[Last Call] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 198
  • Last Modified:

Build up a full routing capaciity in PIX

I have installed several Cisco PIX in HQ and different branch offices. Say HQ ( BranchA (, Branch B ( Internet is the only WAN link connecting each Branchs office and HQ.

When my VPN client connecting ot HQ PIX, it could only route to the server located Is there any way to configure my HQ PIX (or additional with any equipment) so that this VPN client could able to route to other Branch office through the HQ PIX.

My HQ has already divided in serveral VLAN. (, inaddition to If I install a local router on my HQ which could allow it to route across these VLANs and my local lan. Afterwards, I install a static route in my HQ PIX. Could then allow my remote Cisco VPN client to access these VLAN once they form a tunnel with my  HQ PIX ?

route inside [internal router]  -> enable VPN client to VLAN1
route inside [internal router]  -> enable VPN client to VLAN2
  • 2
3 Solutions
>...any way to configure my HQ PIX... so that this VPN client could able to route to other Branch office through the HQ PIX
  Not if the HQ PIX is running 6.x software.  PIX versions <7.x won't allow encrypted (VPN) traffic to enter & leave the same interface.

  See below for some examples with PIX v7.x:

You may configure multiple VPN connection, one to each location from the VPN Clients.

As calvinetter  said earlier, you can not do it from the single connection, unles you have newer version of PIX.
A possible workaround, if all your PIXes are 6.x:
- setup a "fully-meshed" site-to-site VPN between all PIXes
- also configure client VPN access to all PIXes
- IF you have a Terminal Server or users have a desktop PC available at one of the locations
...They could then connect to a single location via Cisco VPN client, RDP (or PCanywhere, VNC, etc) to a workstation & from there access all other branches.

  Here's an example of a fully-meshed config between 3 sites (example uses old version 6.1, but otherwise is a good example):
  Other IPSec config examples:


Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now