VPN NAT Question

bradlesliect
Level 1

Hi,

My ADSL router creates VPN connections to my remote sites. This VPN works fine, but I need to give the one network (behind the ADSL) access to servers on another network.

Basically, the VPN connection is created to my VPN router. The router then allows 172.18.44.x to talk to anything advertised on my network. I need to get the above network connected to a network in the 172.20.32.x range.

How would I do that? Is this an access list issue or do I look at the VPN Router?

17 Replies

Jon Marshall
Hall of Fame

Hi

It's a little unclear what you are trying to achieve. If you merely want to add another network to an existing VPN setup then you just need to modify the crypto map access-lists at both ends of the VPN.

If I have misunderstood please explain further.

HTH

Jon

It's a bit difficult to explain. I have a VPN setup for my network and the entry points are at 2 different sites. Connections into the VPN are fine. Users are able to browse network resources as if they were on my network.

I now need to connect a user from one network made via VPN into mine to another network made via VPN to mine.

What configs can I give you?

Brad

Yes you can do this. What you are trying to do is have spoke to spoke communication via the hub site where the hub site is you and the spoke sites are the two remote sites.

Here is a link to do just that:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml

HTH

Jon

How and where would I configure split tunneling. Could that perhaps fix this problem?

I think what's happening here is that the VPN connection is using the default gateway of the remote network?

Am I right in saying that?

Brad

I might have misunderstood your requirements. This is what I thought you needed:

Site A is your main site.

Site B is a remote site that connects to Site A via a VPN tunnel.

Site C is another remote site that connects to Site A via VPN.

You now need a user at Site B to be able to talk to Site C via Site A. Is this correct?

Split tunneling is about sending some traffic down the VPN tunnel but not other traffic, and is more to do with client VPNs than site-to-site VPNs.

So when the user at Site B wants to talk to a machine at Site C, do you want it to go via your Site A through the VPN tunnels? If you do, the document I pointed you to should allow you to set this up.

If you need something else please let me know.

Jon

In a manner of speaking you are correct.

Site A - My network

Site B - Remote site connecting to Site A via ADSL using VPN Tunnel

Site C - Client network connecting to Site A via diginet line.

The goal here is to get Site B connected to a host on Site C via Site A.

The common thing here is Site A. We have access set up on Site A to connect to all sites including Site C.

Therefore when the ADSL router makes the VPN tunnel / connection to Site A it's as if Site B is now on Site A's network. Therefore Site B should technically be able to connect to a host on Site C... but it ain't working like that...

Site B users have to create a 2nd VPN connection from their Windows workstations, and only then are they able to connect to hosts on Site C.

You all still with me? What the problem is?

OK Brad, I understand the requirement.

Can you clarify whether the clients at Site B are using client VPNs on their laptops or whether the VPN is a site-to-site VPN from the remote router to Site A.

Also if you could post the config of Site A vpn device that would help.

Jon

The router (B) creates a site (B)-to-site (A) VPN connection. What I have tried is to make a separate VPN connection from the user PC (Windows based) and this still did not work. The connection still times out.

When I do a trace to the host (Site C) I am trying to connect to, it goes via the Internet and not via the VPN connection to Site A.

Is this an access-list issue?

Site A is using a Cisco 2650 through which all my VPN connections come in.

Do you still want the config for Site A?

Brad

If a trace goes via the Internet then yes, you will need to modify the access-lists on your devices.

On site B router you will have to add Site C subnets to the crypto map access-list.

On site C router you will need to add Site B subnets to the crypto map access-list.

On Site A you will need to update both crypto access-lists for both Site B & Site C.

HTH

Jon

Are you referring to the SDM_RMAP statements?

Brad

Sorry, never used SDM. What I'm referring to is that in your config on the routers there will be some crypto map entries. Under the crypto map statement there will be a "match address x" statement, x being an access-list on your router.

This is the access-list you need to change.

Jon
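To make the two posts above concrete (adding the far-side subnets to the crypto map access-lists at the spoke and the mirror-image lists at the hub, and the "match address" line that ties each list to its crypto map), here is an added Cisco IOS configuration example. It is not from this thread or from Cisco's document. Only the 172.18.44.0 (Site B) and 172.20.32.0 (Site C) networks come from the thread; the /24 masks, the hub LAN 10.0.0.0/24, the access-list, crypto map and transform-set names, the peer addresses, the Dialer0 interface and the NAT exemption list are all assumptions, and ISAKMP policy and pre-shared keys are assumed to be configured already.

```ios
! ===== Site B ADSL router (spoke) -- added example, assumed names =====
! Site B LAN 172.18.44.0/24 and Site C LAN 172.20.32.0/24 are from the
! thread (/24 assumed); hub LAN 10.0.0.0/24 and peer 198.51.100.1 are
! placeholders.
!
! Interesting traffic for the tunnel to Site A: the hub LAN *and* Site C.
! Without the second permit, Site B to Site C packets never match the
! crypto map, so they follow the default route to the Internet unencrypted,
! which is exactly what a traceroute that "goes via the Internet" shows.
ip access-list extended CRYPTO-TO-SITEA
 permit ip 172.18.44.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 172.18.44.0 0.0.0.255 172.20.32.0 0.0.0.255
!
! If this router also NATs the LAN to the Internet (assumed here), the same
! destinations must be exempted from NAT. NAT runs before the crypto check,
! so translated packets would no longer match CRYPTO-TO-SITEA.
ip access-list extended NAT-EXEMPT
 deny   ip 172.18.44.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 172.18.44.0 0.0.0.255 172.20.32.0 0.0.0.255
 permit ip 172.18.44.0 0.0.0.255 any
ip nat inside source list NAT-EXEMPT interface Dialer0 overload
!
crypto ipsec transform-set TS-SITEA esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-SITEA
 match address CRYPTO-TO-SITEA
!
! ===== Site A hub router -- the mirror image of the spoke's list =====
! Each permit is reversed: the hub encrypts hub-to-B and C-to-B traffic
! into the Site B tunnel. Peer 203.0.113.1 is a placeholder for Site B.
ip access-list extended CRYPTO-TO-SITEB
 permit ip 10.0.0.0 0.0.0.255 172.18.44.0 0.0.0.255
 permit ip 172.20.32.0 0.0.0.255 172.18.44.0 0.0.0.255
!
crypto ipsec transform-set TS-SITEB esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-SITEB
 match address CRYPTO-TO-SITEB
```

The two lists must be exact mirrors, or the SA negotiation fails for the new proxy identity. Because Site C is reached from the hub over the Diginet line rather than a second tunnel, the Site C side needs no crypto entry, but it does need a route for 172.18.44.0/24 pointing back to Site A (and no NAT in between), otherwise the replies are the half of the traffic that goes missing. If Site C were also an IPsec spoke, as the earlier advice assumed, the Site C crypto list at the hub would need the Site B subnet added in the same mirrored way.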

Thanks... I know now where to begin.

At Site A I have a 3640 which the VPN connection is made into, and I also have a PIX firewall which controls access into my network. From both devices I can ping the host on Site C. So it means that both devices can get to it.

If I do a trace to that host it goes via the WAN router (Site A) that Site C is connected to. So the routes exist and it doesn't look like I need to send it through my PIX first... right?

Brad

Is the 3640 router the one that Site C is connected to or is that a different router?

Jon
