Solved

Cisco PIX VPN over a second external connection

Posted on 2006-10-30
2
271 Views
Last Modified: 2013-11-16
I have a pix 515 running 7.2(1)

I have a T1 and cable modem connection currently all users surf over the cable modem.

I would like to know if its possible to allow VPN users to connect over the T1? If so what special do I need to setup.

Thanks
0
Comment
Question by:citslogin
2 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17838635
Well . . . yes . .  and no..
The issue is that you apparently have the cable modem set as the default gateway.
You can have VPN users come in over the T1 to a separate interface on the PIX quite easily, except for the fact that the default path goes through the cable modem.
PIX-T1 interface has a different IP from T1 ISP - say 12.34.56.2
Client at home has IP address 24.222.22.22
Client tries to connect to 12.34.56.2
Request comes in through the T1
PIX has to respond back to 24.222.22.22
PIX looks in route table and only finds default to 63.44.55.6 - the cable route
PIX replies through the cable route
Client expecting reply from 12.34.56.2 but get reply from 63.44.55.6 and drops attempt to connect

The only way around this is to add specific static routes in the PIX for each remote client user:
 route t1_interface 24.222.22.22 255.255.255.255 12.34.56.1  <== to reply back to this client, go out the T1

What if users are all mobile (that's the idea mostly, anyway - right)? That's the problem..
As long as you can get the mostly stationary users' home IP's then  you can add appropriate routes to them. If they're all on the same cable vendor they should mostly have the same IP address range - 24.222.0.0 and you can add a static network route like that  pointing out the T1

0
 
LVL 1

Author Comment

by:citslogin
ID: 17843489
this is exactly what Im seeing.

Thanks alot.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
cannot send E-mails to one company 15 91
Cisco ASDM device NT domain question 4 44
Issue with seeing default gateway on ASA 5506 firewall 4 47
Using VLAN Interface in ASA 5 32
When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question