Can a PIX use a AAA server that is on the other side of its own IPSec tunnel?
Posted by shahidsheikh....com on March 5th, 2006


This is what I have:

AAA Server (main office) <---> PIX 515 <--- IPSec tunnel ---> PIX 501
<--> Satellite office

My question is can the PIX 501 use the AAA server thru the tunnel? I
have a couple of users that use the Cisco VPN client to connect to the
515 and get authenticated using the AAA server. But all the resources
they use are in the Satellite office and I would like them to just
establish the VPN to the 501.

Thanks,

Shahid

Posted by Walter Roberson on March 5th, 2006


In article <1141533233.705545.266560@v46g2000cwv.googlegroups.com>,
shahidsheikh....com <shahidsheikh10@yahoo.com> wrote:
In theory, Yes. I believe I've seen a cisco configuration example
for that case (but I'm not sure I could find it now.)

Posted by Merv on March 5th, 2006


Here is a Cisco example of passing SNMP and syslog over a PIX VPN
tunnel.

See no reason why AAA could not use a similar setup.

Monitoring Cisco Secure PIX Firewall Using SNMP and Syslog Through VPN
Tunnel
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094469.shtml

Posted by shahidsheikh....com on March 8th, 2006


Thanks for the replies. So far I have been unable to make it work. It
works if I let the traffic go unencrypted between the remote PIX and
the AAA server, but as soon as I add the respective source and
destination IPs in my access list to be protected by the crypto map it
quits working.

Will have to do some sniffing and troubleshooting to see what I'm doing
wrong.

Thanks,

Shahid

Posted by Tosh on March 8th, 2006


Have you tried with:
management-access inside ?
Bye,
Max.



Posted by Merv on March 8th, 2006


try using the capture command on the PIX closest to the AAA server to
capture the AAA packets.

You can set up an access list to go along with the capture command so
that the capture can be restricted to just the AAA packets.
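Added example (not from the thread or from Cisco): a PIX 6.x capture on the 515's inside interface restricted to the 501's AAA packets, as Merv describes. The addresses, the interface names, RADIUS on UDP 1645/1812 and the 501's inside IP as the source of its AAA requests are assumptions for this illustration.

```cisco
! Constructed placeholder addresses for this example only:
!   10.1.1.10    AAA (RADIUS) server at the main office, behind the PIX 515
!   10.2.2.1     inside interface of the remote PIX 501 (assumed source of its AAA requests)
!   203.0.113.1  outside interface of the PIX 515
!   203.0.113.2  outside interface of the PIX 501
!
! Match only RADIUS authentication, both directions (legacy port 1645 and standard 1812).
! For TACACS+ match "tcp ... eq 49" instead.
access-list aaa_cap permit udp host 10.2.2.1 host 10.1.1.10 eq 1645
access-list aaa_cap permit udp host 10.2.2.1 host 10.1.1.10 eq 1812
access-list aaa_cap permit udp host 10.1.1.10 eq 1645 host 10.2.2.1
access-list aaa_cap permit udp host 10.1.1.10 eq 1812 host 10.2.2.1
!
! Capture on the 515's inside interface: this is cleartext after the tunnel
! has decrypted it, so AAA packets seen here have made it through the crypto map.
capture aaa_in access-list aaa_cap interface inside
!
! If aaa_in stays empty, capture ESP on the outside to tell "the 501 never
! encrypted the request" apart from "the 515 received it but did not forward it".
access-list esp_from_501 permit esp host 203.0.113.2 host 203.0.113.1
capture esp_out access-list esp_from_501 interface outside
!
! Inspect and clean up:
show capture aaa_in
show capture esp_out
show crypto ipsec sa
no capture aaa_in
no capture esp_out
```

In `show crypto ipsec sa`, compare the `#pkts encaps`/`#pkts decaps` counters on each PIX while a user authenticates: encaps rising on the 501 but no decaps on the 515 points at the tunnel, while no encaps at all on the 501 means its own AAA traffic is not being matched by the crypto map.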