It is my understanding with the PIX Firewalls that you cannot send IPSec traffic out the same interface that it received IPSec traffic on.
That is, if I connect to PIX-A using the VPN client, I will not be able to access resources behind PIX-B over the VPN tunnel between PIX-A and PIX-B.
The way I have circumvented this issue is to have a host behind PIX-A that I can remotely attach to, a Windows box running Terminal Services, or a Unix/Linux box running SSH. I attach to that host over my client VPN connection, and then from that host, I access the resources behind PIX-B.
You cannot do this with a PIX. The only solution (hack) is to have a multiple-interface PIX for site A, and configure the site-to-site tunnel to terminate on the non-outside interface (this is an interface that in theory is higher security than the outside one, but you muck around so that it acts more like a secondary outside interface).
This solution requires a 515 at a minimum, to have a 3rd interface, or to use VLAN interfaces.
Apparently, Cisco is working on a software solution for 7.0 PIX OS. The PIX does not allow packets to leave the interface they came in on - in your environment, VPN clients send packets to PIX A's outside int. They would then need to leave that interface and go to PIX B, which is not allowed by PIX OS.