[c-nsp] Question about Cisco PIX VPN
Peter Rathlev
peter at rathlev.dk
Tue Jun 30 20:51:46 EDT 2009
On Tue, 2009-06-30 at 16:56 -0700, Jared Gillis wrote:
> So my "inside" network is 192.168.0.0/24, and the vpnclients will get
> addressed into 192.168.1.0/24 (correct?), and there will be no NAT on
> communication between them.
Correct, your "nat (inside) 0 access-list nonatvpn"
> My question is, are my vpn clients in the same broadcast domain as
> my "inside" interface, or will they be required to unicast to
> 192.168.0.x addresses? Is there a way to influence how they can
> communicate?
No, they're not in the same broadcast domain. The PIX sort of
"terminates" the clients on the "outside" interface. Ex: assigned IP
addresses must be routed to the outside.
With the "sysopt connection permit-ipsec" you implicitly allow all
traffic from VPN users. Alternatively you open up your "outside" ACL to
permit relevant traffic. PIX/ASA v7 and newer have the "vpn-filter"
feature for fine grained control of what VPN users can and cannot reach.
> I've been looking all over Cisco's website and can find plenty of
> configuration examples, but nothing explaining how communication
> between the inside and vpn clients is handled.
"Product support" lists some configuration examples that might be of
interest:
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
Regards,
Peter
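The pieces discussed above (NAT exemption, the blanket "sysopt" bypass and the per-group "vpn-filter"), put together as an added configuration example. This is not from the thread or from Cisco's documentation; the pool name "vpnpool", the ACL names "nonatvpn" and "vpnfilter", the group name "vpnclients" and the inside host addresses are assumed for illustration.

```cisco
! Added example, not from the thread. Assumed names: vpnpool, nonatvpn,
! vpnfilter, vpnclients; assumed inside hosts 192.168.0.5 and 192.168.0.10.

! --- Addressing and NAT exemption (PIX 6.x syntax) ---
! Clients draw from this pool; the PIX routes these addresses via "outside".
ip local pool vpnpool 192.168.1.1-192.168.1.254
vpngroup vpnclients address-pool vpnpool

! Exempt inside <-> client traffic from NAT; this is the "nat 0" line
! referred to in the reply.
access-list nonatvpn permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonatvpn

! Coarse option: every decrypted VPN packet bypasses the outside ACL.
sysopt connection permit-ipsec

! --- Fine-grained option (PIX/ASA 7.x and newer syntax) ---
! A vpn-filter is enforced on decrypted traffic in addition to the sysopt
! bypass, so the outside ACL can stay untouched. Write the ACEs with the
! VPN client as source and the inside host as destination.
access-list vpnfilter extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.0.10 eq 443
access-list vpnfilter extended permit udp 192.168.1.0 255.255.255.0 host 192.168.0.5 eq domain
access-list vpnfilter extended deny ip any any
group-policy vpnclients internal
group-policy vpnclients attributes
 vpn-filter value vpnfilter
```

The first half is enough for the "no NAT, reachable from the clients" behaviour the question asks about; the second half is what restricts clients to specific inside services once the platform supports "vpn-filter". Because the clients are terminated on the outside interface rather than bridged into the inside segment, none of this gives them broadcast reachability to 192.168.0.x hosts; only routed unicast traffic crosses.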