Need Site to Site VPN Help. How to route to a network not directly connected through VPN

I don't think this should be too hard, but I have a general question. I set up a Site to Site VPN between a Pix 515 and Pix 501 (Easy Enough). The hard part is getting the internal networks to talk. The network the PCs are on connects to a Proxy Server, which then connects to the PIX 515. The PC network is 10.1.0.0/16 and the Proxy Server has an interface on that LAN, and the network directly connected to the PIX 515 (192.168.100.0/24) as well. The remote LAN that I'm trying to access is 10.4.1.0/24. My ACL for NONAT is set up between 10.1.0.0 and 10.4.1.0. I'm not sure if I have to NONAT between 192.168.100.0 and 10.4.1.0, and then add a route into the Proxy Server, or if I keep it the way I have, and then add some sort of "route inside or outside" command to the PIX. Any help would be greatly appreciated. A diagram of the config can be found here:
formatting link
THANKS for the HELP!
Evolution

You'll need a router behind the PIX on the internal network and point the routes on the PIX to the router on the inside.

Chuck

Charles U Farley

Yes. The traffic that leaves the ESAFE Proxy is 192.168.100.3 so that is the IP address that will be trying to access 10.4.1/24.

You won't need any "route" statement for what you have described.

However, your diagram indicates that you need full access from 10.1/16 to 10.4.1/24. To me, that implies that you want 10.1/16 to go -directly- to 10.4.1/24 instead of having all the activity proxied through the ESafe Proxy at 192.168.100.3.

If you want to somehow bypass the ESAFE Proxy when going to 10.4.1/24 then you will need a LAN router to cross-connect the PIX and the PCs without going through ESAFE, or else you will need to configure ESAFE to pass those particular packets on unchanged; either way, you -would- want a route inside statement on the PIX that pointed 10.1/16 destination traffic through the router (first case) or ESAFE box (second case).

Walter Roberson
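
The two cases from the reply above, written out as PIX 6.x-style configuration for the PIX 515. This is an added example, not part of the original thread. The interface name `inside`, the ACL names `nonat` and `vpn-501`, and the bracketed crypto map name, sequence number and LAN router address are assumptions or placeholders; the subnets and 192.168.100.3 come from the posts.

```text
: Added illustration, not from the thread. Lines starting with ":" are annotations.
: Assumed names: interface "inside", ACLs "nonat" and "vpn-501".
:
: --- Case 1: everything is proxied, so the PIX sees source 192.168.100.3 ---
: Exempt proxy-side traffic to the remote LAN from NAT.
access-list nonat permit ip 192.168.100.0 255.255.255.0 10.4.1.0 255.255.255.0
nat (inside) 0 access-list nonat
: The tunnel's interesting-traffic ACL has to match the same source/destination.
access-list vpn-501 permit ip 192.168.100.0 255.255.255.0 10.4.1.0 255.255.255.0
crypto map <crypto-map-name> <seq> match address vpn-501
: No route statement: 192.168.100.0/24 is directly connected to the PIX 515.
: The PIX 501 needs the mirror image (10.4.1.0/24 -> 192.168.100.0/24).
:
: --- Case 2: 10.1/16 reaches 10.4.1/24 without being proxied ---
: Packets now arrive with their real 10.1.x.x source addresses.
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list vpn-501 permit ip 10.1.0.0 255.255.0.0 10.4.1.0 255.255.255.0
: Return traffic for 10.1/16 needs a next hop on the inside network:
:   first case  - a LAN router (address is a placeholder):
route inside 10.1.0.0 255.255.0.0 <lan-router-ip> 1
:   second case - the ESAFE box passing those packets unchanged
:   (use this line instead of the one above):
: route inside 10.1.0.0 255.255.0.0 192.168.100.3 1
: The PIX 501 needs the mirror image (10.4.1.0/24 -> 10.1.0.0/16).
```

Keeping both ACLs limited to these specific subnets means only the intended LAN-to-LAN traffic is exempted from NAT and sent into the tunnel.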
