
Pix client to several sites via VPN


lgarner

IS-IT--Management
Jan 26, 2002
2,348
US
I have set up two Pix 515E's at two locations, and created a tunnel between them, like so:

lanA -- pixA -- internet -- pixB -- lanB

All works normally, so far. Now, I set up client VPN access on pixA and assign addresses to the clients from a range on lanA. Also working- the clients can connect to pixA and access addresses on lanA. But, they cannot see lanB.

Some of the main configuration parts are (paraphrased):
access-list splittunnel permit ip lanA/24 any
access-list splittunnel permit ip lanB/24 any
access-list nonat permit ip lanA/24 lanB/24

Both lanA and lanB appear in the client's list of protected networks. Before getting too deep in this and posting configurations, I'm hoping that someone has managed to get this working and can point me in the direction of the most likely issue- acl, nat, etc.

Thanks.
Lee.
 
It will never work with the PIX... If you want to see LAN B from the VPN client connection you need to end the tunnel at either a router or VPN concentrator on site A. The reason is the PIX is not able to route packets back out the same interface they arrived on.
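To see exactly where the client-to-lanB flow falls over, here is an added Python sketch (not from this thread or from Cisco) that models pixA's interface table, its route to lanB via the site-to-site tunnel, and the two ACLs from the post, then flags a flow whose ingress and egress interface coincide; the addresses are constructed placeholders, since the post gives none.

```python
import ipaddress

# Constructed placeholder addresses for the thread's lanA, lanB and the client
# pool carved out of lanA (the post gives no real addresses).
LAN_A = ipaddress.ip_network("10.1.0.0/24")
LAN_B = ipaddress.ip_network("10.2.0.0/24")
OUTSIDE_NET = ipaddress.ip_network("203.0.113.0/29")  # pixA's public segment

# pixA's interface table (connected networks) and static routes.
# lanB is only reachable through the site-to-site tunnel, i.e. via 'outside'.
INTERFACES = {"inside": [LAN_A], "outside": [OUTSIDE_NET]}
ROUTES = [(LAN_B, "outside")]

# The two ACLs from the post as (src, dst) pairs; None means 'any'.
SPLIT_TUNNEL = [(None, LAN_A), (None, LAN_B)]
NONAT = [(LAN_A, LAN_B)]

def egress_interface(dst):
    """Longest-prefix match over connected networks and static routes."""
    candidates = [(n.prefixlen, name) for name, nets in INTERFACES.items()
                  for n in nets if dst in n]
    candidates += [(n.prefixlen, name) for n, name in ROUTES if dst in n]
    return max(candidates)[1] if candidates else None

def in_acl(acl, src, dst):
    return any((s is None or src in s) and dst in d for s, d in acl)

def check_client_flow(client_ip, dst_ip, ingress="outside"):
    """Findings for one VPN-client flow arriving decrypted on pixA's outside.
    An empty list means the flow has no obvious reason to fail."""
    src, dst = ipaddress.ip_address(client_ip), ipaddress.ip_address(dst_ip)
    findings = []
    if not in_acl(SPLIT_TUNNEL, src, dst):
        findings.append("split-tunnel: destination is not a protected network, "
                        "so the client never sends it into the tunnel")
        return findings
    egress = egress_interface(dst)
    if egress == ingress:
        # Same-interface forwarding is what the reply above says this PIX cannot do.
        findings.append("hairpin: packet enters and must leave via '%s', which "
                        "this PIX cannot do" % ingress)
    if egress == "outside" and not in_acl(NONAT, src, dst):
        findings.append("nonat: no exemption for this src/dst, so it would be "
                        "translated before reaching the site-to-site tunnel")
    return findings

if __name__ == "__main__":
    for dst in ("10.1.0.5", "10.2.0.5"):
        print(dst, check_client_flow("10.1.0.200", dst) or ["ok"])
```

Run as-is, the lanA host comes back clean and the lanB host reports only the hairpin finding, matching the thread's conclusion that the ACLs are fine and the same-interface turnaround is the blocker.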
 
Drat. That's the conclusion that I've been coming to, though I thought the rules might be different for VPN use.

One option might be to subnet the internet segment and use two public interfaces, but I've been looking at the 3000 series concentrator and like that idea much better.

Thanks for the answer.

Lee.
