
VPN access to 2 PIX's?

Status
Not open for further replies.

tpcolson

IS-IT--Management
Mar 13, 2001
I have a PIX at "HQ", which authenticates users on an inside ACS server (Cisco 2.6) using VPN Groups. The inside LAN is 192.168.1.0/24, remote users get an address from the 192.168.6.0/24 pool. Remote users have full access to the inside LAN, works great. Now... our remote office is also behind a PIX. They are on the 192.168.2.0/24 subnet. Users on the .1 and the .2 subnet can see each other fine, there is an IPSEC tunnel between the 2 PIX's. Dial-in users on the .6 subnet, while they can access the .1 'net, can't access the .2 'net, no matter what I do with access lists, authentication, or phases of the moon. PIX version is 6.1.0. Users are using the 3.1.1 Cisco VPN client on W2K. Any ideas? Help?
 
HI.

If I get this right (a diagram could have helped), you want remote VPN clients connected to pix1 to access the 192.168.2.0 network which is behind pix2 via the "site to site" VPN tunnel between pix1 & pix2. Right?

I understand that the pix won't do that because the pix will never (as far as I know) forward traffic to the interface it came from - vpn client comes from "outside" and you want the pix to forward packets to remote office back via "outside".

Other options - none is perfect.

* Think again - do you really need VPN access to the remote office? Can you redesign the network and place resources needed for remote users at the main office only (and better in a DMZ)?

* Allow VPN client connections directly to the remote office pix.

* Configure a VPN server inside (behind) the pix in the main office, like an NT/2000 RAS server with PPTP.
This will be able to give remote clients access to both networks, but this configuration will have many other disadvantages, so I do not recommend it unless you must.
You can also do a similar workaround and place a VPN server in the remote office instead.

* Implement a terminal server at the main office.
Remote clients will connect to it with VPN, and use it to access resources at the remote office.

Bye
Yizhar Hurwitz
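As an added illustration (not code from the thread or from Cisco), the following Python models the PIX 6.x forwarding rule Yizhar describes, using the subnets from the question. The route table and the inside-pool address 192.168.1.200 for the "VPN server inside the main office" workaround are assumptions made for the model; it shows why the client-to-remote-office flow is dropped and why the inside-server workaround gets past it.

```python
from ipaddress import ip_address, ip_network

# Constructed route table for pix1 (HQ): destination network -> egress interface.
# 192.168.2.0/24 lives behind pix2 and is reached over the site-to-site tunnel,
# so its route points out "outside". The VPN client pool 192.168.6.0/24 also
# arrives from "outside". (Assumed layout, derived from the question.)
ROUTES = {
    ip_network("192.168.1.0/24"): "inside",   # HQ LAN
    ip_network("192.168.2.0/24"): "outside",  # remote office, via IPsec peer
    ip_network("192.168.6.0/24"): "outside",  # VPN client pool
    ip_network("0.0.0.0/0"): "outside",       # default route
}


def lookup_interface(addr: str) -> str:
    """Longest-prefix-match route lookup: which interface faces this address."""
    ip = ip_address(addr)
    matches = [net for net in ROUTES if ip in net]
    return ROUTES[max(matches, key=lambda net: net.prefixlen)]


def forward(src: str, dst: str) -> tuple:
    """Decide whether pix1 (PIX 6.x) forwards a packet.

    The ingress interface is the one facing the source; the egress interface is
    the one facing the destination. PIX 6.x never sends a packet back out the
    interface it arrived on, so ingress == egress means the packet is dropped.
    Returns (ingress, egress, decision).
    """
    ingress = lookup_interface(src)
    egress = lookup_interface(dst)
    decision = "drop" if ingress == egress else "forward"
    return ingress, egress, decision


if __name__ == "__main__":
    # Sample flows (constructed from the thread's subnets).
    flows = [
        ("192.168.6.10", "192.168.1.5"),    # VPN client -> HQ LAN: works
        ("192.168.6.10", "192.168.2.5"),    # VPN client -> remote office: dropped
        ("192.168.1.5", "192.168.2.5"),     # HQ LAN -> remote office: works
        ("192.168.1.200", "192.168.2.5"),   # PPTP server inside hands out an
                                            # inside-pool address: now works
    ]
    for src, dst in flows:
        ingress, egress, decision = forward(src, dst)
        print(f"{src:>14} -> {dst:<14} {ingress:>7} -> {egress:<7} {decision}")
```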
 