[VPN] Re: VPN ACCESS TO TWO LOCATIONS

Dana J. Dawson Dana.Dawson at qwest.com
Thu Dec 8 12:05:38 EST 2005


If the two VPN connections are both terminated in the same PIX, then  
you can't do this unless you're running the new 7.0 PIX software.  It  
sounds like that's not the case in this situation, so it should be  
possible to make it work.  The key in this case is to make sure the  
access-lists that define the local and remote networks/subnets of the  
site-to-site VPN tunnel include the users at the remote end of the  
client VPN tunnel(s).  For example, if the site-to-site VPN between  
you and the parent company is configured to allow your 192.168.1.0/24  
network to talk to their 10.1.1.0/24 network, and the VPN clients  
connecting to your PIX are getting addresses assigned from an address  
pool using 172.16.1.0/24 addresses, then you'll need to add the  
172.16.1.0/24 network to the access-lists that are configured in your  
router and the router at the parent site.  In your router, the new  
ACL line would list 172.16.1.0/24 as the source and 10.1.1.0/24 as  
the destination.  In the parent router the new access-list line will  
list 10.1.1.0/24 as the source and 172.16.1.0/24 as the destination.   
You'll also have to make sure the routing is correct at all the
involved locations and devices, since VPNs aren't "traffic
magnets".  That is, the packets to be encrypted have to already be
routed in the correct directions, as if there were no VPNs - the
encryption then happens because the packets match the crypto
access-lists that are associated with the crypto map on the outgoing
interfaces.

I hope this helps - Good luck!

Dana

---
Dana J. Dawson                     Dana.Dawson at qwest.com
Sr. Staff Engineer                 CCIE #1937
Qwest Communications               JNCIA-FWV
600 Stinson Blvd., Suite 1S
Minneapolis  MN  55413-2620

On Dec 7, 2005, at 7:55 PM, Venkat Kaushik wrote:

> We have a VPN tunnel from my company to the parent company through Cisco
> routers. It works fine for us to access their corporate network as long as
> we are in the office.
>
> We also use VPN through a PIX for the clients/users to access our network
> from outside.
>
> Now I want to connect to the parent company through our company by Cisco
> VPN client, i.e., from outside, using the Cisco VPN client, I connect to
> the corporate network; once I am in our network I want to reach the parent
> network (intranet). It is not working.
> The parent company told me to disable split-tunneling, which I did; still
> not working. Is this configuration possible? If so, what do I need to
> change?
>
> thanks
>
> Venkat
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
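The conditions Dana lists (correct routing toward the crypto-map interface, a local crypto ACL entry, and a mirror-image entry on the parent's router) can be modelled and checked offline. The following is an added example, not code from the thread or from Cisco: it parses IOS-style crypto access-list lines for the addresses discussed above (192.168.1.0/24 office LAN, 172.16.1.0/24 VPN client pool, 10.1.1.0/24 parent network) and shows the "before" configuration failing for a VPN client while the "after" configuration, with the pool added on both ends, passes. The interface names, the route table and the simplified proxy-identity model (the remote ACL must permit the reversed flow) are assumptions made for the illustration.

```python
import ipaddress

# Constructed crypto ACLs in Cisco IOS syntax, using the addresses from the thread.
# Interface names and the route table below are assumptions for illustration only.
LOCAL_ACL_BEFORE = """
permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
PARENT_ACL_BEFORE = """
permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# After the fix: the VPN client pool is added as a mirrored pair of entries.
LOCAL_ACL_AFTER = LOCAL_ACL_BEFORE + "permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255\n"
PARENT_ACL_AFTER = PARENT_ACL_BEFORE + "permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255\n"

# Assumed routing table on the local router: (destination prefix, outgoing interface).
LOCAL_ROUTES = [
    ("0.0.0.0/0", "Serial0/0"),             # default route toward the parent peer
    ("192.168.1.0/24", "FastEthernet0/0"),  # office LAN
    ("172.16.1.0/24", "FastEthernet0/0"),   # VPN client pool, reached via the PIX on the LAN
]
CRYPTO_MAP_INTERFACE = "Serial0/0"          # assumed: the interface carrying "crypto map"


def _parse_operand(tokens):
    """Consume one ACL address operand: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard masks are inverted netmasks; only contiguous masks are handled here.
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    net = ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)
    return net, tokens[2:]


def parse_crypto_acl(text):
    """Return the (source, destination) network pairs the ACL selects for encryption."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "permit" or tokens[1] != "ip":
            continue  # blank lines, comments and deny entries select no traffic
        src, rest = _parse_operand(tokens[2:])
        dst, _ = _parse_operand(rest)
        entries.append((src, dst))
    return entries


def acl_permits(entries, src_ip, dst_ip):
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(src in s and dst in d for s, d in entries)


def route_interface(routes, dst_ip):
    """Longest-prefix match over the assumed route table; returns the interface or None."""
    dst = ipaddress.IPv4Address(dst_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def check_flow(local_acl, remote_acl, routes, crypto_iface, src_ip, dst_ip):
    """Model of the three conditions a packet must meet to ride the site-to-site tunnel:
    it is routed out the crypto-map interface ("VPNs aren't traffic magnets"), the
    local crypto ACL matches it, and the remote crypto ACL matches the reversed flow
    so the peer accepts the proxy identities and encrypts the return traffic."""
    local, remote = parse_crypto_acl(local_acl), parse_crypto_acl(remote_acl)
    result = {
        "routed_to_crypto_interface": route_interface(routes, dst_ip) == crypto_iface,
        "local_acl_match": acl_permits(local, src_ip, dst_ip),
        "remote_acl_mirror_match": acl_permits(remote, dst_ip, src_ip),
    }
    result["encrypted"] = all(result.values())
    return result


if __name__ == "__main__":
    for label, l_acl, p_acl in (("before", LOCAL_ACL_BEFORE, PARENT_ACL_BEFORE),
                                ("after", LOCAL_ACL_AFTER, PARENT_ACL_AFTER)):
        # An office host and a VPN client from the pool, both talking to a parent host.
        for src in ("192.168.1.10", "172.16.1.10"):
            print(label, src, "-> 10.1.1.5",
                  check_flow(l_acl, p_acl, LOCAL_ROUTES, CRYPTO_MAP_INTERFACE, src, "10.1.1.5"))
```

Running the script prints, for each configuration, which of the three checks fails for the VPN client: with the "before" ACLs only the office host is carried, and adding the pool to just one router still fails because the other end does not permit the mirrored flow.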
