Build up a full routing capacity in PIX

I have installed several Cisco PIX in HQ and different branch offices. Say HQ ( BranchA (, Branch B ( Internet is the only WAN link connecting each branch office and HQ.

When my VPN client connects to the HQ PIX, it could only route to the server located Is there any way to configure my HQ PIX (or with any additional equipment) so that this VPN client would be able to route to the other branch offices through the HQ PIX?

My HQ is already divided into several VLANs (, in addition to If I install a local router in my HQ which allows it to route across these VLANs and my local LAN, and afterwards I install a static route on my HQ PIX, would that allow my remote Cisco VPN client to access these VLANs once it forms a tunnel with my HQ PIX?

route inside [internal router]  -> enable VPN client to VLAN1
route inside [internal router]  -> enable VPN client to VLAN2

>...any way to configure my HQ PIX... so that this VPN client would be able to route to the other branch offices through the HQ PIX
  Not if the HQ PIX is running 6.x software.  PIX versions <7.x won't allow encrypted (VPN) traffic to enter & leave the same interface.

  See below for some examples with PIX v7.x:


You may configure multiple VPN connections, one to each location, from the VPN clients.

As calvinetter said earlier, you cannot do it from a single connection unless you have a newer version of PIX.
A possible workaround, if all your PIXes are 6.x:
- set up a "fully-meshed" site-to-site VPN between all PIXes
- also configure client VPN access to all PIXes
- IF you have a Terminal Server or users have a desktop PC available at one of the locations
...They could then connect to a single location via Cisco VPN client, RDP (or PCanywhere, VNC, etc) to a workstation & from there access all other branches.

  Here's an example of a fully-meshed config between 3 sites (example uses old version 6.1, but otherwise is a good example):
  Other IPSec config examples:
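
The PIX 7.x behaviour mentioned in the first reply, as an added configuration sketch (not part of the original thread and not taken from any of the posters). It assumes a working remote-access VPN and a site-to-site tunnel to Branch A already exist on the HQ PIX; every name and address below is a constructed placeholder.

```cisco
! Constructed placeholders (assumptions, not values from the thread):
!   HQ LAN 10.1.0.0/24, Branch A LAN 10.2.0.0/24, VPN client pool 10.99.0.0/24,
!   crypto map OUTSIDE_MAP sequence 10 = existing tunnel to Branch A.

! Allow IPsec traffic to enter and leave the same (outside) interface.
! This command does not exist in 6.x.
same-security-traffic permit intra-interface

! Address pool handed to remote VPN clients.
ip local pool VPNPOOL 10.99.0.1-10.99.0.254 mask 255.255.255.0

! Site-to-site crypto ACL toward Branch A: cover the client pool as well as the HQ LAN.
access-list BRANCHA_CRYPTO extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list BRANCHA_CRYPTO extended permit ip 10.99.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address BRANCHA_CRYPTO

! Split-tunnel list: the client must send Branch A traffic into the tunnel as well.
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.2.0.0 255.255.255.0
group-policy VPNCLIENTS internal
group-policy VPNCLIENTS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Branch A PIX needs the mirror entry so that return traffic to the pool is encrypted:
!   access-list HQ_CRYPTO permit ip 10.2.0.0 255.255.255.0 10.99.0.0 255.255.255.0
!   and the same line in its NAT exemption (nat 0) access-list.
```

The pool-to-branch line in the crypto ACL is what decides which branches a remote client can reach, so list only the branch networks the clients actually need.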
