horatio_too
asked on
Can a PIX 501 pass data from remote VPN users over a second site-to-site VPN ?
Over the years, I have had reasonable, but basic exposure to setting up a number of VPNs.
However, these have EITHER been site-to-site OR Remote users into an HQ. I now have the following scenario:-
Currently setting up a new UK office, for which we have installed a PIX 501. We have established a working site-to-site VPN with the head office back in the States (to a 515E) and also have established working Remote User VPNs into the UK office.
However, what is also needed is for the Remote Users to access BOTH the UK AND USA networks at the same time (e.g. for File-and-print access to the UK LAN, whilst also picking up emails from the Exchange server on the USA LAN).
Is this possible ? Ideally, we do not want the UK Remote Users to connect to the USA PIX directly, due to load and licensing issues.
Other factors that may be pertinent are that the remote users typically have either Mac Powerbooks or various smartphones, so we are not using the Cisco Easy VPN Client.
I am led to believe that this had previously been successfully achieved in the old UK office (using a Netopia ADSL router). However, the guy that set that up is no longer around and the new office does not allow direct ADSL access (it is a managed suite with an ethernet interface into the landlord's own router).
Any help or guidance would be greatly appreciated, as we are up against the clock to get it completed.
However, these have EITHER been site-to-site OR Remote users into an HQ. I now have the following scenario:-
Currently setting up a new UK office, for which we have installed a PIX 501. We have established a working site-to-site VPN with the head office back in the States (to a 515E) and also have established working Remote User VPNs into the UK office.
However, what is also needed is for the Remote Users to access BOTH the UK AND USA networks at the same time (e.g. for File-and-print access to the UK LAN, whilst also picking up emails from the Exchange server on the USA LAN).
Is this possible ? Ideally, we do not want the UK Remote Users to connect to the USA PIX directly, due to load and licensing issues.
Other factors that may be pertinent are that the remote users typically have either Mac Powerbooks or various smartphones, so we are not using the Cisco Easy VPN Client.
I am led to believe that this had previously been successfully achieved in the old UK office (using a Netopia ADSL router). However, the guy that set that up is no longer around and the new office does not allow direct ADSL access (it is a managed suite with an ethernet interface into the landlord's own router).
Any help or guidance would be greatly appreciated, as we are up against the clock to get it completed.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Yo - calvinetter! Haven't seen you 'round these parts lately. Good to have you back!
Thanks lrmoore! "The gods noticed me!" Been *very* busy finishing up some time-consuming network projects.
cheers
cheers
ASKER
Calvinetter
Many thanks for your swift and detailed reply, which confirmed the results of my own testing and research.
Thanks too, for the idea about a Terminal Server - it's really good to see somebody go 'the extra mile' in trying to provide a solution to the "underlying" problem.
Unfortunately, budget almost certainly means that putting either a 515e or a TS box into the UK office is a non starter.
Therefore, we are left with trying to make the best of the 501. Worst-case, there should not be more than 4-5 simultaneous VPN tunnels, so hopefully loading on it will not be too much of an issue.
For remote access, we will work on persuading our US colleagues to allow UK remote access to the HQ 515e. Unfortunately, their network engineer is now on vacation for a couple of weeks, so we will have to muddle through for a while.
I have (quite rightly) accepted your answer, but one last question. The HQ network engineer has been using the Cisco Easy VPN client to set up PC access to the HQ VPN. Do you happen to know if there is an equivalent product for Macs and if so, what parameters I will need to extract from my US colleagues ? From what I have seen of standard Mac VPNs, they appear to use PPTP with virtually NO configuration !
Many thanks for your swift and detailed reply, which confirmed the results of my own testing and research.
Thanks too, for the idea about a Terminal Server - it's really good to see somebody go 'the extra mile' in trying to provide a solution to the "underlying" problem.
Unfortunately, budget almost certainly means that putting either a 515e or a TS box into the UK office is a non starter.
Therefore, we are left with trying to make the best of the 501. Worst-case, there should not be more than 4-5 simultaneous VPN tunnels, so hopefully loading on it will not be too much of an issue.
For remote access, we will work on persuading our US colleagues to allow UK remote access to the HQ 515e. Unfortunately, their network engineer is now on vacation for a couple of weeks, so we will have to muddle through for a while.
I have (quite rightly) accepted your answer, but one last question. The HQ network engineer has been using the Cisco Easy VPN client to set up PC access to the HQ VPN. Do you happen to know if there is an equivalent product for Macs and if so, what parameters I will need to extract from my US colleagues ? From what I have seen of standard Mac VPNs, they appear to use PPTP with virtually NO configuration !
cheers