LAN-to-LAN involving PIX and VPN

Apparently this isn't a widely used setup?

I have 2 offices...

Office 1
- PIX 515e with DMZ card
- VPN 3005 Concentrator connected to the DMZ card

Office 2
- PIX 515e
- VPN 3005 Concentrator

I have a LAN-to-LAN setup between the 2 sites, both VPN's can ping
eachother, I've added routing to the PIX's (as they're the networks
default route) to route all the other offices traffic to the VPN
Concentrator first.

The problem I have is that the routing doesn't work. It appears that
from Office 2, the packets go from the client, to the PIX, the PIX then
does PAT translation before sending them to the VPN, where the VPN has
no idea what to do with the packets which now have an external IP.

In reverse, the problem could be the same, however it could also be that
the Office 2 network is unable to respond correctly as it can't find the
correct route.

If I write a logon script (AD domain) to statically set a route on all
the machines to route directly the VPN's if needed, everything will work
fine... but should I have to do this? I would like to think that there's
a nice clean way of accomplishing this without making a static change
on every machine.

I've probably been a bit too vague with my setup above, let me know if
you need things clearing up. I've followed the Cisco guides for setting
up the LAN-to-LAN, and this is all functioning correctly, everything
seems to be doing it's job properly, it's just the machines can't find
the correct route to take, and packets are getting lost...

Many thanks in advance for any help...

Chris K

 

:The problem I have is that the routing doesn't work. It appears that
:from Office 2, the packets go from the client, to the PIX, the PIX then
:does PAT translation before sending them to the VPN, where the VPN has
:no idea what to do with the packets which now have an external IP.

Why not use nat 0 access-list to disable that address translation ?

 

Will this work as all traffic routing out of the PIX into the VPN is
coming out of the public interface? Does it not have to perform some
sort of translation? Will this force it to route back through the
private interface?

Sorry for the questions, my only Cisco knowledge is what I've taught
myself from these machines in the past 6 months...

 

:> Why not use nat 0 access-list to disable that address translation ?

:Will this work as all traffic routing out of the PIX into the VPN is
:coming out of the public interface?

Yes.

oes it not have to perform some sort of translation?

The -outer- packet will have your public IP on it, but the
encapsulated packet would use the original private IPs. The outer
packet layer is transparent for this purpose (except for some fine
points having to do with ACLs on some IOS routers.)