How to merge MPLS VPN to IPsec VPN

Unanswered Question
Nov 28th, 2008

My question is how to merge a new site which is MPLS VPN into existing WAN of 30 sites that are all linked with PIX IPSec tunnels.

This new SiteC needs to use an application server on SiteB and get to a mail server on SiteA. Internet traffic initiated from new SiteC needs to go via SiteB PIX.

Please see attached document.


Giuseppe Larosa Fri, 11/28/2008 - 13:12

hello Gari,

you need to modify the IPsec configuration between siteA and siteB so that traffic coming from siteC's IP subnets is also encrypted.

You need to modify some ACLs keeping their mirrored structure.

You may need to modify other ACLs applied to interfaces on routers and PIXs as needed.

Some static routes will be added too for the siteC's subnets to make them known on site A and site B devices.

siteB exit point to siteC is the router with next-hop

Depending on the type of interaction with the MPLS VPN service provider, you also need to advertise from siteB's CE all the siteA and siteB IP subnets of interest: the SP will propagate this info to siteC as needed (or just a default route can be enough).

Hope to help


garilynni Tue, 12/02/2008 - 07:13

Hi Giuseppe,

Thank you for your reply, but I am still unsure where to begin. Can you provide some examples of the lines to add and/or modify in the SiteA PIX and SiteB PIX? Below are the current lines for the links between SiteA and SiteB. I added a line in the SiteB PIX but am not sure if you can have two different internal IP subnets using the same Global IP address? Also, SiteB hosts are currently set for a default gateway which is the e1 interface on the PIX; would I need to install an internal router for the default gateway and assign the e1 interface to and change the e1 interface to something for example then add static routes?

ip route [to traffic to SiteB Pix]

ip route [to route traffic going Site C via CE router]

Can you explain more or give an example of what you said about advertising the subnets for SiteA & SiteB from SiteB's CE? What would be a clear explanation to the ISP to set this up in their CE router, as they manage both CEs, or is there another way without having to deal with the ISP?

[ SiteA PIX]

access-list NoNat permit ip

access-list SiteB permit ip

crypto map MyIPSECVPN 35 ipsec-isakmp

crypto map MyIPSECVPN 35 match address SiteB

crypto map MyIPSECVPN 35 set peer

crypto map MyIPSECVPN 35 set transform-set strong

isakmp key ******** address netmask

[ SiteB PIX]

access-list NoNat permit ip

access-list SiteA permit ip

crypto map MyIPSECVPN 9 ipsec-isakmp

crypto map MyIPSECVPN 9 match address SiteA

crypto map MyIPSECVPN 9 set peer

crypto map MyIPSECVPN 9 set transform-set strong

isakmp key ******** address netmask

[ add to SiteB PIX - traffic coming from SiteC ip subnet going to SiteA will be encrypted ]

access-list NoNat permit ip

access-list SiteA permit ip

crypto map MyIPSECVPN 10 ipsec-isakmp

crypto map MyIPSECVPN 10 match address SiteA

crypto map MyIPSECVPN 10 set peer

crypto map MyIPSECVPN 10 set transform-set strong

isakmp key ******** address netmask

[ add to SiteB PIX - route traffic going to SiteC]

Route inside

Giuseppe Larosa Wed, 12/03/2008 - 12:06

Hello Gary,

I'm not an expert in PIX configuration, however some concepts are independent of the type of device you use.

You have this scenario

SiteA --- IPseC/internet --- SiteB __ SiteB_CE ++++ MPLS ++++ SiteC_CE


from the point of view of SiteA it looks as if SiteB has added some IP subnets, just as if one or more new VLANs and their IP subnets had been added at siteB

the new network is SiteC LAN segment

so now you need to permit ipsec traffic between

siteA to siteB

siteA to siteC

you should add

access-list NoNat permit ip

access-list SiteB permit ip

B) site B

double role

B.1 ipsec

from ipsec point of view a new ip subnet has been added to site B

this part is already clear to you as you stated you add a line to each ACL.

B.2 routing PIX to SiteB_CE


Route inside

B.3 site B CE routing

you can point directly to the SiteB PIX inside interface using as next-hop; they are in the same IP subnet, so there is no need for another device or IP address


ip route

then depending on the type of service

I suppose you got a L3 VPN service with CE managed by ISP

let's suppose they use BGP

router bgp 650xx

neigh PE_B remote-as isp-AS-number



no auto-summary

no sync



site C

just BGP

router bgp 650xx

neigh PE_C remote-as isp-AS-number


no auto-summary

no sync


This is just an example.

Ask the ISP people to have the subnets of interest advertised over the MPLS VPN.

This has to be done on the CE routers; I don't see any other way.

Hope to help


garilynni Fri, 03/06/2009 - 15:25

Hello Giuseppe,

I had to put this issue on hold for a while and am now getting back on it. I wanted to give you an update on my progress from the last instructions you gave me. I had to put an internal router at SITE-B because adding the line in the SITE-B PIX (route inside) still had unsuccessful results when pinging from a PC on the subnet. It did work if pinging from the PIX because I guess the traffic was originating from the PIX and it routed to the 3Com router at SITE-B and then on to the 3Com router at SITE-C.

On the SITE-B PIX I changed the inside interface to which was and added the following line to route to the internal LAN router.

route inside 1

What I have now on the internal LAN router is the following

ip route

ip route

I now can ping SITE-C from SITE-B and was able to RDP remote connect to PC at SITE-C and ping successful back to SITE-B.

Other items yet to be worked out:

1. From SITE-A to be able to ping SITE-C

2. From SITE-C to be able to get to internet using SITE-B as the internet gateway.

3. From SITE-C to be able to get to SITE-A mailserver.

The ISP has finally added a static route in the SITE-B CE router, for which I wasn't sure whether to use the SITE-B internal router or the PIX. I can't test this until a PC gets hooked back up to the SITE-C CE router, hopefully next week. I was able to get partial configurations from the ISP on both 3Com routers, model 5012; please see attached.

I think you instructed me to also add to the SITE-B CE router a static route which at that time was the inside interface of the SITE-B PIX but is now the SITE-B internal LAN router. So I just had them add in a static route

(Continued on next Post)

garilynni Fri, 03/06/2009 - 15:26

(Continued from previous post)

Can you clarify again your last comment, “have subnet of interest advertised over the MPLS VPN”? I ask this because SITE-C and SITE-B will be the only locations on the cloud. I know this sounds strange. Below are the current lines on the tunnel in the SITE-A PIX

access-list NoNat permit ip

access-list SITE-B permit ip

crypto map MyIPSECVPN 35 ipsec-isakmp

crypto map MyIPSECVPN 35 match address SITE-B

crypto map MyIPSECVPN 35 set peer

crypto map MyIPSECVPN 35 set transform-set strong

isakmp key ******** address netmask (I assume this would apply to the second set of crypto lines for the second tunnel since both tunnels would use same public IP address)

Because I already have the above lines for the original tunnel going to SITE-B, when I attempt to enter the access-list lines below for the new subnet I get the error "ACE not added. Possible duplicate entry"

access-list NoNat permit ip (this goes in fine)

access-list SITE-B permit ip (this one I get error)

Then I tried, with unsuccessful results, using the lines below, but the tunnel doesn't come up. I don't understand how this could work because the original tunnel is built using a public IP address associated to subnet on the SITE-B PIX and I'm attempting to get a second tunnel going between both PIXs for the traffic.

access-list NoNat permit ip

access-list SITE-BB permit ip

crypto map MyIPSECVPN 36 ipsec-isakmp

crypto map MyIPSECVPN 36 match address SITE-BB

crypto map MyIPSECVPN 36 set peer

crypto map MyIPSECVPN 36 set transform-set strong

I have been unsuccessful trying to ping SITE-C from either the router itself or a client after adding these lines, and when I do a sh cry ipsec sa I don't see a tunnel for This has been the most difficult to understand. Another way to look at this is I have 2 LANs now that I want to both go out the one external interface. I have heard of a method, but am not sure if this would fit my situation, where the PIX can be configured with nat/global pairs or statics or nat 0's between the inside and outside interface. If this is something you are familiar with, this may be the way to do it…..possibly?

I have attached an updated drawing. Thank you so far for the help, and I hope you or someone else on your team has seen this scenario before who can offer any assistance. Thanks again.

garilynni Sun, 03/22/2009 - 07:05

Can anyone tell me if what I am trying to do is possible or can recommend another solution?

Giuseppe Larosa Sun, 03/22/2009 - 23:10

Hello Gari,


I've missed your follow-up on this interesting issue.

I have to read carefully your last updates.

In any case:

you don't need to build a second IPsec tunnel between siteA and siteB

A single tunnel for both LANs is what is needed

it is possible that some static or nat commands are needed on the pix.

The suggestion is to look at the current working configuration.

What commands are on siteA pix for net ?

Whatever commands are present in addition to static routes need to be replicated for net

Note: I'll try to check the siteA PIX config, if present in the first posts


I see that the complete config of pix of siteA is not reported however the way to go is the one described above:


sh run | inc to see all occurrences of this string in the pix config

copy everything to a text editor.

create equivalent lines for


The ACL issue is odd; it should accept additional lines (there are some exceptions for routers when isakmp is not used), but in some specific cases the ACL has to be single-line.

if there is a limitation of a single line ACL you can overcome this by using a larger mask.

you can try to match with

Adapt this on siteB mirror ACL as needed.

Hope to help

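An added example (not from this thread or from any of its posters) that checks the two points Giuseppe raises: that the crypto ACLs on the SiteA and SiteB PIXs stay mirrored once SiteC's subnet is added, and that a single larger-mask entry can stand in for two ACEs. The subnet values, host addresses and function names are constructed for the example, since the thread's real addresses are not shown.

```python
"""Mirror and coverage checks for PIX-style crypto ACLs (added example)."""
from ipaddress import ip_network, ip_address

# Constructed sample subnets; the thread's real addresses are elided.
SITE_A = ip_network("10.1.0.0/24")
SITE_B = ip_network("10.2.0.0/24")
SITE_C = ip_network("10.2.1.0/24")   # behind SiteB's CE over the MPLS VPN


def ace(src, dst):
    """Render one PIX-style 'permit ip <src> <mask> <dst> <mask>' entry."""
    return (f"permit ip {src.network_address} {src.netmask} "
            f"{dst.network_address} {dst.netmask}")


def parse_ace(line):
    """Parse the ACE form above back into a (src, dst) network pair."""
    _, _, s, sm, d, dm = line.split()
    return ip_network(f"{s}/{sm}"), ip_network(f"{d}/{dm}")


def mirrored(acl_local, acl_peer):
    """True when every src/dst pair on one peer appears reversed on the other."""
    local = {parse_ace(l) for l in acl_local}
    peer = {parse_ace(l) for l in acl_peer}
    return {(d, s) for s, d in local} == peer


def covers(acl, src_ip, dst_ip):
    """True when some ACE would select this flow for encryption."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    return any(src in s and dst in d for s, d in map(parse_ace, acl))


def summarize(nets):
    """Smallest single prefix containing all nets (the 'larger mask' workaround)."""
    cand = nets[0]
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()
    return cand


# SiteA's crypto ACL 'SiteB' and SiteB's crypto ACL 'SiteA' after adding SiteC.
SITE_A_ACL = [ace(SITE_A, SITE_B), ace(SITE_A, SITE_C)]
SITE_B_ACL = [ace(SITE_B, SITE_A), ace(SITE_C, SITE_A)]

# Single-line alternative if the PIX refuses the second ACE.
SITE_A_ACL_SUMMARY = [ace(SITE_A, summarize([SITE_B, SITE_C]))]
SITE_B_ACL_SUMMARY = [ace(summarize([SITE_B, SITE_C]), SITE_A)]

if __name__ == "__main__":
    print("mirrored:", mirrored(SITE_A_ACL, SITE_B_ACL))
    print("A->C covered:", covers(SITE_A_ACL, "10.1.0.10", "10.2.1.10"))
    print("summary entry:", SITE_A_ACL_SUMMARY[0])
```

The summary only works when the SiteB and SiteC subnets are adjacent enough that the covering prefix does not pull in address space that must not be encrypted; check the returned prefix before using it.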

Mohamed Sobair Sun, 03/22/2009 - 23:24


On Site A's PIX, you should allow access to the mail server from the outside on ports 25, 110.

You will also need to create a VPN client with Easy VPN and configure "Split tunneling" from the routers on Site C toward the Site B PIX. The Split Tunneling config would allow the VPN client to gain access to the internet through the same incoming interface as the VPN connection.

