VPN
Configuring the Cisco IPSec VPN Client
Cisco ISA500 Series Integrated Security Appliance Administrator Guide
241
8
Figure 7 illustrates the client mode of operation. In this example, the security appliance provides access to two PCs, which have IP addresses in the 10.0.0.0 private network space. These PCs connect to the Ethernet interface on the security appliance, and the server assigns the IP address 192.168.101.2 to the security appliance. The security appliance performs NAT or PAT translation over the VPN tunnel so that the PCs can access the destination network. When accessing the remote network 192.168.100.x, the hosts 10.0.0.3 and 10.0.0.4 are translated to 192.168.101.2, but hosts in the remote network 192.168.100.x cannot access the hosts 10.0.0.3 and 10.0.0.4.
Figure 8 Cisco IPSec VPN Client Connection
Network Extension Mode
Network Extension Mode (NEM) specifies that the PCs and other hosts at the client
end of the VPN tunnel should be given IP addresses that are fully routable and
reachable by the destination network over the tunneled network so that they form
one logical network. PAT is not used, which allows the client PCs and hosts to have
direct access to the PCs and hosts at the destination network. In NEM mode, the
Cisco VPN hardware client obtains a private IP address from a DHCP server over
the VPN tunnel.
illustrates the network extension mode of operation. In this example, the
security appliance acts as a Cisco VPN hardware client, connecting to a remote
Cisco IPSec VPN Server. The hosts attached to the security appliance have IP
addresses in the 10.0.0.0 private network space. The server does not assign an IP
address to the security appliance, and the security appliance does not perform
[Figure: ISA500 as a Cisco IPSec VPN Client (192.168.101.2); Inside network 10.0.0.0 with hosts 10.0.0.3 and 10.0.0.4; WAN 202.0.0.1; VPN tunnel across the Internet; WAN 203.0.0.1; Cisco Device as a Cisco IPSec VPN Server, network 192.168.100.x]