Tough VPN-to-PIX question

Status
Not open for further replies.

veneficuss

IS-IT--Management
May 29, 2002
PIX VPN and inside interface look like this:

|Gateway|--|concentrator|--|pix|--|routerA|--|routerB|

Subnets connected to routerA:
192.168.100.0
192.100.100.0
Subnets connected to routerB:
192.7.7.0
194.6.6.0

On PIX: all subnets were statically applied so that VPN users could use the actual addresses (no translations).

On Concentrator: static routes for all the above nets were created and point to the PIX.

The Problem:
We have taken all of the PIX restrictions off, to allow IP, TCP & ICMP access. VPN clients can go through the concentrator and reach routerA and all directly connected nets.
Users CANNOT reach routerB or any of those nets.

HEEEELP

Tried everything. Why can't users hop to the next router? We are able to ping routerB networks from all routerA networks. Anyone have any ideas?

Everyone is using RIP v1/2.
 
Hi.

You can try to redesign the network, and put the VPN box behind the PIX (inside), or better on a dedicated PIX interface (or 2).
This will better protect the VPN box from external attacks, and can solve some of your problems without punching too many holes in the firewall.

What do you think?

Can you provide more details about your problem?

Bye
Yizhar Hurwitz
 