
Both site to site and remote


forumsviewer (Technical User), Jul 8, 2008
I have a couple of questions concerning remote VPN, also known as road warrior mode. I have a PIX that I want to set up as site to site with another PIX, but also as a VPN for remote workers at airports, hotels, etc.

Let's say the location of the PIX is on 192.168.1.0/24. When I set up the remote VPN, would I need to create a pool on that same 192.168.1.0/24, or does it have to be on something like 192.168.4.0/24 with split tunneling?

Can I have both site to site persistent VPN between this PIX and another as well as a remote VPN using Cisco Client software in Windows?

The remote worker needs full access to the network, including servers and mapped network drives on the network, and also uses the network's internet for browsing, etc. So I assume the remote worker will actually be on the same subnet of 192.168.1.0/24?
 
I should add some discoveries and my thought process to my thread.

1. Of course I can have site to site AND remote going at the same time. I am sure there is a limit, but I'm almost positive that I can have both at the same time as well.

2. I have been able to successfully connect via the Cisco VPN client in Windows to the PIX box. I get a local subnet (192.168.1.0 area) IP address, but I cannot ping the local network's router, servers, computers, mapped network drives, etc. I can access the internet, but it is the remote client's internet, not the PIX side internet. The only way I could get internet at all was by enabling split tunnel.

The way I want to configure it is so that the remote VPN side obviously uses the internet to connect to the PIX VPN. From there, the remote side uses the internet of the PIX VPN side as well as having complete access to the PIX side network.
 
Again, I will answer my own discoveries.

Using the internet from the main PIX doesn't work (in and out the same outside port doesn't make sense when you think about it).

Also I had to run the commands:
Code:
isakmp identity address
isakmp nat-traversal 20

to get it working for internal IPs.
 
would I need to create a pool on that same 192.168.1.0/24 or does it have to be on something like 192.168.4.0/24 with split tunneling
You should create a dedicated VPN pool separate from your LAN network. Make sure that whatever device is your default gateway has a route back to this subnet.
Using the internet from the main PIX doesn't work (in and out the same outside port doesn't make sense when you think about it)
This is called hair-pinning, and it is supported if you enter the following command:
Code:
ASA(config)# same-security-traffic permit intra-interface
If you need further help post a full scrubbed config of your device as well as a detailed description of your goals.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
same-security-traffic permit intra-interface looks like ASA code, not PIX 501?
 
My bad, I should have asked what model you were using. No, that's not supported on the 501 since it can't be upgraded to the necessary OS.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 