
VPN Routing Issue


Got a good one for you guys. This is a routing issue to network without routers.

I have a remote site that connects through a PIX 501 to a Cisco 3015 concentrator. (The public interface of the concentrator is on the DMZ of a SonicWall Pro VX.) This works fine. The network behind the PIX is The local LAN behind local interface of the VPN concentrator is I can ping and connect to any resources on the 10.25.100 network.

The private network is very, very, very extensive from that point on, and the users on the network need access to resources that are at least 5 router hops away. Running EIGRP on all the routers. Next hop router after is over a point-to-point T-1, then the router on that end has a connection to the frame relay cloud where it goes to remote sites, one of which there's a mainframe that the users behind the network need.

I need to make every other router aware of the network so that connecting to remote resources will work. In other words, pinging will send the packet all the way to the resource, but does not know how to return.

Here's what I've done, which sounds like it would work in theory, but I have not tested it yet. In the concentrator I've added the network to the IP routing/static routes section. All inbound traffic from VPN to is pointed to the router. Works fine for VPN client connections because clients get assigned an address from a pool. Since the concentrator runs RIP, I did a router rip on the Cisco router and network I am hoping that by doing this the rest of the network will become "aware" of how to get packets back to the concentrator for the network.

The other option I am looking at is adding a static route to pointed to the LAN interface of the concentrator. I'm not sure if this route will populate the routing tables, as I am still a novice at EIGRP routing.



Giving the EIGRP router a static route to point the .99.0 network, you will populate the routing table of that router, the same as you do enabling RIP on the concentrator and the PIX.

You must ensure that all other EIGRP routers receive the routing information; if not, work with static routes.

I think that you should have placed the inside interface of the concentrator in the DMZ and the outside interface on the Internet, because doing so your firewall will be able to inspect decrypted packets.




Add the route as you say and use the redistribute static command on that router's EIGRP config to tell it to advertise that route to the other routers in that AS.
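The static route plus `redistribute static` approach from this reply, written out as an added Cisco IOS example that is not part of the thread. The angle-bracket values are placeholders (the thread's addresses are not available), the names VPN-REMOTE and STATIC-TO-EIGRP are hypothetical, and AS 155 is the EIGRP AS the original poster gives later in the thread. The route-map limits redistribution to the one VPN prefix so that no other static route on the router is injected into EIGRP.

```ios
! Added example. Placeholders in <angle brackets> are not values from the thread.
!   <VPN_NET> <VPN_MASK>   network behind the PIX 501
!   <VPN_PREFIX_LEN>       the same mask written as a prefix length
!   <CONC_LAN_IP>          LAN (private) interface of the VPN concentrator
!
! 1. Static route on the router adjacent to the concentrator
ip route <VPN_NET> <VPN_MASK> <CONC_LAN_IP>
!
! 2. Match only that prefix (names below are hypothetical)
ip prefix-list VPN-REMOTE seq 5 permit <VPN_NET>/<VPN_PREFIX_LEN>
!
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list VPN-REMOTE
! The implicit deny at the end of the route-map keeps every other
! static route out of EIGRP.
!
! 3. Advertise the matched static route into the EIGRP AS
router eigrp 155
 redistribute static route-map STATIC-TO-EIGRP
!
! 4. Verify from a router several hops away:
!   show ip route <VPN_NET>
!   show ip eigrp topology <VPN_NET> <VPN_MASK>
! The prefix should be listed as EIGRP external (D EX, administrative distance 170).
```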


Thanks for the tip on redistribute.

I have RIP v2 running on both the router and the LAN interface of the concentrator, and when I do a "show ip prot" I can see that these 2 devices are "ripping" with each other.

What about doing this:

router rip
 version 2
 redistribute eigrp 90
 default-metric 2

EIGRP AS is 155

Admin distance is 90/170 internal/external

Admin distance for RIP v2 is 120