VPN Tunnel over VPN Tunnel

braninl29
Level 1

My location is using a PIX 515 firewall to do both a site-to-site connection and allow remote users to VPN in to the local network. I have modified the IP addresses slightly, but in the attached configuration file, 10.20.20.0/24 is my local network, 10.30.30.0/24 is the network on the other side of the site-to-site VPN tunnel, 192.168.51.0/24 is the network for the VPN remote access users and 10.40.40.0/24 is the "network" between the PIX firewall and the local network router. Configuration is as follows: <local network> - <router> - <pix> - <Internet / VPN Site-to-Site>.

My problem is that I can successfully access computers on the 10.30.30.0 network from the 10.20.20.0 network, but I can't access 10.30.30.0 computers from the 192.168.51.0 network (although the 192.168.51.0 network can access computers on the 10.20.20.0 network).

In short, I'm trying to allow access to computers over the site-to-site VPN tunnel via users on the other side of the Remote-Access tunnel.

I have attached the running-configuration from the PIX firewall to this conversation.

Is there something I am missing?

Thanks.

Accepted Solution

Richard Burts
Hall of Fame

Branin

What you are running into is a subtle restriction in the version of code that you are running. What you want to do is to have traffic come into the outside interface (as remote access VPN) and then be forwarded out the same interface (as site to site VPN). Some people refer to this as hairpinning traffic. And version 6.3.5 does not support this. Cisco introduced the ability to forward back out the same interface it was received on in version 7.0 code.

HTH

Rick

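A way to audit a PIX/ASA running-config for the three things Rick's answer implies a working remote-access-to-site-to-site hairpin needs (an added example, not code from the thread or from Cisco): on 7.0 or later code, `same-security-traffic permit intra-interface` must be present, and both the crypto ACL bound to the site-to-site crypto map and the NAT-exemption (`nat 0`) ACL must cover the remote-access pool to the remote LAN. The two config snippets are constructed for this example using the address blocks from the original post (192.168.51.0/24 remote-access pool, 10.30.30.0/24 remote LAN); the function names are my own and only `permit ip <net> <mask> <net> <mask>` ACL entries are parsed.

```python
"""Audit a PIX/ASA running-config for remote-access -> site-to-site hairpin prerequisites.

Added example; the config text below is constructed, not the poster's attached config.
"""
import ipaddress
import re

# 'access-list NAME [extended] permit ip SRC SMASK DST DMASK'
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

# Constructed: what a 6.3.5 box looks like with the ACLs already widened for the RA pool.
# The ACLs are right, but the code cannot send traffic back out the interface it came in on.
PIX_635 = """\
access-list nonat permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list nonat permit ip 192.168.51.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list l2l permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list l2l permit ip 192.168.51.0 255.255.255.0 10.30.30.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 10 match address l2l
"""

# Constructed: the same policy on 7.0+ code with intra-interface hairpinning enabled.
PIX_70 = "same-security-traffic permit intra-interface\n" + PIX_635.replace(
    "permit ip", "extended permit ip"
)


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, sa, sm, da, dm = m.groups()
            acls.setdefault(name, []).append((_net(sa, sm), _net(da, dm)))
    return acls


def acl_covers(entries, src, dst):
    """True if some ACL entry matches the whole src -> dst pair."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def hairpin_ready(config, ra_pool, remote_lan):
    """Check the three prerequisites; every value must be True for the hairpin to work."""
    src, dst = ipaddress.ip_network(ra_pool), ipaddress.ip_network(remote_lan)
    acls = parse_acls(config)
    crypto_names = re.findall(r"crypto map \S+ \d+ match address (\S+)", config)
    nat0_names = re.findall(r"nat \(\S+\) 0 access-list (\S+)", config)
    return {
        "intra_interface": "same-security-traffic permit intra-interface" in config,
        "crypto_acl": any(acl_covers(acls.get(n, []), src, dst) for n in crypto_names),
        "nat_exempt": any(acl_covers(acls.get(n, []), src, dst) for n in nat0_names),
    }


if __name__ == "__main__":
    for label, cfg in (("6.3.5", PIX_635), ("7.0", PIX_70)):
        result = hairpin_ready(cfg, "192.168.51.0/24", "10.30.30.0/24")
        missing = [k for k, ok in result.items() if not ok]
        print(f"{label}: {'ready' if not missing else 'missing ' + ', '.join(missing)}")
```

The 6.3.5 sample fails only the `intra_interface` check, which matches the thread: the ACLs can be made correct on 6.3.5, but the hairpin itself needs 7.0 code. Note that the check only looks for the command string and does not know the running version, so run it against a config taken from the box after the upgrade.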

3 Replies

Thank you very much. You are exactly right in what I want to do. It's unfortunate I can't do it with 6.3.5, but I will look into upgrading the PIX.

Branin

I am glad that my answer was helpful in identifying the issue and a potential solution. Upgrading the PIX to version 7 code has some memory requirements - so depending on the amount of memory in your PIX and on the type of license you may need to upgrade memory to be able to upgrade the code.

Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will read a response that resolved the question.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick