IPsec VPN with 2 PIX firewalls and 1 2600 router

Unanswered Question
Mar 24th, 2007

Does anyone know if it's possible to set up a full mesh VPN topology when using 2 Cisco PIX firewalls and 1 Cisco 2600 router? I have no issues at all getting the VPN up between the PIX firewalls and 1 tunnel up between the router and PIX. The problem I am having is when trying to get the second tunnel from the router to the second PIX up and running.

Jon Marshall Sun, 03/25/2007 - 01:35


All the devices you mention can do multiple tunnels so there should not be an issue with creating a full mesh between them.

Suspect it may be a configuration issue? Perhaps you could post the configs.


bhansen70 Sun, 03/25/2007 - 08:47

Here are the configs I have right now. The PIX VPN is working just fine, so I think there is something missing on the router side of the VPN to the 2 PIX firewalls.


Jon Marshall Mon, 03/26/2007 - 01:43


Which VPN tunnel is not working?

In your router config it is a bit confusing as access-list 101 refers to which matches all your other configs on the pix firewalls.

Access-list 102, however, references 192.168.3.x. Unless this is a typo, this would mean that this traffic would get NATed and hence would not initiate a VPN tunnel, i.e.

Pix1 thinks traffic should be coming from However because your access-list 102 is referencing 192.168.3.x/24 then the 192.168.31.x traffic from your 2600 will get natted and hence will not match at the pix end.

Does this make sense?


bhansen70 Mon, 03/26/2007 - 20:41

Yes, that did make some sense. I was able to get the tunnels all up and working in the mesh configuration by just rebuilding ACL 101 to deny the other 2 remote offices so that they bypass NAT.

access-list 101 deny ip
access-list 101 deny ip
access-list 101 deny ip
access-list 101 permit ip any

Then I just used my nonat policy to match ip address 101.

Once I did that, everything came up just fine and is working great now.

Thanks for your input, it was good information.
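The following is an added example, not part of the thread and not the poster's configuration: a small Python model of the order of operations Jon describes on the 2600 (the NAT route-map's ACL is consulted before the crypto map), with an IOS-style wildcard ACL parser, so the mistyped nonat entry and the rebuilt ACL 101 can be compared on the same traffic. Only 192.168.31.0/24 and the mistyped 192.168.3.0/24 come from the thread; the two PIX LANs (192.168.1.0/24 and 192.168.2.0/24), the ACL numbers, and the router's outside address 203.0.113.1 are assumptions chosen for illustration.

```python
import ipaddress
from typing import List, Tuple

# Constructed addresses for the example. 192.168.31.0/24 (the 2600's LAN) and
# the mistyped 192.168.3.0/24 are from the thread; everything else is assumed.
ROUTER_OUTSIDE = "203.0.113.1"   # assumed PAT address on the 2600's outside interface

# Assumed nonat ACL with the typo Jon spotted: the deny lines reference
# 192.168.3.x, so 192.168.31.x traffic falls through to the permit and is NATed.
MISTYPED_NONAT = [
    "access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 101 permit ip 192.168.31.0 0.0.0.255 any",
]

# Assumed shape of the rebuilt ACL 101: deny (= exempt from NAT) the remote
# office LANs, then permit (= NAT) everything else from the local LAN.
FIXED_NONAT = [
    "access-list 101 deny ip 192.168.31.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 deny ip 192.168.31.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 101 permit ip 192.168.31.0 0.0.0.255 any",
]

# Assumed crypto ACL for the router-to-PIX2 tunnel (ACL number is arbitrary).
CRYPTO_TO_PIX2 = [
    "access-list 120 permit ip 192.168.31.0 0.0.0.255 192.168.2.0 0.0.0.255",
]

Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network (0.0.0.255 -> /24)."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse the 'ip' entries of a numbered extended ACL (the subset used here)."""
    entries: List[Entry] = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        if proto != "ip":
            raise ValueError("only 'ip' entries are modelled: " + line)
        src, i = _parse_endpoint(t, 4)
        dst, _ = _parse_endpoint(t, i)
        entries.append((action, src, dst))
    return entries


def acl_match(entries: List[Entry], src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def forward(nonat: List[Entry], crypto: List[Entry], src: str, dst: str) -> Tuple[str, bool]:
    """Model the inside-to-outside path on the 2600: NAT is applied before the
    crypto map is checked, so a flow the nonat ACL permits gets translated and
    then no longer matches the crypto ACL (it leaves in the clear, untunnelled).
    Returns (source address as seen on the outside, sent_through_tunnel)."""
    if acl_match(nonat, src, dst) == "permit":
        src = ROUTER_OUTSIDE
    return src, acl_match(crypto, src, dst) == "permit"


def demo() -> dict:
    """Same host-to-host flow (router LAN -> PIX2 LAN) under both nonat ACLs."""
    crypto = parse_acl(CRYPTO_TO_PIX2)
    return {
        "mistyped": forward(parse_acl(MISTYPED_NONAT), crypto, "192.168.31.10", "192.168.2.10"),
        "fixed": forward(parse_acl(FIXED_NONAT), crypto, "192.168.31.10", "192.168.2.10"),
        # Ordinary Internet-bound traffic must still be NATed after the fix.
        "internet": forward(parse_acl(FIXED_NONAT), crypto, "192.168.31.10", "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, (seen_src, tunnelled) in demo().items():
        print(f"{name:9s} outside source {seen_src:15s} tunnelled={tunnelled}")
```

On a real 2600 the equivalent check is `show ip nat translations` while generating traffic to the remote LAN: a translation entry for that flow means the nonat ACL is not exempting it, and `show crypto ipsec sa` will show no encrypted packets for that peer.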

