Cannot pass traffic destined for another network through VPN

Unanswered Question
May 14th, 2007
User Badges:


I've configured a VPN between 2 offices. I can send data from the head office to the remote office. My problem is that the remote office needs to connect to other offices though the head office. Please see the attachments for the 2 route configs (ABC-Cardiff = head office, ABC-Swansea= remote office).

Users in the remote office 10.41.X.X need to connect to servers in another office 10.10.X.X through the cardiff office 10.40.X.X.

Can anyone advise me how to edit the configs to allow the remote office access to all networks. A traceroute from the remote office to shows that the traffic isn;t going down the VPN connection.

If any of this doesn't make sense please let me know and I will be happy to provide further info.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
bwilmoth Fri, 05/18/2007 - 05:38
User Badges:
  • Silver, 250 points or more

It looks like you are trying to setup Hub and spoke VPN.

Hub-and-spoke topology is not supported in PIX version 6.x because version 6.x does not redirect traffic back out the same interface it was received on.

This feature is also known as traffic redirection or hairpinning and is supported in PIX version 7.x.

Refer this link for config:


The first reply is technically correct if you had two VPN sites connected to your head office, and wanted to establish connections between the two vpn sites.

Thats certainly my scenario.

Your scenario, your VPN is only configured to match the traffic for the 10.4x. networks.

At your head office you route via

You need to ensure your ACL's 100 and 101 permit and deny the traffic to the same way your currently doing between 10.40 and 10.41

Hope that helps

PS - on both ends!!!


This Discussion