Subject: [c-nsp] VPN tunnel between two PIXes with VPN Clients
From: Tony Mucker (To@tonymucker.com)
Date: Jan 20, 2005 8:49:35 pm
List: net.nether.puck.cisco-nsp

Hello again,

I'm to connect our other office's PIX with ours via an IPSEC tunnel. Both of the PIXes also have VPN clients connected to each. After this is completed, my boss wants to be able to offer our users the ability to VPN into either PIX. It looks something like this:

VPN Clients West ----- PIX West ----- PIX East ----- VPN Clients East

The actual configuration is straightforward enough. My question is, will VPN Clients West be able to pass traffic through PIX West and into PIX East's network (accessing servers or something), and can VPN Clients East do the same for PIX West's network?

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml

That's the Cisco doc on configuring PIX-to-PIX-to-PIX IPSec (hub and spoke), which looks like this:

        PIX Central
          /      \
       PIX2      PIX3

In this config example from Cisco, it specifically states that "The two outlying networks [PIX2 and PIX3] will not be able to communicate with each other by going through the central PIX because the PIX will not route traffic received on one interface back out the same interface."

IIRC, what they're describing is called Router-on-a-stick, which the PIX does not do (this I know from firsthand experience). In my first example, traffic from VPN Clients West would travel to PIX West's outside interface, and then be routed out again through that outside interface to PIX East. The same thing would again happen in reverse, if VPN Clients East were trying to access PIX West's network.

So, is there any way to get this setup working? Or will those users wanting to access resources behind PIX East need to VPN into PIX East?

Thanks again, Tony
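The forwarding rule Tony quotes from the Cisco document ("the PIX will not route traffic received on one interface back out the same interface") can be modelled to check which paths in the West/East topology survive it. The following is an added illustration, not code from the post or from Cisco; the addresses (West LAN 10.1.0.0/16, East LAN 10.2.0.0/16, client pools 10.101.0.0/24 and 10.102.0.0/24), the interface names and the `Pix` class are all constructed assumptions. It models only the same-interface (hairpin) check and a longest-prefix route lookup; crypto maps, NAT and access lists are left out.

```python
from ipaddress import ip_address, ip_network

HAIRPIN = "hairpin: egress interface equals ingress interface"


class Pix:
    """Toy model of a PIX that refuses to send a packet back out its ingress interface."""

    def __init__(self, name, routes):
        self.name = name
        # routes: (prefix, egress interface); longest prefix match wins
        self.routes = [(ip_network(prefix), iface) for prefix, iface in routes]

    def egress(self, dst):
        """Longest-prefix lookup of the interface a destination is reached through."""
        addr = ip_address(dst)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, ingress, dst):
        """Decide what happens to a packet for dst that arrived on ingress."""
        out = self.egress(dst)
        if out is None:
            return ("drop", "no route")
        if out == ingress:
            # This is the behaviour the Cisco hub-and-spoke note describes.
            return ("drop", HAIRPIN)
        return ("forward", out)


def trace(dst, hops):
    """Walk a packet for dst through (pix, ingress interface) hops; stop at the first drop."""
    log = []
    for pix, ingress in hops:
        action, detail = pix.forward(ingress, dst)
        log.append(f"{pix.name}: in={ingress} -> {action} ({detail})")
        if action == "drop":
            return False, log
    return True, log


# Constructed topology: VPN clients terminate on each PIX's outside interface,
# and the site-to-site tunnel to the other office also leaves via outside.
PIX_WEST = Pix("PIX West", [
    ("10.1.0.0/16", "inside"),      # West LAN
    ("10.2.0.0/16", "outside"),     # East LAN, via the tunnel
    ("10.101.0.0/24", "outside"),   # VPN Clients West pool
    ("10.102.0.0/24", "outside"),   # VPN Clients East pool, via the tunnel
    ("0.0.0.0/0", "outside"),
])
PIX_EAST = Pix("PIX East", [
    ("10.2.0.0/16", "inside"),
    ("10.1.0.0/16", "outside"),
    ("10.102.0.0/24", "outside"),
    ("10.101.0.0/24", "outside"),
    ("0.0.0.0/0", "outside"),
])


def west_client_to_east_lan():
    # VPN Clients West -> PIX West (outside) -> PIX East (outside) -> East LAN host
    return trace("10.2.0.5", [(PIX_WEST, "outside"), (PIX_EAST, "outside")])


def west_client_to_west_lan():
    # VPN Clients West -> PIX West (outside) -> West LAN host
    return trace("10.1.0.5", [(PIX_WEST, "outside")])


def west_lan_to_east_lan():
    # Plain site-to-site: West LAN host -> PIX West (inside) -> PIX East (outside) -> East LAN
    return trace("10.2.0.5", [(PIX_WEST, "inside"), (PIX_EAST, "outside")])


if __name__ == "__main__":
    for name, fn in [("west client -> east LAN", west_client_to_east_lan),
                     ("west client -> west LAN", west_client_to_west_lan),
                     ("west LAN -> east LAN", west_lan_to_east_lan)]:
        ok, log = fn()
        print(f"{name}: {'delivered' if ok else 'DROPPED'}")
        for line in log:
            print("   ", line)
```

Running it shows the asymmetry in the question: the site-to-site path and the client-to-local-LAN path both pass, while the client-to-remote-LAN path is dropped at PIX West because the tunnel egress is the same outside interface the client traffic arrived on.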