I have a home office and two remote sites I am setting up with VPN tunnels. My architecture is:

Home office
External router from ISP (Cisco 1700)
Internal network 192.168.1.0 255.255.255.0

Remote location 1
External router from ISP
Internal network 192.168.2.0 255.255.255.0

Remote location 2
Internal network 192.168.3.0 255.255.255.0
I have a tunnel between the three locations however I cannot communicate with servers across the tunnel. I need to backup servers at the home location to remote location 1 and need to have remote location 2 access both the home office and remote location 1 via the VPN tunnel. On the Pix units I show the tunnel as being up however I cannot see the servers on each subnet.
Most documentation (as well as the recent Cisco PIX book) I have found indicates that I do not need a router on the internal networks but I have found some references that I do. I spoke to post-sales Cisco support with the vendor I purchased the firewalls from who indicated that I do need routers internally at each location. I need to verify if this is correct or if I can configure the PIX units to allow the subnets to communicate.
On all three units I am running PIX IOS 6.2 and PDM 2.1.
No, you don't need routers at each site internally. Keep in mind that with the PIX at the head-end you won't be able to route through it from Remote1 to Remote2: the PIX won't route a packet back out the same interface it came in on, and that includes routing an IPsec packet from one tunnel back out to another. If you want to go from Remote1 to Remote2, you'll have to set up a tunnel directly between the two, so you have fully meshed tunnels between all 3 sites (see http://www.cisco.com/warp/public/110/pixmeshed.html for details).
When you say you cannot "see the servers" over the tunnel, do you mean you can't ping them, or you can't see them in Network Neighborhood? Pinging them should be simple; just make sure you set up the PIXes as shown in the sample config above (pay particular attention to your nat 0 access-list). Seeing them via MS Networking is a whole different ball game, since this relies heavily on WINS and multicast packets, which generally don't go over VPNs too well.
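For readers who want to see what "pay attention to your nat 0 access-list" means in practice, here is an added example of a PIX 6.x-style configuration for the head-end firewall in this thread's topology (home office 192.168.1.0/24 with tunnels to 192.168.2.0/24 and 192.168.3.0/24). It is not the poster's configuration or Cisco's sample; the access-list and crypto map names (nonat, to-remote1, to-remote2, vpnmap), the transform-set name, and the placeholder peer addresses and pre-shared key are assumptions chosen for illustration. The essential point is that every remote subnet must appear both in the nat 0 exemption (so the head-end does not translate traffic bound for the tunnel) and in a crypto ACL that matches the same traffic; a nat 0 list that only names one remote subnet is the usual reason a tunnel shows "up" while hosts on the other subnet stay unreachable.

```text
! --- Added example, not from the original post. PIX 6.x syntax. ---
! --- Names, peer addresses and the key are illustrative placeholders. ---

! Traffic to BOTH remote subnets must be exempted from NAT, otherwise the
! PIX translates the source address and the crypto ACL never matches.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat

! Ordinary Internet-bound traffic is still PATed on the outside interface.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! One crypto ACL per tunnel; each mirrors the matching nonat line exactly.
access-list to-remote1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list to-remote2 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

! Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-3des esp-sha-hmac

! Two crypto map entries on the same map: one per remote peer.
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address to-remote1
crypto map vpnmap 10 set peer <REMOTE1-PUBLIC-IP>
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address to-remote2
crypto map vpnmap 20 set peer <REMOTE2-PUBLIC-IP>
crypto map vpnmap 20 set transform-set strong
crypto map vpnmap interface outside

! IKE phase 1: a pre-shared key per peer, bound to that peer's address only.
isakmp enable outside
isakmp identity address
isakmp key <PRESHARED-KEY-1> address <REMOTE1-PUBLIC-IP> netmask 255.255.255.255
isakmp key <PRESHARED-KEY-2> address <REMOTE2-PUBLIC-IP> netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Each remote PIX carries the mirror image: its own subnet as the source in its nonat and crypto ACLs, the head-end as one peer, and, because the head-end will not hairpin Remote1 traffic out to Remote2, the other remote site as a second peer with its own crypto map entry and its own nonat line. That third tunnel is what turns the hub-and-spoke layout into the full mesh the answer above describes. After the change, `show crypto ipsec sa` on each unit should show packet counters incrementing for every subnet pair, not just for the pair whose tunnel was first configured.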