My location is using a PIX 515 firewall to both provide a site-to-site connection and allow remote users to VPN into the local network. I have modified the IP addresses slightly, but in the attached configuration file, 10.20.20.0/24 is my local network, 10.30.30.0/24 is the network on the other side of the site-to-site VPN tunnel, 192.168.51.0/240 is the network for the VPN remote access users and 10.40.40.0/24 is the "network" between the PIX firewall and the local network router. The layout is as follows: <local network> - <router> - <pix> - <Internet / VPN Site-to-Site>.
My problem is that I can successfully access computers on the 10.30.30.0 network from the 10.20.20.0 network, but I can't access 10.30.30.0 computers from the 192.168.51.0 network (although the 192.168.51.0 network can access computers on the 10.20.20.0 network).
In short, I'm trying to allow access to computers over the site-to-site VPN tunnel via users on the other side of the Remote-Access tunnel.
I have attached the running-configuration from the PIX firewall to this conversation.
Is there something I am missing?
What you are running into is a subtle restriction in the version of code that you are running. What you want to do is to have traffic come into the outside interface (as remote-access VPN) and then be forwarded out the same interface (as site-to-site VPN). Some people refer to this as hairpinning traffic, and version 6.3.5 does not support this. Cisco introduced the ability to forward traffic back out the same interface it was received on in version 7.0 code.
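An added illustration, not part of either post and not the questioner's configuration: on 7.0-or-later PIX/ASA code the hairpin described above is switched on with `same-security-traffic permit intra-interface`, and the site-to-site crypto ACL and NAT exemption must also name the remote-access pool. The access-list and crypto-map names below are assumed, the pool is taken as 192.168.51.0/24, and the far-end device is assumed to carry the mirror-image crypto ACL entries.

```cisco
! Allow traffic that arrives on the outside interface to be sent back out
! the same interface (hairpinning). This command does not exist on 6.3 code.
same-security-traffic permit intra-interface

! Site-to-site interesting-traffic ACL (name assumed). The remote-access pool
! must be listed alongside the local LAN, or the tunnel never carries it.
access-list L2L_TRAFFIC extended permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list L2L_TRAFFIC extended permit ip 192.168.51.0 255.255.255.0 10.30.30.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC

! NAT exemption for hairpinned traffic that enters and leaves on outside
! (ACL name assumed), so the pool addresses are not translated on the way out.
access-list NONAT_OUTSIDE extended permit ip 192.168.51.0 255.255.255.0 10.30.30.0 255.255.255.0
nat (outside) 0 access-list NONAT_OUTSIDE

! Only if the remote-access group uses split tunnelling: the split list
! (name assumed) must also include the far-side network.
access-list SPLIT_TUNNEL standard permit 10.30.30.0 255.255.255.0
```

Check the result with `show crypto ipsec sa` on both peers: a hairpinned session should show a security association whose selectors are 192.168.51.0/24 and 10.30.30.0/24, with encaps and decaps counters both increasing.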