Core issue

In some LAN-to-LAN scenarios, you may have a router behind the Cisco VPN Concentrator that is used to aggregate traffic from multiple networks. In such scenarios, routing issues can cause traffic not to reach end devices.

Resolution

Refer to this scenario:

                                                                 , - 10.1.1.0    /24
192.168.1.0/24 -- PIX ---- Internet ---- Concentrator - Router --, - 172.16.1.0  /24
                                                                 , - 192.168.2.0 /24

From this diagram, a LAN-to-LAN tunnel is configured between the PIX Firewall and the VPN Concentrator.

For more information on how to configure LAN-to-LAN tunnels between a VPN Concentrator and a PIX, refer to Configuring the Cisco VPN 3000 Concentrator to the PIX Firewall.

In addition to the normal LAN-to-LAN configuration, configure static routes on the VPN Concentrator for each internal network. For example, 10.1.1.0/24, 172.16.1.0/24 and 192.168.2.0/24. To avoid configuring individual routes on the VPN Concentrator, configure the tunnel default gateway as the router IP address. Then all the encrypted packets through the LAN-to-LAN tunnel are forwarded to the internal router. If the tunnel default gateway is not configured, three static statements need to be configured on the VPN Concentrator for the correct routing.

To configure a default tunnel gateway on the VPN Concentrator, go to Configuration > System > IP Routing > Default Gateways.

For more information, refer to Configuring the Cisco VPN 3000 Concentrator to a Cisco Router.