Third interface on 3020 - What is it for?

m.surtees
Level 1

Hi,

From the conversation title you can see I'm interested in the mystery 3rd interface on the 3020. The reason why I ask is specific however: I want to allow VPN client connections to the 3020 to go down other L2L connections configured on the same 3020.

I have found a way to do this but I consider it a kludge. For anyone who is interested, I created a NAT rule so that an IP from the client pool wanting to access the remote networks (defined in the L2L configs) would be PATed to an address that was itself included in the local networks (again defined in the L2L configs). That way the VPN client's packet would hit the concentrator, be decrypted, hit the NAT rule, see that the packet was now src and dest matched to an IPSec SA, and go back out the appropriate L2L tunnel.

Now this is all well and good .... BUT: I would really like to bring our Pix FW into this i.e. have the traffic pass through and be processed by the firewall before it went back out a L2L tunnel. As you probably know PIX 6.3 does not like to send traffic back out the same interface it came in on ... which leads to my question re: the mystery 3rd interface.

However, there are of course going to be routing issues ... or are there? Does the concentrator regard an IPSec SA match higher than a route? There is an attached gif that shows the basic topology of this issue.

If pool address 1.1.1.1 wants to get to the Remote Office at 2.2.2.2, and I have a route on the concentrator sending traffic destined for 2.2.2.2 out Eth 3 and into a spare PIX interface, and the PIX has a route sending 2.2.2.2 to Private interface Eth 1 on the concentrator, will I have a loop, or will the IPSec SA match (local 1.1.1.1; remote 2.2.2.2) step in and encrypt the traffic and shove it down the L2L tunnel?

If not, what else is the third interface for? And is there another way to achieve my wish of having 1.1.1.1 traffic go through the PIX before it goes back to the concentrator for L2L tunneling?

Any help greatly appreciated,

Mike
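The reason the PAT workaround above works is that the concentrator matches a decrypted client packet against the L2L tunnel's local/remote networks only after the NAT rule has rewritten its source. The model below is an added illustration of that decision, not code from the post or from Cisco's software; the 10.10.0.0/16 local network, the translated address 10.10.0.254 and the /24 pool are constructed assumptions, while 1.1.1.1 and 2.2.2.2 are the addresses used in the post.

```python
"""Model of the forwarding decision the PAT workaround relies on: a
decrypted VPN-client packet is translated, then checked against each
L2L tunnel's local/remote networks (its crypto ACL). Constructed
example topology; no real deployment is modelled."""
import ipaddress
from dataclasses import dataclass


@dataclass
class L2LTunnel:
    name: str
    local: ipaddress.IPv4Network   # "local networks" in the L2L config
    remote: ipaddress.IPv4Network  # "remote networks" in the L2L config


# Constructed topology: one client pool and one L2L tunnel to a remote office.
CLIENT_POOL = ipaddress.ip_network("1.1.1.0/24")
TUNNELS = [L2LTunnel("remote-office",
                     ipaddress.ip_network("10.10.0.0/16"),   # assumed local net
                     ipaddress.ip_network("2.2.2.0/24"))]    # remote office
# PAT rule from the post: pool sources bound for the remote office are
# translated to an (assumed) address inside the tunnel's local network.
NAT_RULES = [(CLIENT_POOL, ipaddress.ip_network("2.2.2.0/24"), "10.10.0.254")]


def apply_nat(src, dst, rules):
    """Return the source address after PAT, or unchanged if no rule matches."""
    for src_net, dst_net, translated in rules:
        if src in src_net and dst in dst_net:
            return ipaddress.ip_address(translated)
    return src


def match_sa(src, dst, tunnels):
    """Return the name of the L2L tunnel whose ACL covers (src, dst), else None."""
    for t in tunnels:
        if src in t.local and dst in t.remote:
            return t.name
    return None


def forward(src, dst, nat_rules=NAT_RULES, tunnels=TUNNELS):
    """Decide what happens to a decrypted client packet: NAT first, then SA match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    translated = apply_nat(src, dst, nat_rules)
    sa = match_sa(translated, dst, tunnels)
    return f"encrypt via {sa} as {translated}" if sa else "clear-text route (no SA match)"


if __name__ == "__main__":
    print(forward("1.1.1.1", "2.2.2.2"))                # with the PAT rule
    print(forward("1.1.1.1", "2.2.2.2", nat_rules=[]))  # without it
```

Dropping the NAT rule shows the failure case: the untranslated pool source does not fall in the tunnel's local network, so the packet never matches the SA and is routed in the clear instead.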

2 Replies

Not applicable

What version of software code are you using in the concentrator?

VPN 3000 Concentrator Version 4.1.7.E (but my kludge worked on 4.0.x too)