Suggestions for a VPN peer intranet with remote VPN clients?
We have a geographically distributed environment: two physical locations and several remote employees. Employees need access to servers on both physical networks. Our idea was to establish a VPN between the two physical locations, and employees would connect to either physical location to access resources in that location OR the other location.
The two offices have SDSL, and we've set up a PIX 506 on either network to act as the firewall and VPN device. We've got a static VPN between the two locations using pre-shared keys, and that's working fine (each location can "see" servers at the other location).
Now we want to add VPN clients. When a client (using Cisco VPN Client 3.1.1) connects to either PIX, it can see servers on the network it connected to. But the problem is that it can't see servers on the other side of the PIX-to-PIX VPN.
I've been told by support that this is expected, because the PIX is not a router. My question is: what can be done to make it work? Is it possible to add some sort of router to allow clients to see the remote peer network?
Hopefully somebody else has already done this for other geographically-distributed offices, so I'd appreciate any advice you have. We're a small company, so a low-cost solution that (hopefully) leverages our existing PIX 506 investment is important.
Re: Suggestions for a VPN peer intranet with remote VPN clients?
I was informed by one of the Cisco SEs in the UK that the limitation is caused by the IPsec specification. He said that any encrypted packet coming into an interface that is decrypted cannot then be sent back out of the same interface. In your case (and in a few others I've come across) this would mean that the packet cannot then be sent back through the outside interface across the LAN-to-LAN VPN.
I haven't had time to check the RFCs for this; I'd like some more information on this myself, especially if you don't agree with it.
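To make the reply's point concrete, here is a small model of the path a packet takes from a connected remote-access client to a host behind the other site's PIX. This is an added example, not code or configuration from the thread, and the addresses, the client pool and the crypto ACLs are constructed assumptions. It models the general IPsec behaviour that interesting traffic is selected by the crypto ACL on both gateways, plus a switch for whether the firewall lets a packet that was decrypted on the outside interface leave through that same interface (the hairpin the reply describes); it does not claim which PIX models or software versions offer such a switch.

```python
from ipaddress import ip_network, ip_address

# Constructed topology (assumed, not from the post): site A LAN behind PIX-A,
# site B LAN behind PIX-B, and remote-access clients that connect to PIX-A
# and receive addresses from POOL.
SITE_A = ip_network("10.1.0.0/24")
SITE_B = ip_network("10.2.0.0/24")
POOL = ip_network("10.9.0.0/24")


def acl_match(acl, src, dst):
    """True if (src, dst) hits an entry of a crypto ACL.

    A crypto ACL is modelled as a list of (src_net, dst_net) pairs; this is
    the 'interesting traffic' selection every IPsec gateway performs before
    deciding to encrypt a packet towards a peer.
    """
    src, dst = ip_address(src), ip_address(dst)
    return any(src in s and dst in d for s, d in acl)


def client_path(dst, cfg):
    """Walk one packet from a VPN client (address in POOL) towards dst.

    Returns (reached, detail): each place the packet can be dropped is
    checked in the order it is met on the wire.
    """
    src = cfg["client_addr"]
    d = ip_address(dst)

    # 1. The client only puts destinations from its split-tunnel list into
    #    the tunnel; anything else goes to its local default gateway.
    if not any(d in n for n in cfg["split_tunnel_nets"]):
        return (False, "client: destination not in split-tunnel list")

    # 2. PIX-A decrypts the packet on its outside interface.
    if d in SITE_A:
        return (True, "PIX-A inside")
    if d not in SITE_B:
        return (False, "PIX-A: no route")

    # 3. Site B is only reachable back out of the outside interface, the one
    #    the packet was just decrypted on: the hairpin the reply describes.
    if not cfg["intra_interface"]:
        return (False, "PIX-A: decrypted on outside, cannot exit outside (hairpin blocked)")

    # 4. Even when hairpinning is allowed, the L2L crypto ACL on PIX-A must
    #    select pool -> site B, otherwise the packet follows the default
    #    route unencrypted instead of entering the L2L tunnel.
    if not acl_match(cfg["pix_a_crypto_acl"], src, dst):
        return (False, "PIX-A: pool -> site B not in L2L crypto ACL")

    # 5. PIX-B needs the mirrored entry (site B -> pool) so the replies are
    #    tunnelled back instead of being dropped or routed in the clear.
    if not acl_match(cfg["pix_b_crypto_acl"], dst, src):
        return (False, "PIX-B: site B -> pool not in L2L crypto ACL")

    return (True, "PIX-B inside via L2L tunnel")


# Configuration as described in the question: the L2L crypto ACLs only cover
# the two office LANs, and the firewall does not hairpin decrypted traffic.
AS_POSTED = {
    "client_addr": "10.9.0.10",
    "split_tunnel_nets": [SITE_A, SITE_B],
    "intra_interface": False,
    "pix_a_crypto_acl": [(SITE_A, SITE_B)],
    "pix_b_crypto_acl": [(SITE_B, SITE_A)],
}

# What would have to be true for clients to reach site B through PIX-A:
# hairpinning permitted and both crypto ACLs extended with the client pool.
NEEDED = {
    "client_addr": "10.9.0.10",
    "split_tunnel_nets": [SITE_A, SITE_B],
    "intra_interface": True,
    "pix_a_crypto_acl": [(SITE_A, SITE_B), (POOL, SITE_B)],
    "pix_b_crypto_acl": [(SITE_B, SITE_A), (SITE_B, POOL)],
}


if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("needed", NEEDED)):
        for host in ("10.1.0.5", "10.2.0.5"):
            print(name, host, client_path(host, cfg))
```

Running it reproduces the symptom from the question for the "as posted" configuration (site A reachable, site B blocked at step 3) and shows that removing the hairpin restriction alone is not enough: steps 4 and 5 fail until the client pool appears in the crypto ACLs on both gateways, which is also what a router terminating the clients behind the PIX would have to be covered by.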
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...