
How to access a remote site over IPsec through the VPN client?

Vibi Abraham
Level 1

On my Cisco PIX-515E running version 6.3(5), I have an IPsec VPN tunnel, and home users also connect to the same firewall through the VPN client. I am unable to find a solution that allows my home users to connect to the office network and then also reach the remote network through the IPsec tunnel.

Please help.

1 Reply

Vikas Saxena
Cisco Employee

Hello Vibi,

In PIX 6.3.5 it is not possible to U-turn the traffic, so the VPN client users will not be able to reach the remote office connected to your PIX via the IPsec tunnel. The rule the PIX follows is that traffic cannot go out the same interface it came in on without crossing another interface. In the U-turn case, the traffic from the VPN client is decrypted on the outside interface and the route for the remote office network points back to outside again, so the traffic fails.

Solutions:

=======

Upgrade the PIX 515 to 7.x and use the same-security-traffic permit [inter|intra]-interface command together with nat (outside) 0,

OR (the complicated one, but successfully implemented at many locations)

======================================================

On the outside interface of the PIX 515 6.3.5, create subinterfaces, say e0/1.1 and e0/1.2 (two interfaces out of one).

Both interfaces will have separate public IP addresses.

E0/1.1 will have the default gateway pointed to its next hop and will be used by the VPN client.

E0/1.2 will be used by the IPsec L2L tunnel to the remote office and will have static routes pointing to the peer IP as well as to the remote network (just like IPsec terminated on any interface other than the default-gateway interface). The E0/1.2 interface is just like a DMZ and will have a lower security level (6.x code cannot have two interfaces with the same security level), so regular NAT rules will apply.

To implement this solution you either need another router in front of this PIX, or your ISP must coordinate with you so that dot1q is running on the ISP router as well.

BTW: The PIX codes (either 6.7 or 8) are out of engineering.

-Vikas
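The first solution in the reply (7.x with same-security-traffic and nat (outside) 0) is shown below as an added configuration example; it is not configuration from the original post or from either poster, and it assumes an existing, working L2L tunnel and remote-access VPN on PIX/ASA 7.x. All addresses and object names are made up for illustration: 10.1.0.0/16 is the office LAN behind inside, 10.2.0.0/16 the remote office LAN, 192.168.100.0/24 the VPN client address pool, 203.0.113.2 the L2L peer, and OUTSIDE_MAP / RA_POLICY the names of the existing crypto map and group policy.

```cisco
! Added example (not from the post). Assumed addresses:
!   10.1.0.0/16      office LAN behind the PIX (inside)
!   10.2.0.0/16      remote office LAN behind the L2L peer
!   192.168.100.0/24 address pool handed to VPN clients
!   203.0.113.2      L2L peer public address
!
! 1. Permit traffic to enter and leave the same (outside) interface: the U-turn
!    that 6.3 cannot do.
same-security-traffic permit intra-interface
!
! 2. Identity NAT on outside for the hairpinned flow. The client traffic is
!    decrypted on outside and re-encrypted on outside, so without this the
!    interface NAT/PAT rules would rewrite the client's pool address and the
!    packet would no longer match the L2L crypto ACL.
access-list NONAT_OUTSIDE extended permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (outside) 0 access-list NONAT_OUTSIDE
!
! 3. Usual NAT exemption for inside hosts talking to either VPN network.
access-list NONAT_INSIDE extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NONAT_INSIDE extended permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
!
! 4. The L2L crypto ACL must cover the VPN pool as well as the office LAN.
!    The peer's crypto ACL has to mirror both entries, otherwise the
!    192.168.100.0/24 <-> 10.2.0.0/16 SA is never negotiated. Peer,
!    transform set and the rest of the existing crypto map entry are unchanged.
access-list L2L_TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list L2L_TRAFFIC extended permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
!
! 5. If clients use split tunneling, the split-tunnel list must also include the
!    remote LAN, or the client never sends 10.2.0.0/16 into its tunnel at all.
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.2.0.0 255.255.0.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
```

To check that the hairpin is actually taking the tunnel, have a connected client ping a host in 10.2.0.0/16 and then look at show crypto ipsec sa on the PIX: a separate SA pair with local ident 192.168.100.0/24 and remote ident 10.2.0.0/16 should appear under the 203.0.113.2 peer, with its encaps/decaps counters incrementing. If only the 10.1.0.0/16 SA exists, the usual causes are a missing mirror entry on the peer or the split-tunnel list still lacking the remote LAN.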