[c-nsp] Question about Cisco PIX VPN

Jared Gillis jared at corp.sonic.net
Tue Jun 30 19:56:44 EDT 2009


Hi all,

I'm configuring a PIX 501 running v6.3.5 code to terminate VPN connections from
remote users. I've got the config intact, but need to learn how the PIX handles
these connections internally.
Here's the relevant config:

access-list nonatvpn permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip pool vpnswclient 192.168.1.2-192.168.1.254
nat (inside) 0 access-list nonatvpn

and I've got vpngroups defined per-user to pull from the vpnswclient pool and
split-tunnel based on the nonatvpn ACL.

So my "inside" network is 192.168.0.0/24, and the vpnclients will get addressed
into 192.168.1.0/24 (correct?), and there will be no NAT on communication
between them. My question is, are my vpn clients in the same broadcast domain as
my "inside" interface, or will they be required to unicast to 192.168.0.x
addresses? Is there a way to influence how they can communicate?

I've been looking all over Cisco's website and can find plenty of configuration
examples, but nothing explaining how communication between the inside and vpn
clients is handled.

-- 
Jared Gillis - jared at corp.sonic.net       Sonic.net, Inc.
Network Operations                        2260 Apollo Way
707.522.1000 (Voice)                      Santa Rosa, CA 95407
707.547.3400 (Support)                    http://www.sonic.net/
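Added example, not part of Jared's post and not anything the PIX itself runs: a short Python model of the three config lines he quoted. It parses them, then performs the two checks a practitioner wants before trusting the config: that every address in the vpnswclient pool falls inside the destination network of the nat 0 ACL (a pool address outside it is not NAT-exempt, a common reason a tunnel comes up but nothing passes), and how one client packet is classified. The split-tunnel list pushed to the client is the ACL's source side (192.168.0.0/24), so only those destinations enter the tunnel; the pool is a separate routed subnet, so a tunnelled packet arrives at the PIX as unicast over IPsec and is forwarded out the inside interface rather than appearing in the inside broadcast domain. The regexes, the helper names and the deliberately narrowed-mask variant are constructed for this example.

```python
"""Added example: model of what the posted PIX 6.3 lines do to VPN-client
traffic. Not code from the post or from Cisco; the parsing helpers and the
narrowed-ACL variant are constructed for illustration."""
import ipaddress
import re

# The three config lines quoted in the post, verbatim.
POSTED_CONFIG = """
access-list nonatvpn permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip pool vpnswclient 192.168.1.2-192.168.1.254
nat (inside) 0 access-list nonatvpn
"""

# Constructed misconfiguration: ACL destination mask too narrow for the pool.
NARROW_ACL_CONFIG = POSTED_CONFIG.replace(
    "192.168.1.0 255.255.255.0", "192.168.1.0 255.255.255.128")

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip pool (\S+) ([^-\s]+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse_config(text):
    """Return (acls, pools, nat0): ACL name -> [(action, src_net, dst_net)],
    pool name -> (first, last), interface -> name of the nat 0 exempt ACL."""
    acls, pools, nat0 = {}, {}, {}
    for raw in text.strip().splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        m = ACL_RE.match(line)
        if m:
            name, action, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (action,
                 ipaddress.ip_network(f"{src}/{smask}", strict=False),
                 ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
            continue
        m = POOL_RE.match(line)
        if m:
            name, first, last = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
            continue
        m = NAT0_RE.match(line)
        if m:
            iface, acl = m.groups()
            nat0[iface] = acl
    return acls, pools, nat0


def pool_addresses_not_exempt(config, iface="inside", pool="vpnswclient"):
    """Pool addresses that no permit line of the nat 0 ACL names as destination.
    Inside hosts talking to such a client hit the regular NAT rules instead
    of the exemption, so the tunnel comes up but traffic does not flow."""
    acls, pools, nat0 = parse_config(config)
    dests = [d for action, _, d in acls[nat0[iface]] if action == "permit"]
    first, last = pools[pool]
    missing = []
    addr = first
    while addr <= last:
        if not any(addr in d for d in dests):
            missing.append(str(addr))
        addr += 1
    return missing


def classify_client_flow(config, client_ip, dest_ip, acl="nonatvpn"):
    """(tunnelled, nat_exempt) for one packet sent by a VPN client.

    The split-tunnel list pushed to the client is the ACL's *source* side
    (the inside networks): only those destinations enter the tunnel; other
    traffic leaves the client's local interface and never reaches the PIX.
    A tunnelled packet is unicast over IPsec and routed out the inside
    interface; it is NAT-exempt only if the client address sits in the
    ACL's destination network."""
    acls, _, _ = parse_config(config)
    client = ipaddress.ip_address(client_ip)
    dest = ipaddress.ip_address(dest_ip)
    for action, inside_net, remote_net in acls[acl]:
        if action == "permit" and dest in inside_net:
            return True, client in remote_net
    return False, False


if __name__ == "__main__":
    print("pool addresses outside the nat 0 exemption:",
          pool_addresses_not_exempt(POSTED_CONFIG) or "none")
    print("narrowed ACL leaves",
          len(pool_addresses_not_exempt(NARROW_ACL_CONFIG)),
          "pool addresses un-exempted")
    print("client 192.168.1.10 -> 192.168.0.5:",
          classify_client_flow(POSTED_CONFIG, "192.168.1.10", "192.168.0.5"))
    print("client 192.168.1.10 -> 203.0.113.9:",
          classify_client_flow(POSTED_CONFIG, "192.168.1.10", "203.0.113.9"))
```

Because the same ACL drives both the split-tunnel list and the NAT exemption, the two checks above stay consistent by construction; the security trade-off that remains is split tunnelling itself, since any client traffic to destinations outside 192.168.0.0/24 never traverses the PIX and is not subject to its policy.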

