Network Extension Mode - Cisco ISA550 Administration Manual

VPN
Configuring Teleworker VPN Client
Cisco ISA500 Series Integrated Security Appliances Administration Guide

Network Extension Mode

Network Extension Mode (NEM) specifies that the PCs and other hosts at the client
end of the VPN tunnel should be given IP addresses that are fully routable and
reachable by the destination network over the tunneled network so that they form
one logical network. PAT is not used, which allows the client PCs and hosts to have
direct access to the PCs and hosts at the destination network. In NEM mode, the
Cisco VPN hardware client obtains a private IP address from a local DHCP server
or is configured with a static IP address.
Figure 8 illustrates the network extension mode of operation. In this example, the
security appliance acts as a Cisco VPN hardware client, connecting to a remote
IPsec VPN server. The hosts attached to the security appliance have IP addresses
in the 10.0.0.0 private network space. The server does not assign an IP address to
the security appliance, and the security appliance does not perform NAT or PAT
translation over the VPN tunnel. When accessing the remote network
192. 1 68. 1 00.x, the hosts 10.0.0.3 and 10.0.04 will not be translated, and the hosts in
the remote network 192. 1 68. 1 00.x can access the hosts 10.0.0.3 and 10.0.04
directly.
The client hosts are given IP addresses that are fully routable by the destination
network over the VPN tunnel. These IP addresses could be either in the same
subnet space as the destination network or in separate subnets, assuming that the
destination routers are configured to properly route those IP addresses over the
VPN tunnel.
Figure 8 IPsec VPN Network Extension Connection
10.0.0.3
WAN
202.0.0.1
ISA500
as a Cisco IPSec
VPN Client
10.0.0.4
WAN
203.0.0.1
VPN tunnel
Internet
Cisco Device
as a Cisco IPSec
VPN Server
8
192.168.100.x
317