
split-tunnel based on the nonatvpn ACL.
So my "inside" network is 192.168.0.0/24, and the VPN clients will get addressed
into 192.168.1.0/24 (correct?), and there will be no NAT on communication
between them. My question is, are my VPN clients in the same broadcast domain as
my "inside" interface, or will they be required to unicast to 192.168.0.x
addresses? Is there a way to influence how they can communicate?
I've been looking all over Cisco's website and can find plenty of configuration
examples, but nothing explaining how communication between the inside and vpn
clients is handled.
--
Jared Gillis - jared at corp.sonic.net
Network Operations
707.522.1000 (Voice)
707.547.3400 (Support)
Sonic.net, Inc.
2260 Apollo Way
Santa Rosa, CA 95407
http://www.sonic.net/
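As an added illustration (not part of the post above, and not a Cisco document), here is a PIX 6.3 remote-access configuration built around the three lines quoted in the message, with the remaining pieces such a setup needs. The pool and inside addressing are the ones from the post; the interface names `inside`/`outside`, the vpngroup name `remoteusers`, the names `strong`, `dynmap`, `clientmap` and `outside_in`, the inside DNS and RDP host addresses and the pre-shared key are assumed placeholders. What it shows: clients draw a /32 from 192.168.1.0/24 and reach 192.168.0.0/24 by being routed through the PIX after decryption, a separate Layer 3 network rather than the inside broadcast domain, and which inside hosts they may reach is governed by the outside interface's inbound access list once the IPsec ACL bypass (`sysopt connection permit-ipsec`) is not in effect. Lines beginning with `:` are PIX configuration comments.

```text
: Added example (not from the original post): PIX 6.3 remote-access VPN
: Assumed names: interfaces inside/outside, vpngroup remoteusers,
: transform-set strong, dynamic map dynmap, crypto map clientmap, ACL outside_in
: Inside network 192.168.0.0/24; client pool 192.168.1.0/24 (a separate routed subnet)

: Address pool handed to VPN clients; each client gets one address and is
: routed, not bridged, so it never shares the inside broadcast domain
ip local pool vpnswclient 192.168.1.2-192.168.1.254

: Inside <-> client traffic: exempt from NAT, and the same ACL names the
: inside networks the client sends through the tunnel (split tunnel)
access-list nonatvpn permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonatvpn

: Control what clients may reach. With the permit-ipsec bypass off, decrypted
: client traffic is checked against the outside interface's inbound ACL.
no sysopt connection permit-ipsec
access-list outside_in permit udp 192.168.1.0 255.255.255.0 host 192.168.0.10 eq domain
access-list outside_in permit tcp 192.168.1.0 255.255.255.0 host 192.168.0.10 eq domain
access-list outside_in permit tcp 192.168.1.0 255.255.255.0 host 192.168.0.20 eq 3389
access-list outside_in deny ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-group outside_in in interface outside

: IKE phase 1 and a dynamic crypto map, since client peer addresses are unknown
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client configuration address initiate
crypto map clientmap client authentication LOCAL
crypto map clientmap interface outside

: Group the Cisco VPN Client connects to; the group password is the
: pre-shared key and CHANGEME is a placeholder
vpngroup remoteusers address-pool vpnswclient
vpngroup remoteusers dns-server 192.168.0.10
vpngroup remoteusers split-tunnel nonatvpn
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password CHANGEME
```

Two practical caveats that follow from the routed design: hosts on 192.168.0.0/24 need a route to 192.168.1.0/24 via the PIX inside interface (normally their default gateway, so nothing extra is needed), and broadcast-based name resolution does not cross the tunnel, which is why the group pushes a DNS server. If the PIX already carries an inbound ACL on the outside interface, the `outside_in` entries must be merged into it rather than applied as a second `access-group`, since only one ACL can be bound per interface and direction.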