Problem with Lan-2-Lan setup

Discussion in 'Cisco' started by Mike W., Feb 12, 2007.

  1. Mike W.

    Mike W. Guest

    Good afternoon all. I am having a problem getting a L2L setup going
    with a PIX 515 and a 3005 Concentrator.

    Now, the VPN tunnel itself is not a problem...that is up and working
    fine. The problem (I think) lies in the fact that the Concentrator is
    not the default gateway on that side of the LAN. There is a PIX 506 in
    the mix here, which that subnet uses as its gateway.

    So, for example, here is an overview of the setup:

    LAN 1:
    PIX 506 (the gateway) is:
    VPN 3005 is:

    LAN 2:
    PIX 515 (gateway/VPN endpoint):

    The tunnel is up and problems. In the 506 PIX, I have
    a route statement:

    route inside 1

    From that 506 PIX, I can ping PCs on the .200 subnet.

    While on the .1 subnet, if I statically assign my laptop and set the
    concentrator as my gateway (, I can get to the .200 subnet
    (remote desktop, telnet, file shares, etc)...which shows that the tunnel
    is working as expected.

    I was thinking this may be solved by adding the NAT traversal command to
    the 506 PIX, but that didn't change anything.

    I realize this may be easier to do with the PIX 506 that is the gateway
    of the .1 network, but that is not possible, as it does not have a
    "true" outside interface. Outside in this case is 192.168.2.x as there
    is a load balancer for multiple internet connections on that side.

    I thought one of the main selling points of a Concentrator was that it
    can be "dropped" into an existing network to do VPN, either remote or
    site-to-site, no?

    One caveat: I am also using the 3005 for the Cisco VPN client remote
    access, which is working great, but will this mess with the L2L?

    Please let me know if you need any more information to assist on this.


    Mike W., Feb 12, 2007

  2. Mike W.

    Timo Guest

    PIX won't do one-armed routing like a router will. Traffic entering the
    Inside interface will not be sent back out the interface. Basically
    this is a router function and PIX isn't a router.

    Timo, Feb 14, 2007
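Timo's point, illustrated with an added example that is not part of the thread: a small Python forwarding simulation. The device names come from the thread, but the addresses (RFC 5737 documentation ranges), interface names, route entries and the `hairpin` flag are constructed assumptions, not the poster's configuration. It shows why a LAN host whose default gateway is the PIX 506 never reaches the remote subnet even though the 506 has a `route inside` pointing at the concentrator, why the same host reaches it when the concentrator is its gateway, and how a router in the 506's place would behave differently.

```python
"""Toy first-hop forwarding model for the thread's topology (added example).

All addresses are constructed from RFC 5737 documentation ranges; they are
not the poster's real addresses. Interface names and routes are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.ip_network


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str                    # egress interface
    next_hop: Optional[IPv4] = None   # None means directly connected


@dataclass
class Device:
    name: str
    lan_if: str       # interface attached to the local LAN (where hosts send to it)
    hairpin: bool     # True: a router, may forward back out the ingress interface
    routes: list

    def lookup(self, dst: IPv4) -> Optional[Route]:
        """Longest-prefix match over the route table."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, dst: IPv4, ingress: str) -> Tuple[str, str]:
        """Decide what happens to a transit packet for dst that arrived on ingress."""
        route = self.lookup(dst)
        if route is None:
            return ("drop", f"{self.name}: no route to {dst}")
        if route.interface == ingress and not self.hairpin:
            # Timo's point: a PIX will not send transit traffic back out the
            # interface it came in on, so the 'route inside' entry never helps
            # hosts that use the PIX as their gateway.
            return ("drop", f"{self.name}: route to {dst} exits {ingress}, the ingress "
                            f"interface; PIX does not hairpin")
        via = route.next_hop or "connected"
        return ("forward", f"{self.name}: {dst} -> {route.interface} via {via}")


# Constructed topology: LAN1 is the local LAN, LAN2 the remote LAN behind the PIX 515.
LAN1 = Net("192.0.2.0/24")
LAN2 = Net("198.51.100.0/24")
LOADBALANCER_NET = Net("203.0.113.0/24")       # stands in for the 'outside' segment
VPN3005_PRIVATE = IPv4("192.0.2.2")            # concentrator's LAN1 address (assumed)
UPSTREAM = IPv4("203.0.113.1")                 # assumed next hop on the outside segment


def build_pix506(hairpin: bool = False) -> Device:
    """The LAN1 default gateway. hairpin=True models a router in its place."""
    return Device("PIX 506" if not hairpin else "router", "inside", hairpin, [
        Route(LAN1, "inside"),
        Route(LOADBALANCER_NET, "outside"),
        Route(LAN2, "inside", VPN3005_PRIVATE),          # the 'route inside ...' entry
        Route(Net("0.0.0.0/0"), "outside", UPSTREAM),
    ])


def build_vpn3005() -> Device:
    """The concentrator: LAN2 is reachable through the L2L tunnel."""
    return Device("VPN 3005", "private", False, [
        Route(LAN1, "private"),
        Route(LAN2, "tunnel"),
        Route(Net("0.0.0.0/0"), "public", UPSTREAM),
    ])


def trace(gateway: Device, dst: IPv4) -> Tuple[str, str]:
    """A LAN1 host sends a packet for dst to its configured default gateway."""
    return gateway.forward(dst, gateway.lan_if)


if __name__ == "__main__":
    remote_host = IPv4("198.51.100.10")
    print(trace(build_pix506(), remote_host))              # drop: hairpin on 'inside'
    print(trace(build_vpn3005(), remote_host))             # forward into the tunnel
    print(trace(build_pix506(hairpin=True), remote_host))  # a router would forward
    print(trace(build_pix506(), IPv4("203.0.113.50")))     # ordinary outbound traffic
```

The model is first-hop only: it explains why the poster's laptop works with the concentrator as its gateway and why the 506's own pings succeed (locally originated traffic is not transit and never hits the hairpin rule), without modelling the tunnel or the return path. A router with `hairpin=True` forwards the packet to the concentrator and, in practice, also sends the host an ICMP redirect; the PIX does neither.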
