Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX to PIX to VPN-client question

I've got 2 pix 506 with release 6.3

Setup with a pix to pix vpn and each pix is configured for vpn-clients using cisco vpn dialer 3.5.1

Everything is working fine!


Is it possible for vpn-clients who are connecting to pix-a to reach the network behind pix-b over the pix to pix vpn connecting? If so how can I configure it?

If it's not possible what type of equipment do I need to implement this?


Stefan van Merrienboer



Re: PIX to PIX to VPN-client question

It should be possible to fo that. I am not too sure if additional configuration is required. You might want to check this list of sample configurations.


Re: PIX to PIX to VPN-client question

It is my understanding with the PIX Firewalls that you cannot send IPSec traffic out the same interface that it received IPSec traffic on.

That is, if I connect to PIX-A using the VPN client, I will not be able to access resources behind PIX-B over the VPN tunnel between PIX-A and PIX-B.

The way I have circumvented this issue, is to have a host behind PIX-A that I can remotely attach to, a Windows box running Terminal Services, or a Unix/Linux box running SSH. I attach to that host over my client VPN connection, and then from that host, I access the resources behind PIX-B.

Hope this helps.

New Member

Re: PIX to PIX to VPN-client question

try split-tunneling

Good luck !


Re: PIX to PIX to VPN-client question

you cannot do this with a pix. the only solution (hack), is to have a multiple interface pix for site a, and configure the site to site tunnel to terminate on the non outside interface (this is an interface that in theory is higher security than the outside one, but you muck around so that it acts more like a secondary outside interface).

this solution requires a 515 at a minimum, to have a 3rd interface, or to use vlan interfaces.

apparently, cisco is working on a software solution for 7.0 pix os. pix do not allow packets to leave the interface they came in on - in your environment, vpn clients send packets to pix a's outside int. they would then need to leave that interface and go to pix b,which is not allowed by pix os.

CreatePlease to create content