04-30-2003 09:17 AM - edited 02-21-2020 12:30 PM
Hi
I have a central site with a VPN 3030 Concentrator; off this I have a LAN-to-LAN VPN working to site (A). I also have a remote access VPN working.
What I am trying to do is get the client to dial in through the remote access VPN, then pass down the LAN-to-LAN VPN to get to site (A).
I have modified all the NAS lists on the Concentrator and all the ACLs on the site (A) PIX.
My findings so far are:
1) The remote client creates a VPN connection with the 3030 Concentrator and gets an address assigned from a pool (remote access VPN established).
2) The remote client pings a box in site (A).
3) The ping packet passes down the remote access VPN to the 3030 Concentrator, then over the LAN-to-LAN VPN to site (A); the ICMP packet gets decrypted by the PIX and the box then replies to the ICMP packet.
4) The packet then leaves the PIX at site (A), encrypted, back up the LAN-to-LAN connection to the 3030 Concentrator in the central site.
5) It stops here: the 3030 Concentrator does not forward the ICMP packet up the remote access VPN to the remote client.
How I established that the ICMP packet was getting from the remote client to site (A) through the 3030 Concentrator in the central site, and from site (A) back to the 3030 Concentrator in the central site: I checked the SA encrypted and SA decrypted counters. From these I can see the ICMP packets getting to site (A) and leaving site (A).
Also, the ACL incremented on the PIX in site (A) for ICMP for that IP. I do not have the sysopt connection permit-ipsec command enabled on the PIX at site (A), so the VPN is bound to an access-list.
So I cannot get the Concentrator to forward the packet back out the public interface to the remote access VPN user.
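To make the PIX side of the description above concrete, here is an added illustration (not the poster's configuration, and not a fix for the Concentrator problem described) of what "the VPN is bound to an access-list" means on a PIX 6.x: with sysopt connection permit-ipsec turned off, traffic decrypted from the LAN-to-LAN tunnel is still checked against the inbound ACL on the outside interface, so the remote-access pool needs an explicit entry there, and the hit count on that entry is the evidence that echo requests are arriving. The addresses (10.1.0.0/24 for site A, 10.0.0.0/24 for the central site, 172.16.100.0/24 for the Concentrator's remote-access pool) and the names L2L_CRYPTO, OUTSIDE_IN and VPNMAP are assumed for the example.

```text
! Assumed addressing for this illustration (not from the thread):
!   site (A) LAN                      10.1.0.0/24
!   central-site LAN                  10.0.0.0/24
!   Concentrator remote-access pool   172.16.100.0/24
!
! Crypto ACL for the LAN-to-LAN tunnel. The pool is listed as a remote
! network so that replies to a remote-access client are encrypted back
! toward the Concentrator instead of being routed in the clear.
access-list L2L_CRYPTO permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list L2L_CRYPTO permit ip 10.1.0.0 255.255.255.0 172.16.100.0 255.255.255.0
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address L2L_CRYPTO
crypto map VPNMAP interface outside
!
! sysopt connection permit-ipsec is off, so decrypted tunnel traffic is
! subject to the outside interface ACL like any other inbound traffic.
! Echo requests from the remote-access pool therefore need this entry.
no sysopt connection permit-ipsec
access-list OUTSIDE_IN permit icmp 172.16.100.0 255.255.255.0 10.1.0.0 255.255.255.0 echo
access-group OUTSIDE_IN in interface outside
!
! Checks used in the description above:
!   hitcnt on the OUTSIDE_IN icmp line  -> echo requests arriving from the pool
!   #pkts encaps / #pkts decaps per SA  -> replies leaving site (A) in the tunnel
show access-list OUTSIDE_IN
show crypto ipsec sa
```

Both show commands are read-only, so they can be run while a client ping is in progress; if hitcnt rises on the echo line and the SA encaps counter rises at the same rate, the PIX side is behaving as the description says, and the missing hop is on the Concentrator's return path.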
05-01-2003 04:42 AM
Hi Rick
I appreciate it probably took you a fair time to write all that description. My answer, trying not to be glib: have you actively allowed ping replies to travel back out of the external-facing PIX?
cheers
Steve
05-01-2003 05:27 AM
Hi
Mate, yep, thanks for that, but I have allowed all the ICMP traffic through the firewalls. As I said, the packet gets back to the Concentrator and then will not go up the remote access VPN to the client.
If you have any more, please help.
Thanks mate
Rick :-)