

Use Cisco VPN client to establish VPN from one interface to another on same PIX

Posted on 2007-10-17
Medium Priority
Last Modified: 2010-04-09
I have a client where their back-office network is behind a PIX 515 with multiple interfaces. We are currently able to establish a VPN using the Cisco client to their network from the outside. We just set up a wireless network that we want separated from the internal network but still have internet access. We put that on its own interface on the PIX. Everything works except when we are connected to the wireless network and want to VPN into the back-office network on the other interface using the public IP on the PIX. We can successfully VPN to other networks through the wireless, so there is nothing restricting outgoing traffic. Is there something specific that needs to be configured to allow you to VPN from one interface to another?

I would prefer not to post the config file for security reasons, but I can post certain sections of it upon request.

Question by: ITLighthouse
1 Comment
LVL 19

Accepted Solution

nodisco earned 2000 total points
ID: 20097539
The reason this doesn't work is that when you are on the wireless network, to connect to the public IP address your NAT sends your traffic out the outside interface. The address you are trying to reach is either the PIX IP or a VPN server translated to the PIX IP; either way, the connection is then coming in from the outside. The PIX will not let traffic come in the same interface it originated from.

If you are using a VPN concentrator/internal PPTP server, you may be able to set up a translation for its internal server IP to the wireless network and then allow the proper ports through so the wifi clients can then access only this box on the necessary ports, but I don't think it's possible to do this terminating on the PIX outside IP.
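The workaround the answer describes, written out as an added PIX 6.x configuration fragment that is not from the poster or the answerer: a static translation that presents an internal PPTP server at an address on the wireless subnet, and an inbound ACL on the wireless interface that lets wireless clients reach only that box on the PPTP ports while keeping their Internet access. All addresses, the interface name "wireless" and the ACL name "wireless_in" are assumptions.

```cisco
! Added example configuration (hypothetical addressing, not the poster's config):
!   inside network 10.10.0.0/16, internal PPTP server 10.10.1.20
!   wireless subnet 192.168.50.0/24 on the third PIX interface
!   192.168.50.250 is an unused wireless-side address used as the
!   translated address of the PPTP server
nameif ethernet2 wireless security50
ip address wireless 192.168.50.1 255.255.255.0

! One-to-one translation: wireless clients reach the PPTP server at a
! wireless-side address, so the traffic never has to leave and re-enter the
! outside interface (the hairpin the PIX refuses)
static (inside,wireless) 192.168.50.250 10.10.1.20 netmask 255.255.255.255

! Inbound policy on the wireless interface:
!  1. PPTP control channel (TCP/1723) and GRE (the PPTP data channel)
!     are allowed only to the translated PPTP server address
!  2. everything else destined for the internal network is dropped
!  3. Internet access for the wireless clients is preserved
access-list wireless_in permit tcp 192.168.50.0 255.255.255.0 host 192.168.50.250 eq 1723
access-list wireless_in permit gre 192.168.50.0 255.255.255.0 host 192.168.50.250
access-list wireless_in deny ip any 10.10.0.0 255.255.0.0
access-list wireless_in permit ip 192.168.50.0 255.255.255.0 any
access-group wireless_in in interface wireless

! Wireless clients still need PAT to reach the Internet via the outside interface
nat (wireless) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface
```

The deny line for 10.10.0.0/16 is what keeps the wireless segment isolated; without it the final permit would let wireless hosts reach the whole internal network. After applying it, `show xlate` confirms the static translation is in place and `show access-list wireless_in` shows hit counts per line, which makes it easy to verify that only the PPTP lines are matching traffic from wireless clients.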

