VPN
Configuring Teleworker VPN Client
Cisco ISA500 Series Integrated Security Appliances Administration Guide 367
8
Network Extension Mode
Network Extension Mode (NEM) specifies that the PCs and other hosts at the client
end of the VPN tunnel should be given IP addresses that are fully routable and
reachable by the destination network over the tunneled network so that they form
one logical network. PAT is not used, which allows the client PCs and hosts to have
direct access to the PCs and hosts at the destination network. In NEM mode, the
Cisco VPN hardware client obtains a private IP address from a local DHCP server
or is configured with a static IP address.
Figure 8 illustrates the network extension mode of operation. In this example, the
security appliance acts as a Cisco VPN hardware client, connecting to a remote
IPsec VPN server. The hosts attached to the security appliance have IP addresses
in the 10.0.0.0 private network space. The server does not assign an IP address to
the security appliance, and the security appliance does not perform NAT or PAT
translation over the VPN tunnel. When accessing the remote network
192.168.100.x, the hosts 10.0.0.3 and 10.0.0.4 will not be translated, and the hosts in
the remote network 192.168.100.x can access the hosts 10.0.0.3 and 10.0.0.4
directly.
The client hosts are given IP addresses that are fully routable by the destination
network over the VPN tunnel. These IP addresses could be either in the same
subnet space as the destination network or in separate subnets, assuming that the
destination routers are configured to properly route those IP addresses over the
VPN tunnel.
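Figure 8 IPsec VPN Network Extension Connection
[Figure: the ISA500, acting as a Cisco IPSec VPN Client with attached hosts 10.0.0.3 and 10.0.0.4, connects through a VPN tunnel across the Internet to a Cisco Device acting as a Cisco IPSec VPN Server in front of the 192.168.100.x network. WAN addresses shown: 202.0.0.1 and 203.0.0.1.]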
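Because NEM uses no NAT or PAT, the destination side must hold a route that sends each client host's address back into the VPN tunnel. The following added example (not from the Cisco guide) checks an address plan against a destination-side route table with longest-prefix match, covering both the separate-subnet and same-subnet-space cases. The egress labels (`wan`, `lan`, `vpn-tunnel`), the /24 and /28 prefix lengths, and the route tables are constructed assumptions.

```python
import ipaddress

def egress_for(host, routes):
    """Longest-prefix match: return the egress label chosen for host, or None."""
    addr = ipaddress.ip_address(host)
    best = None
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None

def check_nem_plan(client_hosts, destination_net, routes, tunnel="vpn-tunnel"):
    """Map each NEM client host to (placement, egress, reachable_via_tunnel)."""
    dest = ipaddress.ip_network(destination_net)
    report = {}
    for host in client_hosts:
        in_dest = ipaddress.ip_address(host) in dest
        placement = "same-subnet-space" if in_dest else "separate-subnet"
        egress = egress_for(host, routes)
        report[host] = (placement, egress, egress == tunnel)
    return report

# Constructed destination-side route tables (hypothetical egress labels).
ROUTES_OK = [("0.0.0.0/0", "wan"),
             ("192.168.100.0/24", "lan"),
             ("10.0.0.0/24", "vpn-tunnel")]
# No route for the client LAN: replies fall through to the default route.
ROUTES_MISSING = [("0.0.0.0/0", "wan"),
                  ("192.168.100.0/24", "lan")]
# Client hosts carved out of the destination network's own address space.
ROUTES_SHARED = [("0.0.0.0/0", "wan"),
                 ("192.168.100.0/24", "lan"),
                 ("192.168.100.192/28", "vpn-tunnel")]

if __name__ == "__main__":
    cases = [("ok", ["10.0.0.3", "10.0.0.4"], ROUTES_OK),
             ("missing", ["10.0.0.3", "10.0.0.4"], ROUTES_MISSING),
             ("shared", ["192.168.100.200", "192.168.100.50"], ROUTES_SHARED)]
    for name, hosts, routes in cases:
        for host, row in check_nem_plan(hosts, "192.168.100.0/24", routes).items():
            print(name, host, row)
```

A host whose third field is `False` is not routed back through the tunnel by the destination side, so the direct access that NEM describes does not hold for it.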