mnm327
0 pts. | Apr 7 2005 11:34AM GMT
If both sites are on the same subnet then they will never communicate through the PIX when talking to each other, therefore they will never use the VPN you’ve built. If you want to set up a VPN between the two sites, they will need to be on different subnets so that their traffic gets routed through the PIX.
rgoulding
0 pts. | Apr 8 2005 3:33AM GMT
This is what I thought at first, but I saw examples of people with other firewalls that have done this, just not on the PIX. They seemed to use L2TP on top of the VPN, I think. However, you wouldn’t think it would be so hard just to forward all the broadcasts across the VPN, as that is all that is required?
Incidentally, I don’t need to do this now as I have managed to sort it out on a different subnet. The original reason I couldn’t do this was due to some politics within the company!
Thanks for your help.
TR1947
0 pts. | Apr 9 2005 3:01PM GMT
When both sender and destination IP numbers are on the same subnet (as determined by the subnet mask on the sender machine), the only broadcast will be the ARP request from the sender. If there is no response to that ARP, the sender will not try to send anything to the default route (the PIX). So unless the PIX is set up to do proxy ARP by responding with its MAC for any IP, it will not see anything sent from the sender host to be able to send it through the VPN.
You need to configure the PIX as a layer 2 device so that it can respond to every ARP with its own MAC. It will then receive all traffic and forward what is not directly local through the VPN. The PIX will need to create an ARP table for all IPs on both sides of the VPN to be able to do this. This will also mean that all local traffic is transmitted twice, slowing down everything.
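The forwarding decision described in this thread, as an added illustration that is not from any poster: a sender compares the destination against its own subnet mask and either ARPs for the destination directly (so the PIX never sees the packet) or ARPs for its default gateway. The host addresses, mask lengths and gateway address below are constructed sample values.

```python
import ipaddress


def next_hop(src_ip: str, prefix_len: int, dst_ip: str, gateway_ip: str) -> dict:
    """Decide how a host at src_ip/prefix_len reaches dst_ip.

    Returns the path ('direct' or 'gateway') and the address the host
    will ARP for. Only the 'gateway' case ever puts a frame on the
    firewall's MAC, so only that case can enter a site-to-site VPN.
    """
    local_net = ipaddress.ip_interface(f"{src_ip}/{prefix_len}").network
    if ipaddress.ip_address(dst_ip) in local_net:
        return {"path": "direct", "arp_for": dst_ip, "reaches_vpn": False}
    return {"path": "gateway", "arp_for": gateway_ip, "reaches_vpn": True}


def two_site_check(prefix_len: int) -> tuple:
    """Constructed scenario: a host at site A talking to a host at site B.

    Both hosts are numbered out of 192.168.1.0/24 and the PIX at site A
    is 192.168.1.1 (sample values). With a /24 mask the traffic is
    treated as local and never reaches the PIX; with a /25 mask the two
    hosts fall into different subnets and the sender ARPs for the PIX.
    """
    site_a_host, site_b_host, pix = "192.168.1.10", "192.168.1.200", "192.168.1.1"
    decision = next_hop(site_a_host, prefix_len, site_b_host, pix)
    return decision["path"], decision["arp_for"], decision["reaches_vpn"]


if __name__ == "__main__":
    for plen in (24, 25):
        print(f"/{plen}:", two_site_check(plen))
```

Running it shows `/24` resolving to a direct ARP for the remote host (no answer, no VPN), while `/25` resolves to an ARP for the PIX, matching the advice to renumber the sites onto different subnets.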