Good morning all. I am having a problem getting a L2L setup going with a PIX 515 and a 3005 Concentrator.
Now, the VPN tunnel itself is not a problem...that is up and working fine. The problem (I think) lies in the fact that the Concentrator is not the default gateway on that side of the LAN. There is a PIX 506 in the mix here, which that subnet uses as it's gateway.
So, for example, here is an overview of the setup:
LAN 1: 192.168.1.0/24
PIX 506 (the gateway) is: 192.168.1.254
VPN 3005 is: 192.168.1.246
LAN 2: 192.168.200.0/24
PIX 515 (gateway/VPN endpoint): 192.168.200.254
The tunnel is up and established...no problems. In the 506 PIX, I have a route statement:
route inside 192.168.200.0 255.255.255.0 192.168.1.246 1
From that 506 PIX, I can ping PC's on the .200 subnet.
While on the .1 subnet, if I statically assign my laptop and set the concentrator as my gateway (192.168.1.246), I can get to the .200 subnet (remote desktop, telnet, file shares, etc)...which shows that the tunnel is working as expected
I was thinking this may be solved by adding the NAT traversal command to the 506 PIX, but that didn't change anything.
I realize this may be easier to do with the PIX 506 that is the gateway of the .1 network, but that is not possible, as it does not have a "true" outside interface. Outside in this case is 192.168.2.x as there is a load balancer for multiple internet connections on that side.
I thought one of the main selling points of a Concentrator was that it can be "dropped" into an existing network to do VPN, either remote or site-to-site, no?
One caveat: I am also using the 3005 for the Cisco VPN client remote access, which is working great, but will this mess with the L2L?
Please let me know if you need any more information to assist on this.