Pix 515 with two ADSL Routers

I have a VPN working perfectly with a central office PIX 515, and five remote offices PIX 501. I also have several Cisco VPN Software Mobile Clients. There is one ADSL router in each office.

Now, i want to add another ADSL Router in the Central office in order to separate VPN traffic and Internet traffic from the central office. So , what i need is all the VPN traffic through Router A, and the rest through Router B.

I was thinking of setting in the PIX 515 static routes to the 5 remote offices private ip range through one of the routers (Router A),  and the default gateway through Router B.

Will this be enough? Do i need static routes to the public IP's of every remote offices?

What about the Mobile Clients? Will it work if i add static routes to the IP pools assigned to them? Anything else needed?

I forgot to mention that if i have this VPN working just fine, is 75% thanks to Esperts Exchange (ok, 25% thanks to me :).

Who is Participating?
lrmooreConnect With a Mentor Commented:
> Do i need static routes to the public IP's of every remote offices?
Yes, you need static routes for both the remote lan and for the public IP of each and every office to point to router A

 route outside <LAN subnet remote1> <ip router A>
 route outside <public ip of remote1> <ip router A>
 route outside <public ip of remote2> <ip router A>
 route outside <LAN subnet remote2> <ip router A>
 route outside <ip router B>

>What about the Mobile Clients? Will it work if i add static routes to the IP pools assigned to them? Anything else needed?
Ah, this is the challenge. Unless you know the home IP public IP address and create a static route entry for each remote user, then they will continue to use the current Router B because that's the default.

Big question - are you getting both router A and router B public IP's in the same subnet? You can only assign a single public IP to the PIX outside interface, so all three will have to be in the same IP subnet.

If you wait long enough, the new PIX 7.0 lets you create GRE tunnels to the remotes and then you can use dynamic routing within the GRE tunnels. It's available for the 515 today, but not for the little 506 or 501's.. 7.1 "lite" is just around the corner...


Sounds like a good plan. Check out this link. http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080089909.html#wp10289

You need static routes to the subnets behind the 501's, the routers will know which public IP address to send the packets to in order to get to the appropriate LAN. Make sense? Mobile clients?
I don;t see the relevence of that question. They plug in, wherever, get an IP and the routers and firewalls do their thing. Nothing else to do there.


A network map would help. I'm wondering what offices have servers, and how the connections at the central office to the Internet are.

> 7.1 "lite" is just around the corner...
Good to know - thanks.

llandajuelaAuthor Commented:
Thank you guys for your answers !

Let's see, to lrmoore, as usual your answers are very useful. Im afraid i will not be able to have a list of the public IPs used by the mobile clients, they move around a lot. It's ok, their traffic is not that important, ill be happy if i can separate at least the remote offices' traffic.

About the public IP's of Router A and B, no they're not in the same subnet. But Both routers are performing NAT (well, what Cisco calls PAT). So private IP's of Routers A and B, and the outside interface of the PIX are on the same subnet (private range).

To matthew

No servers are in the remote offices, just two servers in the central one.

Remote office 1       Remote Office 2    .....

Internal LAN             ....
  PIX 501
  Router ADSL
  |            |
  |               |
  |                   |
  |                       |
  Router A      Router B
        |               |
        |               |
           PIX 515
           Internal LAN

       Central Office

Ok.  Just

 route outside <ip router B>

should do the trick; the VPN config should take care of continuing to route everything else through router A.

Proviso: are any servers at teh central office accessed OTHER than over the VPN?  I'm assuming not.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.