Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
310
Views
0
Helpful
3
Replies

LAN-to-LAN VPN with PIX501 to VPN3030 Concentrator

hbaumbach
Level 1
Level 1

‎02-19-2004 11:32 PM - edited ‎02-21-2020 01:02 PM

Hi, i am trying to set up a LAN-to-LAN VPN connection between a PIX501 and a VPN3030 concentrator. The PIX can connect using a preshared-key and the concentratot recognises it as a definded LAN-to-LAN connection. From the PIX i can ping the public interface of the concentrator. PIX also connects to internet through PPPoE. This only works if on the concentrator the LAN-to-LAN conenction is configured for routing with network auto discovery on both ends. As soon as I use a wildcard mask or a predefined network from the networks list, the tunnel doesnt get up anymore. Using the working config on the PIX with Network auto discovery on the concentraor I am not able to ping the private interface of the concentrator. When using Reverse Router Injection in the LAN-to-LAN setup the concentrator has the remote network behind the PIX in its routing table, but when thew PIX tries to establish the VPN connection I always get a QM FSM error in the concentrator event log and the tunnel doesnt go up, because of some missing SA for src:0.0.0.0 and dest:0.0.0.0 . Right after setting the LAN-to-LAN connection back to network auto discovery the tunnel comes up again, but the concentrator doesnt know of the network behind the PIX. I already took a look at the samples at the Cisco VPN3000 site, but i cant get this working. Maybe someone of you can help me with this.

Labels:
0 Helpful
3 Replies 3

murabi
Level 4
Level 4

‎02-25-2004 01:00 PM

Try upgrading the concentrator to the latest version.

0 Helpful

learnsomething
Level 1
Level 1

‎06-16-2004 11:58 AM

Did you get this working? I am having the exact same problem.

0 Helpful

steven.wilson
Level 1
Level 1
In response to learnsomething

‎06-18-2004 06:42 AM

The biggest problem with a VPN3000 is routing. The routing table is not used to find the longest match for an IP address, it basically uses it similar to an access-list. It sends the packets down the first route that matches. If the network behind the PIX is a subset of a larger network that is also listed in the table the packets will probably go there instead. When I have built hub and spoke networks i have used network lists that are VERY specific for each spoke. This way the tunnels come up and trafic goes down the right one.

Cheers

Steve.

0 Helpful
Customers Also Viewed These Support Documents