

CVPN3000 with PIX 501 at Remote sites. Can VPN3K route between remotes?

I have a VPN3000 (ver 3.5) at the hub site with PIX 501's deployed remotely. Remote sites can ping the hub site but not another remote site. I have enabled RRI (but not RIP or OSPF) on the VPN3000 and see the routes in the routing table.

Pings time out though. Any suggestions (since there is virtually no documentation about this)?


Cisco Employee

You can route traffic back out to the spoke sites if you have a VPN3000 at the hub, but you have to make sure you tell the 3000 to specifically do this by adding the remote networks into the LAN-to-LAN configuration for each spoke. Because you can only specify one network as a remote network in the LAN-to-LAN config section, you have to create a Network List for each one and use that instead.

For example, let's say you have the following:

NetA --- PIX501A -------------VPN3000 ------------- PIX501B -----NetB




And you want to route from NetA to NetB, via the VPN3000, but also get to NetC behind the VPN3000 from each site.

On PIX501A you'd have two lines in its crypto ACL as follows:

- permit ip NetA NetB

- permit ip NetA NetC

On PIX501B you'd have the following:

- permit ip NetB NetA

- permit ip NetB NetC

Now, on the VPN3000 you have two LAN-to-LAN tunnels set up, one to each PIX. Create two Network Lists (under Config - Policy Mgmt - Traffic Mgmt - Network Lists) as follows:

List ToPIX501A includes NetB and NetC

List ToPIX501B includes NetA and NetC

Then under the LAN-to-LAN config for the tunnel to PIX501A, make the Local Network the list ToPIX501A and the Remote Network NetA.

Under the LAN-to-LAN connection for PIX501B, make the Local Network the ToPIX501B list and the Remote Network NetB.

You also have to make sure that the routing table on the VPN3000 has entries for NetA and NetB and they point out the Public interface to the default gateway of the device.
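
A consistency check for the configuration described above, as an added example that is not part of the original reply: it verifies that each PIX's crypto ACL and the VPN3000's Local/Remote Network settings for that tunnel are mirror images, and that two spokes' ACLs cover traffic between their LANs. The addresses and the names `NETS`, `TUNNELS`, `mirror_findings` and `spoke_can_reach` are constructed for illustration.

```python
from ipaddress import ip_network

# Constructed addressing, not from the thread: NetA/NetB are spoke LANs, NetC is the hub LAN.
NETS = {"NetA": "10.1.1.0/24", "NetB": "10.1.2.0/24", "NetC": "10.0.0.0/16"}

# Per tunnel: the spoke's crypto ACL as (source, destination) pairs, and the
# hub's LAN-to-LAN settings (Local Network list members, Remote Network).
TUNNELS = {
    "PIX501A": {"spoke_acl": [("NetA", "NetB"), ("NetA", "NetC")],
                "hub_local": ["NetB", "NetC"], "hub_remote": "NetA"},
    "PIX501B": {"spoke_acl": [("NetB", "NetA"), ("NetB", "NetC")],
                "hub_local": ["NetA", "NetC"], "hub_remote": "NetB"},
}

def net(name):
    return ip_network(NETS[name])

def mirror_findings(tunnels):
    """List every selector present on one end of a tunnel but not the other."""
    findings = []
    for peer, t in tunnels.items():
        spoke = {(net(s), net(d)) for s, d in t["spoke_acl"]}
        # Seen from the spoke, the hub's Remote Network is the source side.
        hub = {(net(t["hub_remote"]), net(l)) for l in t["hub_local"]}
        findings += [f"{peer}: hub lacks {s} -> {d}" for s, d in sorted(spoke - hub)]
        findings += [f"{peer}: spoke lacks {s} -> {d}" for s, d in sorted(hub - spoke)]
    return findings

def spoke_can_reach(tunnels, src_peer, dst_peer):
    """True if both spokes' ACLs cover traffic between their LANs (either direction)."""
    a, b = net(tunnels[src_peer]["hub_remote"]), net(tunnels[dst_peer]["hub_remote"])
    def covers(peer, local, remote):
        return any(local.subnet_of(net(s)) and remote.subnet_of(net(d))
                   for s, d in tunnels[peer]["spoke_acl"])
    return covers(src_peer, a, b) and covers(dst_peer, b, a)

if __name__ == "__main__":
    print(mirror_findings(TUNNELS) or "selectors mirror on every tunnel")
    print("NetA <-> NetB via hub:", spoke_can_reach(TUNNELS, "PIX501A", "PIX501B"))
```

Because `spoke_can_reach` uses subnet containment, it also accepts a single summarized ACL entry that covers all remote sites.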


My diagram didn't come out correctly in my previous email. NetC is supposed to be connected to the VPN3000, not connected off NetA.

I see, it's similar to what has to be done if your hub is a PIX. One question though, if I remember correctly each line of the crypto ACL is used to create a security association. Right now each 501 has two tunnels, one for the remote LAN on the inside interface and one to the outside interface for remote management. I think the 501 only allows 5 tunnels total so it looks like I can have 4 remote sites total. Is this right?

Also one last thing to throw out. My hub site is 172.20.x.x /16 the remote sites are 172.21.1.x /24, 172.21.2.x /24, 172.21.3.x /24, etc, etc. If we go by your example above can my list ToPIX501A be something like <---- for the hub site LAN <---- for all remote sites

The PIX 501A would have

access-list VPN_Traf permit ip

access-list VPN_Traf permit ip

Think this is possible? If not it looks like this is not scalable.

Thanks for your insight on this.

Sorry for the delay in responding, I missed your 2nd message.

The 501 can have 5 PEERS, not tunnels, and in this scenario you'll only have one peer so you should be fine.

As for your ACLs, yes, that'll work, and is actually the preferred method 'cause as you said, it's not scalable if you have to add each one in individually. You're lucky (or smart) that your design has all the 501 networks in the same network enabling you to do this.


Just a comment regarding PIX being the HUB. PIX will not route traffic between the spokes. Hub&Spoke VPN design with PIX in the Central is not usable.


