Internet traffic through site-to-site VPN

Unanswered Question
Mar 6th, 2007


I have a site-to-site VPN (office A & office B) set up. The VPN tunnel is running fine. What I want to achieve now is to have all the internet traffic pass through the tunnel from office B to A. So office B will be my gateway for all the traffic. So if I am in office A I can use the internet through office B via the VPN.

Do you have any ideas or configuration examples to do this?

Kamal Malhotra Tue, 03/06/2007 - 08:03


This is possible depending on the topology and the hardware/software of the tunnel endpoints (device A and B). So please let us know what hardware and software is being used for tunnel termination on each end, especially on Site A, so that we can suggest something.



rtmnl4300 Tue, 03/06/2007 - 08:17


I forgot to mention that I am using 2 PIX 506 with 6.3(5) software on each site.

Here is also the config of office A

rtmnl4300 Tue, 03/06/2007 - 08:37

OK, so software 6 will not help me with this; I need to upgrade to software 7, right?

Can the 506 series take software 7?

Or my other option is to use the VPN client and do split tunneling from office A?

acomiskey Tue, 03/06/2007 - 08:45

The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.0.

Second part of your question, what do you want to accomplish?

rtmnl4300 Tue, 03/06/2007 - 09:00

OK, so the only thing that I can do is to configure the remote access VPN on the 506 PIX in office B. So the user will be able to use the internet with the VPN client. Is this possible with the VPN client ver. 4.6?

acomiskey Tue, 03/06/2007 - 09:03

They should be able to get to the internet with the tunnel in place. It just won't be bouncing off the head end pix.

Kamal Malhotra Tue, 03/06/2007 - 08:51


You need to configure a regular LAN to LAN tunnel. You will not be able to redirect the internet traffic from a PIX 506 running 6.3.5. However if you have a proxy server behind the PIX B then you will be able to redirect it from the proxy server. Please be informed that it will be the HTTP traffic only in that case. If this is how you wanna go about it then you need to configure destination 'any' in the PIX A's crypto ACL and 'any' as source in the PIX B's crypto ACL.

If you don't have the proxy server, then you need to define specific subnets in the crypto ACL on each end.


Please rate if it helps.
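The two crypto ACL layouts described in the reply above, written out as an added example that is not part of the original thread. The subnets (192.168.1.0/24 for office A, 192.168.2.0/24 for office B), the ACL names and the crypto map name and sequence number are assumptions; substitute the values from the existing tunnel configuration.

```cisco
: ---- Variant 1: proxy server on office B's LAN (HTTP only) ----
: PIX A: destination 'any', so everything leaving office A's LAN
: is selected for encryption towards PIX B.
access-list vpn-to-b permit ip 192.168.1.0 255.255.255.0 any
crypto map s2s 10 match address vpn-to-b

: PIX B: the mirror image, 'any' as source.
: The two crypto ACLs must mirror each other or the IPsec SAs
: will not be negotiated.
access-list vpn-to-a permit ip any 192.168.1.0 255.255.255.0
crypto map s2s 10 match address vpn-to-a

: ---- Variant 2: no proxy server, specific subnets only ----
: PIX A: only traffic for office B's LAN enters the tunnel.
access-list vpn-to-b permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map s2s 10 match address vpn-to-b

: PIX B: mirror image of the ACL on PIX A.
access-list vpn-to-a permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map s2s 10 match address vpn-to-a
```

In variant 1 the browsers in office A are pointed at the proxy's address on office B's LAN, and the proxy makes the outbound HTTP requests through PIX B.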



