I can terminate on the PIX however I have two reasons not to. The PIX version 6.3 does not allow VPN's to send traffic to the outside of the interface without traversing the pix. Meaning I can't from VPN site 1, go to VPN site 2 unless the packet travels from the outside interface to the inside interface and back out again. This doesn't work for Voice calls since what happens in a Call Manager call, the call manager sets up the call then steps out and tells the two IP Phones, you talk to each other, I don't need to be involved anymore. At this point since the two VPN's are outside the PIX, the voice packet is no longer going from the outside to the inside of the pix, you lose the phone conversation. It's pretty funny when you hear the phone ring at two sites connected with a VPN but when you pick up there's complete silence which is exactly what happens in that scenario. Now if you had a site-to-site vpn going at that point between spoke 1 and spoke 2 I suppose the voice conversation will keep going and that may be an alternative. This little problem doesn't affect the IOS Router VPN's that I'm aware of. Also with PIX Version 7 I hear this type of VPN will be supported.

I do not believe you can classify voice packets on the PIX as you can with the router, which means before that voice call hits the VPN backup I can classify the traffic and prioritize it out the local interface, of course when it hits the internet it doesn't mean anything anymore. Also I think the IOS VPN has a pre-classify option which allows you to classify before it gets encrypted. I didn't read all the way through that technote yet.

Thanks for your reply, I would've been done already if I could terminate it on the dang PIX!!!

I have a second interface on the router that is unused, I was thinking something along the lines of terminating my VPN's to that interface and plugging that behind the firewall, but then I lose the functionality of the PIX.

I would suggest an additional router inside the network

internal--router--pix--router--internet

and terminate your vpns on the internal router. This way you have the security of the pix and the VPN functionality you need. terminating the VPN externally will require too many open ports and greatly complicate the configuration.

just permit esp and isakmp as you already have in your access-list.

Thanks again for the reply. We are probably going to change the design a bit by brining in a VPN concentrator. Still working out some kinks though. We want to run EIGRP and the only way we could do this is with GRE tunnels. But since we're probably going to terminate the GRE Tunnel behind the Concentrator I was looking for a way to allow the GRE tunnel through the concentrator. We'll basically terminate IPSEC traffic at the Concentrator and then extend the GRE Tunnel inside. At least that's how I'm understanding it at this point.

I think I answered my own question. If the IPSEC tunnel comes up correctly between the concentrator and the IOS based vpn's then technically I'm inside the trusted network and can run my GRE Tunnel or whatever traffic I want across it. I think that makes sense at that point. Thanks again for the replies.