Solved

Can a PIX 501 pass data from remote VPN users over a second site-to-site VPN ?

Posted on 2006-07-21
5
223 Views
Last Modified: 2010-04-12
Over the years, I have had reasonable, but basic exposure to setting up a number of VPNs.

However, these have EITHER been site-to-site OR Remote users into an HQ. I now have the following scenario:-

Currently setting up a new UK office, for which we have installed a PIX 501. We have established a working site-to-site VPN with the head office back in the States (to a 515E) and also have established working Remote User VPNs into the UK office.

However, what is also needed is for the Remote Users to access BOTH the UK AND USA networks at the same time (e.g. for File-and-print access to the UK LAN, whilst also picking up emails from the Exchange server on the USA LAN).

Is this possible ? Ideally, we do not want the UK Remote Users to connect to the USA PIX directly, due to load and licensing issues.

Other factors that may be pertinent are that the remote users typically have either Mac Powerbooks or various smartphones, so we are not using the Cisco Easy VPN Client.

I am led to believe that this had previously been successfully achieved in the old UK office (using a Netopia ADSL router). However, the guy that set that up is no longer around and the new office does not allow direct ADSL access (it is a managed suite with an ethernet interface into the landlord's own router).

Any help or guidance would be greatly appreciated, as we are up against the clock to get it completed.
 
0
Comment
Question by:horatio_too
  • 3
5 Comments
 
LVL 20

Accepted Solution

by:
calvinetter earned 500 total points
Comment Utility
>Can a PIX 501 pass data from remote VPN users over a second site-to-site VPN
  No, but a 515e can IF it's running 7.x code.  The 6.x series software found on the 501 will *not* allow VPN traffic to enter & exit the same interface (aka "hairpinning" or the "VPN U-turn"), but 7.x series will.

>we do not want the UK Remote Users to connect to the USA PIX directly, due to load and licensing issues.
  If you can't connect directly to the 515e in the US, then I suggest you upgrade your 501 to a 515e with 7.x code.  This would allow you do have a site-to-site VPN to the US site, & will allow the UK VPN users to do the "hairpinning" to the US site.

  If getting a local 515 is out of the question, are you able to setup a Windows Terminal Server at your UK site? That way your UK users use client VPN to get into the 501 & connect to the TS server, from there they'll be able to connect to resources in the US office via the site-site VPN.

cheers
0
 
LVL 20

Expert Comment

by:calvinetter
Comment Utility
I assume if you're using the 501 that you won't ever require >9 simultaneous VPN users, since this model only supports 10 IPSec peers -> 9 VPN clients + the site-site VPN in your case.  And if you do use the max # of VPN clients, if the 501 is passing a lot of traffic, it may not be able to handle the load.  Another reason to consider moving up to a 515e, not to mention the fact that a 515e w/ 7.x code will avoid the VPN limitations of the 6.x series, & as a bonus you'll get a whole truckload of new features with 7.x.

cheers
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Yo - calvinetter! Haven't seen you 'round these parts lately. Good to have you back!
0
 
LVL 20

Expert Comment

by:calvinetter
Comment Utility
Thanks lrmoore!  "The gods noticed me!"  Been *very* busy finishing up some time-consuming network projects.

cheers
0
 

Author Comment

by:horatio_too
Comment Utility
Calvinetter

Many thanks for your swift and detailed reply, which confirmed the results of my own testing and research.

Thanks too, for the idea about a Terminal Server - it's really good to see somebody go 'the extra mile' in trying to provide a solution to the "underlying" problem.

Unfortunately, budget almost certainly means that putting either a 515e or a TS box into the UK office is a non starter.

Therefore, we are left with trying to make the best of the 501. Worst-case, there should not be more than 4-5 simultaneous VPN tunnels, so hopefully loading on it will not be too much of an issue.

For remote access, we will work on persuading our US colleagues to allow UK remote access to the HQ 515e. Unfortunately, their network engineer is now on vacation for a couple of weeks, so we will have to muddle through for a while.

I have (quite rightly) accepted your answer, but one last question. The HQ network engineer has been using the Cisco Easy VPN client to set up PC access to the HQ VPN. Do you happen to know if there is an equivalent product for Macs and if so, what parameters I will need to extract from my US colleagues ? From what I have seen of standard Mac VPNs, they appear to use PPTP with virtually NO configuration !





0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Overview Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case…
Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now