03-19-2008 10:25 AM - edited 02-21-2020 03:37 PM
My location is using a PIX 515 firewall to do both a site-to-site connection and allow remote users to VPN in to the local network. I have modified the IP addresses slightly, but in the attached configuration file, 10.20.20.0/24 is my local network, 10.30.30.0/24 is the network on the other side of the site-to-site VPN tunnel, 192.168.51.0/240 is the network for the VPN remote access users and 10.40.40.0/24 is the "network" between the PIX firewall and the local network router. Configuration is as follows: <local network> - <router> - <pix> - <Internet / VPN Site-to-Site>.
My problem is that I can successfully access computers on the 10.30.30.0 network from the 10.20.20.0 network, but I can't access 10.30.30.0 computers from the 192.168.51.0 network (although the 192.168.51.0 network can access computers on the 10.20.20.0 network).
In short, I'm trying to allow access to computers over the site-to-site VPN tunnel via users on the other side of the Remote-Access tunnel.
I have attached the running-configuration from the PIX firewall to this conversation.
Is there something I am missing?
Thanks.
03-19-2008 02:01 PM
Branin
What you are running into is a subtle restriction in the version of code that you are running. What you want to do is to have traffic come into the outside interface (as remote access VPN) and then be forwarded out the same interface (as site to site VPN). Some people refer to this as hairpinning traffic. And version 6.3.5 does not support this. Cisco introduced the ability to forward back out the same interface it was received on in version 7.0 code.
HTH
Rick
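To make the restriction concrete, here is an added example (not from this thread, nor the poster's attached configuration) of the pieces a PIX running 7.0 or later needs so that remote-access clients arriving on the outside interface can be forwarded back out the same interface into the site-to-site tunnel. The subnets are the ones named in the question (with the remote-access pool assumed to be 192.168.51.0/24); the ACL names NONAT and S2S, the crypto map name OUTSIDE_MAP, and the peer address 203.0.113.1 are placeholders, and the site-to-site lines are shown only to indicate which entry must be added, not to replace the existing map.

```text
! Added example (not the original poster's configuration). PIX 7.0+ syntax.
! Subnets: 10.20.20.0/24 local, 10.30.30.0/24 remote site, 192.168.51.0/24 RA pool (assumed).
! NONAT, S2S, OUTSIDE_MAP and 203.0.113.1 are placeholder names/values.

! 1. Permit traffic to enter and leave the same interface (the "hairpin" 6.3.5 lacks).
same-security-traffic permit intra-interface

! 2. Exempt the hairpinned flow from NAT on the interface it arrives on (outside).
access-list NONAT extended permit ip 192.168.51.0 255.255.255.0 10.30.30.0 255.255.255.0
nat (outside) 0 access-list NONAT

! 3. Add the remote-access pool to the site-to-site "interesting traffic" ACL,
!    next to the existing local-subnet entry.
access-list S2S extended permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list S2S extended permit ip 192.168.51.0 255.255.255.0 10.30.30.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address S2S
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
```

Two things to check alongside this: the far end of the site-to-site tunnel must carry the mirror-image entry (10.30.30.0/24 to 192.168.51.0/24) in its own crypto ACL, or the SA for that pair will never negotiate, and if the remote-access group uses split tunnelling, 10.30.30.0/24 has to be in its split-tunnel list so clients send that traffic through the VPN at all. After a test ping, `show crypto ipsec sa` should show the 192.168.51.0/24 to 10.30.30.0/24 pair with increasing encaps/decaps counters. Note that `same-security-traffic permit intra-interface` applies to all traffic on that interface, not just these two VPNs, so the reachable networks should still be constrained with the appropriate access lists or a vpn-filter rather than relying on the routing alone.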
03-19-2008 02:38 PM
Thank you very much. You are exactly right in what I want to do. It's unfortunate I can't do it with 6.3.5, but I will look into upgrading the PIX.
03-19-2008 07:51 PM
Branin
I am glad that my answer was helpful in identifying the issue and a potential solution. Upgrading the PIX to version 7 code has some memory requirements - so depending on the amount of memory in your PIX and on the type of license you may need to upgrade memory to be able to upgrade the code.
Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will read a response that resolved the question.
The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.
HTH
Rick