Can a PIX 501 pass data from remote VPN users over a second site-to-site VPN ?

Posted on 2006-07-21
Medium Priority
Last Modified: 2010-04-12
Over the years, I have had reasonable, but basic exposure to setting up a number of VPNs.

However, these have EITHER been site-to-site OR Remote users into an HQ. I now have the following scenario:-

Currently setting up a new UK office, for which we have installed a PIX 501. We have established a working site-to-site VPN with the head office back in the States (to a 515E) and also have established working Remote User VPNs into the UK office.

However, what is also needed is for the Remote Users to access BOTH the UK AND USA networks at the same time (e.g. for File-and-print access to the UK LAN, whilst also picking up emails from the Exchange server on the USA LAN).

Is this possible ? Ideally, we do not want the UK Remote Users to connect to the USA PIX directly, due to load and licensing issues.

Other factors that may be pertinent are that the remote users typically have either Mac Powerbooks or various smartphones, so we are not using the Cisco Easy VPN Client.

I am led to believe that this had previously been successfully achieved in the old UK office (using a Netopia ADSL router). However, the guy that set that up is no longer around and the new office does not allow direct ADSL access (it is a managed suite with an ethernet interface into the landlord's own router).

Any help or guidance would be greatly appreciated, as we are up against the clock to get it completed.
Question by:horatio_too
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
LVL 20

Accepted Solution

calvinetter earned 2000 total points
ID: 17153442
>Can a PIX 501 pass data from remote VPN users over a second site-to-site VPN
  No, but a 515e can IF it's running 7.x code.  The 6.x series software found on the 501 will *not* allow VPN traffic to enter & exit the same interface (aka "hairpinning" or the "VPN U-turn"), but 7.x series will.

>we do not want the UK Remote Users to connect to the USA PIX directly, due to load and licensing issues.
  If you can't connect directly to the 515e in the US, then I suggest you upgrade your 501 to a 515e with 7.x code.  This would allow you do have a site-to-site VPN to the US site, & will allow the UK VPN users to do the "hairpinning" to the US site.

  If getting a local 515 is out of the question, are you able to setup a Windows Terminal Server at your UK site? That way your UK users use client VPN to get into the 501 & connect to the TS server, from there they'll be able to connect to resources in the US office via the site-site VPN.

LVL 20

Expert Comment

ID: 17153478
I assume if you're using the 501 that you won't ever require >9 simultaneous VPN users, since this model only supports 10 IPSec peers -> 9 VPN clients + the site-site VPN in your case.  And if you do use the max # of VPN clients, if the 501 is passing a lot of traffic, it may not be able to handle the load.  Another reason to consider moving up to a 515e, not to mention the fact that a 515e w/ 7.x code will avoid the VPN limitations of the 6.x series, & as a bonus you'll get a whole truckload of new features with 7.x.

LVL 79

Expert Comment

ID: 17157301
Yo - calvinetter! Haven't seen you 'round these parts lately. Good to have you back!
LVL 20

Expert Comment

ID: 17158818
Thanks lrmoore!  "The gods noticed me!"  Been *very* busy finishing up some time-consuming network projects.


Author Comment

ID: 17159206

Many thanks for your swift and detailed reply, which confirmed the results of my own testing and research.

Thanks too, for the idea about a Terminal Server - it's really good to see somebody go 'the extra mile' in trying to provide a solution to the "underlying" problem.

Unfortunately, budget almost certainly means that putting either a 515e or a TS box into the UK office is a non starter.

Therefore, we are left with trying to make the best of the 501. Worst-case, there should not be more than 4-5 simultaneous VPN tunnels, so hopefully loading on it will not be too much of an issue.

For remote access, we will work on persuading our US colleagues to allow UK remote access to the HQ 515e. Unfortunately, their network engineer is now on vacation for a couple of weeks, so we will have to muddle through for a while.

I have (quite rightly) accepted your answer, but one last question. The HQ network engineer has been using the Cisco Easy VPN client to set up PC access to the HQ VPN. Do you happen to know if there is an equivalent product for Macs and if so, what parameters I will need to extract from my US colleagues ? From what I have seen of standard Mac VPNs, they appear to use PPTP with virtually NO configuration !


Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Overview Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question