LAN-to-LAN involving PIX and VPN

Apparently this isn't a widely used setup?

I have 2 offices...

Office 1 - PIX 515e with DMZ card - VPN 3005 Concentrator connected to the DMZ card

Office 2 - PIX 515e - VPN 3005 Concentrator

I have a LAN-to-LAN setup between the 2 sites, both VPNs can ping each other, I've added routing to the PIXs (as they're the network's default route) to route all the other office's traffic to the VPN Concentrator first.

The problem I have is that the routing doesn't work. It appears that from Office 2, the packets go from the client, to the PIX, the PIX then does PAT translation before sending them to the VPN, where the VPN has no idea what to do with the packets which now have an external IP.

In reverse, the problem could be the same, however it could also be that the Office 2 network is unable to respond correctly as it can't find the correct route.

If I write a logon script (AD domain) to statically set a route on all the machines to route directly to the VPNs if needed, everything will work fine... but should I have to do this? I would like to think that there's a nice clean way of accomplishing this without making a static change on every machine.

I've probably been a bit too vague with my setup above, let me know if you need things clearing up. I've followed the Cisco guides for setting up the LAN-to-LAN, and this is all functioning correctly, everything seems to be doing its job properly, it's just the machines can't find the correct route to take, and packets are getting lost...

Many thanks in advance for any help...

Chris K

Reply to
Chris Kranz

In article , Chris Kranz wrote:
:The problem I have is that the routing doesn't work. It appears that
:from Office 2, the packets go from the client, to the PIX, the PIX then
:does PAT translation before sending them to the VPN, where the VPN has
:no idea what to do with the packets which now have an external IP.

Why not use nat 0 access-list to disable that address translation ?

Reply to
Walter Roberson

In article , Chris Kranz wrote:
:Walter Roberson wrote:
:> Why not use nat 0 access-list to disable that address translation ?

:Will this work as all traffic routing out of the PIX into the VPN is
:coming out of the public interface?

Yes.

:Does it not have to perform some sort of translation?

The -outer- packet will have your public IP on it, but the encapsulated packet would use the original private IPs. The outer packet layer is transparent for this purpose (except for some fine points having to do with ACLs on some IOS routers.)

Reply to
Walter Roberson
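As an added illustration of the nat 0 access-list suggestion above (example configuration written for this page, not posted by either participant and not taken from the Cisco guides), here is a PIX 6.x-style fragment for the Office 1 side, using the layout Chris describes: LAN on the inside interface, concentrator's private interface on the DMZ card. All addresses, access-list names and the interface assignments are assumptions; the "before" block shows the configuration that produces the PAT symptom, the "after" block exempts the site-to-site traffic.

```cisco
! Office 1 PIX (PIX 6.x syntax). Addressing constructed for this example:
!   inside = Office 1 LAN 10.1.0.0/16
!   dmz    = concentrator private interface 172.16.1.2 (PIX dmz side 172.16.1.1)
!   remote = Office 2 LAN 10.2.0.0/16, reached through the L2L tunnel
!
! --- Before: every flow leaving "inside" matches the catch-all nat/global
!     pair, so the concentrator receives packets sourced from the PIX's own
!     address and has no LAN-to-LAN rule that matches them ---
nat (inside) 1 0 0
global (outside) 1 interface
global (dmz) 1 interface
route dmz 10.2.0.0 255.255.0.0 172.16.1.2 1

! --- After: exempt only the private-to-private traffic from translation ---
! Match the local LAN talking to the remote LAN and nothing else.
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! nat 0 with an access-list is evaluated before the numbered nat/global
! pairs, so these flows keep their original source address whichever
! interface they leave on.
nat (inside) 0 access-list nonat
! Ordinary Internet-bound traffic is still PATed exactly as before.
nat (inside) 1 0 0
global (outside) 1 interface
global (dmz) 1 interface
! Routing, not NAT, is what sends Office 2 traffic to the concentrator.
route dmz 10.2.0.0 255.255.0.0 172.16.1.2 1
! Return traffic arrives on the lower-security dmz interface from the
! concentrator's private side and must be permitted inbound explicitly.
! Keep the permit narrow: remote LAN to local LAN only.
access-list dmz_in permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group dmz_in in interface dmz
```

The Office 2 PIX gets the mirror image (10.2.0.0/16 to 10.1.0.0/16 in its nonat list, and a route for 10.1.0.0/16 pointing at its own concentrator on whichever interface that concentrator hangs off). Two checks worth doing after the change: on PIX 6.x existing translations survive a NAT change, so run `clear xlate` once, and then confirm with `show xlate` that no entry is created for a host in 10.1.0.0/16 talking to 10.2.0.0/16 while Internet-bound flows still show their PAT entries. Note that nat 0 only stops the address rewrite; the interface the packet leaves on is decided by the route statement, so it does not by itself send anything back through a different interface.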

Will this work as all traffic routing out of the PIX into the VPN is coming out of the public interface? Does it not have to perform some sort of translation? Will this force it to route back through the private interface?

Sorry for the questions, my only Cisco knowledge is what I've taught myself from these machines in the past 6 months...

Reply to
Chris Kranz
