Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Suggestions for a VPN peer intranet with remote VPN clients?

Unanswered Question
Nov 5th, 2001
User Badges:

We have a geographically distributed environment: two physical locations and several remote employees. Employees need access to servers on both physical networks. Our idea was to establish a VPN between the two physical locations, and employees would connect to either physical location to access resources in that location OR the other location.

The two offices have SDSL, and we've setup a PIX 506 on either network to act as the firewall and VPN device. We've got a static VPN between the two locations using pre-shared keys, and that's working fine (each location can "see" servers at the other location).

Now we want to add VPN clients. When a client (using Cisco VPN Client 3.1.1) connects to either PIX, it can see servers on the network it connected to. But the problem is that it can't see servers on the other side of the PIX-to-PIX VPN.

I've been told by support that this is expected, because the PIX is not a router. My question is: what can be done to make it work? Is it possible to add some sort of router to allow clients to see the remote peer network?

Hopefully somebody else has already done this for other geographically-distributed offices, so I'd appreciate any advice you have. We're a small company, so a low-cost solution that (hopefully) leverages our existing PIX 506 investment is important.

Thanks in advance!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
rjphillips Tue, 11/13/2001 - 04:55
User Badges:


I was informed by one of the Cisco SE's in the UK that the limitation is caused by the IPSec specification. He said that any encrypted packet coming into an interface that is decrypted can then not be send back out of the same interface. In your case (and in a few others I've come across) this would mean that packet can then not be send back through the outside interface across the Lan2Lan VPN.

I haven't had time to check the RFC's for this,I'd some more information on this myself, especially if you don't agree with it.


rtzen Wed, 11/14/2001 - 15:20
User Badges:

Would adding a VPN Concentrator and having clients connect to that device (instead of the PIX) solve the problem?


This Discussion