Thanks in advance for any help offered.
I am trying to work around the lack of hairpinning on the PIX501 by using an internal 1721 router that serves as an IPSEC headend for VPN clients. Here is what I am trying:
Remote users with Cisco VPN client (v4.7 or 4.8) connect to a 1721 router that is sitting behind the PIX501. This works fine. (I have a NAT for the router and access-list allowing ESP and UDP 500 and 10000).
The PIX 501 has a working site-to-site tunnel with a 3rd party. That works fine.
I need the ability for the remote users to connect to servers at the 3rd party site. Since the PIX501 won't support hairpinning, I can't have remote users connect to the PIX and then out to the 3rd party.
The expected traffic flow would be:
remote - PIX - 1721 - PIX - 3rd party
Of course, I wouldn't be posting here if I could get it to work. I have seen it done before, so I am sure it is possible, but I am missing something in my config.
I have nat-traversal enabled on the PIX and the needed static routes. My ACL for the site-to-site tunnel does include the remote user network as a permitted source. The packets are routed from the remote client to the PIX, but not into the tunnel.
"sho ipsec sa" on the PIX shows no packets from the remote users being encrypted (for the tunnel to the 3rd party).
Any ideas? Thanks in advance.