Can a PIX 501 pass data from remote VPN users over a second site-to-site VPN ?

Over the years, I have had reasonable, but basic exposure to setting up a number of VPNs.

However, these have EITHER been site-to-site OR Remote users into an HQ. I now have the following scenario:-

Currently setting up a new UK office, for which we have installed a PIX 501. We have established a working site-to-site VPN with the head office back in the States (to a 515E) and also have established working Remote User VPNs into the UK office.

However, what is also needed is for the Remote Users to access BOTH the UK AND USA networks at the same time (e.g. for File-and-print access to the UK LAN, whilst also picking up emails from the Exchange server on the USA LAN).

Is this possible ? Ideally, we do not want the UK Remote Users to connect to the USA PIX directly, due to load and licensing issues.

Other factors that may be pertinent are that the remote users typically have either Mac Powerbooks or various smartphones, so we are not using the Cisco Easy VPN Client.

I am led to believe that this had previously been successfully achieved in the old UK office (using a Netopia ADSL router). However, the guy that set that up is no longer around and the new office does not allow direct ADSL access (it is a managed suite with an ethernet interface into the landlord's own router).

Any help or guidance would be greatly appreciated, as we are up against the clock to get it completed.
Who is Participating?
calvinetterConnect With a Mentor Commented:
>Can a PIX 501 pass data from remote VPN users over a second site-to-site VPN
  No, but a 515e can IF it's running 7.x code.  The 6.x series software found on the 501 will *not* allow VPN traffic to enter & exit the same interface (aka "hairpinning" or the "VPN U-turn"), but 7.x series will.

>we do not want the UK Remote Users to connect to the USA PIX directly, due to load and licensing issues.
  If you can't connect directly to the 515e in the US, then I suggest you upgrade your 501 to a 515e with 7.x code.  This would allow you do have a site-to-site VPN to the US site, & will allow the UK VPN users to do the "hairpinning" to the US site.

  If getting a local 515 is out of the question, are you able to setup a Windows Terminal Server at your UK site? That way your UK users use client VPN to get into the 501 & connect to the TS server, from there they'll be able to connect to resources in the US office via the site-site VPN.

I assume if you're using the 501 that you won't ever require >9 simultaneous VPN users, since this model only supports 10 IPSec peers -> 9 VPN clients + the site-site VPN in your case.  And if you do use the max # of VPN clients, if the 501 is passing a lot of traffic, it may not be able to handle the load.  Another reason to consider moving up to a 515e, not to mention the fact that a 515e w/ 7.x code will avoid the VPN limitations of the 6.x series, & as a bonus you'll get a whole truckload of new features with 7.x.

Yo - calvinetter! Haven't seen you 'round these parts lately. Good to have you back!
Thanks lrmoore!  "The gods noticed me!"  Been *very* busy finishing up some time-consuming network projects.

horatio_tooAuthor Commented:

Many thanks for your swift and detailed reply, which confirmed the results of my own testing and research.

Thanks too, for the idea about a Terminal Server - it's really good to see somebody go 'the extra mile' in trying to provide a solution to the "underlying" problem.

Unfortunately, budget almost certainly means that putting either a 515e or a TS box into the UK office is a non starter.

Therefore, we are left with trying to make the best of the 501. Worst-case, there should not be more than 4-5 simultaneous VPN tunnels, so hopefully loading on it will not be too much of an issue.

For remote access, we will work on persuading our US colleagues to allow UK remote access to the HQ 515e. Unfortunately, their network engineer is now on vacation for a couple of weeks, so we will have to muddle through for a while.

I have (quite rightly) accepted your answer, but one last question. The HQ network engineer has been using the Cisco Easy VPN client to set up PC access to the HQ VPN. Do you happen to know if there is an equivalent product for Macs and if so, what parameters I will need to extract from my US colleagues ? From what I have seen of standard Mac VPNs, they appear to use PPTP with virtually NO configuration !

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.