Hope these aren't stupid questions, but here goes, some background first: I have a PIX 515 6.3(5) at head office; remote sites are 1720's or
1750's running a flavor of 12.1 (due to memory shortage, cannot upgrade) connected via site to site VPNs to this PIX. I have 3 questions that I can't seem to sort out. Please help me if you know the answers:
- Can I use BGP with the 1700s over this VPN to my network of routers that are on the internal network? Are there any caveats in this situation? My Internal routers are connected via Frame/Wireless/dedicated lines to a 3640 on the internal network, and are already successfully running BGP?
- How can I route traffic from one remote VPN site to another remote VPN site. I have added the appropriate subnets to the crypto ACL on each router, and added entries to the NAT 0 ACL, but still can't route between VPN subnets. Any idea what else is needed? The VPN remote sites can all successfully route to the other internal(non VPN) WAN sites.
- Currently I have to bounce these VPN remote site users off an internal proxy in order to allow them to browse the internet. This is a problem for me as squid is not passing the credentials to our Websense server, preventing me from tracking usage of individuals, as they all appear to be the same user to Websense. Is there a PIX rule where traffic can't go back out the same interface it came in on? I seem to remember something like this, but can't find the info again. Is there a workaround to this situation? Something I'm missing?
thanks tical