This is an unusuall setup that is beyond my understanding of VPN tunnels and ACL's.
The network that I'm working with is shared by two organizations that use one PIX (506E) for inet access.
Organization A uses the native lan (192.168.1.0 Inside)
Organization B is on the same network but behind an 1811 which has 2 WAN interfaces one pointing to the PIX (192.168.1.2) for Inet access and one pointing to a 128k secure private network (X.X.X.X)
The users behind the 1811 are on the native vlan 192.168 0.0 and wish to deploy a site to site VPN either from the PIX to a VPN concentrator or through the PIX from the 1811 to the the VPN concentrator using the inet T1 attached to the PIX.
My question is: Can I pass a site to site VPN tunnel originating on the 1811 through the PIX to the VPN server
(3000 series concentrator) and still have remote VPN client access to the PIX? ( I'm fairly certain I can't since I'll have to enable IPSEC pass through and therefore VPN remote clients won't work)
or
Can I set up a site to site VPN using the PIX with an ACL that will only encrypt traffic originating from the 1811 VLAN (192.168.0.0)?
One more important note is that I'm using PAT on the PIX for all outbound traffic since I have limited IP's (5)
This can be rectified but from what I've read has a bearing on what I want to do here.
I'm sure this sounds somewhat ridiculous using an 1811 behind a 506E but this is what the customer has and I have to work with. It is primarily due to the additional private WAN that organization B uses.
Any help would be greatly appreciated.
If I get some more time I'll post a link to a Visio of the networks to make it easier to see what I'm attempting to accomplish.
Thanks
The network that I'm working with is shared by two organizations that use one PIX (506E) for inet access.
Organization A uses the native lan (192.168.1.0 Inside)
Organization B is on the same network but behind an 1811 which has 2 WAN interfaces one pointing to the PIX (192.168.1.2) for Inet access and one pointing to a 128k secure private network (X.X.X.X)
The users behind the 1811 are on the native vlan 192.168 0.0 and wish to deploy a site to site VPN either from the PIX to a VPN concentrator or through the PIX from the 1811 to the the VPN concentrator using the inet T1 attached to the PIX.
My question is: Can I pass a site to site VPN tunnel originating on the 1811 through the PIX to the VPN server
(3000 series concentrator) and still have remote VPN client access to the PIX? ( I'm fairly certain I can't since I'll have to enable IPSEC pass through and therefore VPN remote clients won't work)
or
Can I set up a site to site VPN using the PIX with an ACL that will only encrypt traffic originating from the 1811 VLAN (192.168.0.0)?
One more important note is that I'm using PAT on the PIX for all outbound traffic since I have limited IP's (5)
This can be rectified but from what I've read has a bearing on what I want to do here.
I'm sure this sounds somewhat ridiculous using an 1811 behind a 506E but this is what the customer has and I have to work with. It is primarily due to the additional private WAN that organization B uses.
Any help would be greatly appreciated.
If I get some more time I'll post a link to a Visio of the networks to make it easier to see what I'm attempting to accomplish.
Thanks