Can a remote client (Network C) VPN intothrough router a Pix (Network A) and access Network B

Can a remote client (Network C) VPN into a Pix (Network A) and access network b

Network A = Local LAN 10.100.100.0
Network B  Remote LAN 10.200.200.0
Networks A and B connected by 1700 routers
Have a PIX 501 on network A for internet


I can ping network B from the Pix inside interface (network A)
I can NOT access anything from network B when connected to the VPN (Network C)
Internet and Network A access works with the default gateway being the router through the VPN

Heres the configs

1700 Router


interface FastEthernet0
 description XXXXXXX - XXXXXX
 ip address 10.100.100.254 255.255.255.0
 ip broadcast-address 10.100.100.255
 ip helper-address 10.200.200.1
 no ip mroute-cache
 speed 100
 full-duplex
!
interface Serial0
 description To XXXXXXXXX
 bandwidth 56
 ip address 10.250.250.38 255.255.255.252
 no ip mroute-cache
 fair-queue
!
router eigrp 100
 network 10.0.0.0
 auto-summary
 no eigrp log-neighbor-changes
!
no ip classless
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 10.100.100.252
no ip http server
!
logging 10.200.200.1
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 deny   any
snmp-server community reymon RO


PIX




fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 10.100.100.0 255.255.255.0 10.0.0.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.0 255.255.255.224
access-list outside_cryptomap_dyn_40 permit ip any 10.0.0.0 255.255.255.224
access-list 101 permit ip 10.100.100.0 255.255.255.0 10.0.0.0 255.255.255.224
ip local pool RemoteVPN 10.0.0.10-10.0.0.20
pdm location 0.0.0.0 0.0.0.0 inside
pdm location 10.100.100.0 255.255.255.0 inside
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
route inside 10.200.200.0 255.255.255.0 10.100.100.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNClient address-pool RemoteVPN
vpngroup VPNClient dns-server 4.2.2.1 4.2.2.2
vpngroup VPNClient split-tunnel 101
vpngroup VPNClient idle-time 1800
williaj2Asked:
Who is Participating?
 
Jody LemoineNetwork ArchitectCommented:
Unfortunately, this isn't going to work on the PIX.  What you're trying to do is have the device route traffic from a VPN tunnel out across another VPN tunnel on the same interface.  The PIX 501 just doesn't have this capability.  If you reversed the roles and had the 1700 as your hub, this wouldn't be a problem though.  The 1700 is a router and can handle this sort of thing where the PIX can't.
0
 
3nerdsCommented:
Just a quick question here as i am coming to the same conclusion as Jody but I figured it would be easier to ask a couple of questions.

Network setup:

Network B (1700) ----> Network A (1700)--->(ASA)---> Internet (VPN) ---> Network C (1700)

What type of connection is between the 1700 at network connection A and the 1700 at Network B? Alos if this drawing is inaccurate please update it.

Regards,

3nerds
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.