«

Good afternoon all. I am having a problem getting a L2L setup going
with a PIX 515 and a 3005 Concentrator.

Now, the VPN tunnel itself is not a problem...that is up and working
fine. The problem (I think) lies in the fact that the Concentrator is
not the default gateway on that side of the LAN. There is a PIX 506 in
the mix here, which that subnet uses as it's gateway.

So, for example, here is an overview of the setup:

LAN 1: 192.168.1.0/24
PIX 506 (the gateway) is: 192.168.1.254
VPN 3005 is: 192.168.1.246


LAN 2:
PIX 515 (gateway/VPN endpoint): 192.168.200.0/24


The tunnel is up and established...no problems. In the 506 PIX, I have
a route statement:

route inside 192.168.200.0 255.255.255.0 192.168.1.246 1

From that 506 PIX, I can ping PC's on the .200 subnet.

While on the .1 subnet, if I statically assign my laptop and set the
concentrator as my gateway (192.168.1.246), I can get to the .200 subnet
(remote desktop, telnet, file shares, etc)...which shows that the tunnel
is working as expected

I was thinking this may be solved by adding the NAT traversal command to
the 506 PIX, but that didn't change anything.

I realize this may be easier to do with the PIX 506 that is the gateway
of the .1 network, but that is not possible, as it does not have a
"true" outside interface. Outside in this case is 192.168.2.x as there
is a load balancer for multiple internet connections on that side.

I thought one of the main selling points of a Concentrator was that it
can be "dropped" into an existing network to do VPN, either remote or
site-to-site, no?

One caveat: I am also using the 3005 for the Cisco VPN client remote
access, which is working great, but will this mess with the L2L?

Please let me know if you need any more information to assist on this.

Thanks,

Mike

On Feb 12, 5:52 pm, "Mike W." <nos...@nospam.com> wrote:
> Good afternoon all. I am having a problem getting a L2L setup going
> with a PIX 515 and a 3005 Concentrator.
>
> Now, the VPN tunnel itself is not a problem...that is up and working
> fine. The problem (I think) lies in the fact that the Concentrator is
> not the default gateway on that side of the LAN. There is a PIX 506 in
> the mix here, which that subnet uses as it's gateway.
>
> So, for example, here is an overview of the setup:
>
> LAN 1: 192.168.1.0/24
> PIX 506 (the gateway) is: 192.168.1.254
> VPN 3005 is: 192.168.1.246
>
> LAN 2:
> PIX 515 (gateway/VPN endpoint): 192.168.200.0/24
>
> The tunnel is up and established...no problems. In the 506 PIX, I have
> a route statement:
>
> route inside 192.168.200.0 255.255.255.0 192.168.1.246 1
>
> From that 506 PIX, I can ping PC's on the .200 subnet.
>
> While on the .1 subnet, if I statically assign my laptop and set the
> concentrator as my gateway (192.168.1.246), I can get to the .200 subnet
> (remote desktop, telnet, file shares, etc)...which shows that the tunnel
> is working as expected
>
> I was thinking this may be solved by adding the NAT traversal command to
> the 506 PIX, but that didn't change anything.
>
> I realize this may be easier to do with the PIX 506 that is the gateway
> of the .1 network, but that is not possible, as it does not have a
> "true" outside interface. Outside in this case is 192.168.2.x as there
> is a load balancer for multiple internet connections on that side.
>
> I thought one of the main selling points of a Concentrator was that it
> can be "dropped" into an existing network to do VPN, either remote or
> site-to-site, no?
>
> One caveat: I am also using the 3005 for the Cisco VPN client remote
> access, which is working great, but will this mess with the L2L?
>
> Please let me know if you need any more information to assist on this.
>
> Thanks,
>
> Mike

PIX wont do 1 armed routing like a router will. Traffic entering the
Inside interface will not be sent back out the interface. Basically
this is a router function and PIX isn't a router.