I have the following configuration:

LAN1 - FW - WAN - Cisco (DSL) - FW - LAN2

I want to create a VPN between LAN1 and LAN2. I would like to use both firewalls (FW) to terminate the VPN, but it seems like the Cisco DSL router is not forwarding the IPsec packets. What are the commands for the Cisco to forward all IPsec packets? I just want to use the Cisco as a DSL router with no filtering at all. I will use the firewalls for filtering and access rules.

Here is my current config:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$blablabla
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.138
!
ip dhcp pool CLIENT
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.138
 lease 0 2
!
!
ip cef
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
no ip ips deny-action ips-interface
!
!
crypto pki trustpoint TP-self-signed-1960537530
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1960537530
 revocation-check none
 rsakeypair TP-self-signed-1960537530
!
!
username xxxx privilege 15 secret 5 $1$blablabla/
username yyyy secret 5 $bla1bla1bla1/
username zzzz secret 5 $1$bla2bla2bla2/
username qqqq privilege 15 password 0 $1$bla3bla3bla3
username pppp privilege 15 password 0 $1$bla4bla4bla4
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnconnect
 key bbbbbbbbb
 domain cisco.com
 pool ippool2
 acl 121
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
 ip address 10.0.0.138 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
!
interface Ethernet2
 no ip address
 shutdown
!
interface BRI0
 no ip address
 shutdown
 isdn point-to-point-setup
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode etsi
 pvc 8/48
  oam-pvc 0
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Virtual-Template2
 no ip address
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname blabla@xs4all.nl
 ppp chap password 0 secretblabla
 ppp pap sent-username blabla@xs4all.nl password 0 secretblabla
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map clientmap
 hold-queue 224 in
!
ip local pool ippool 10.0.0.1 10.0.0.99
ip local pool ippool2 10.0.1.1 10.0.1.99
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.255.255.0 Ethernet0
!
ip http server
no ip http secure-server
!
ip nat inside source list 125 interface Dialer1 overload
ip nat inside source static esp 10.0.0.150 interface Dialer1
ip nat inside source static 10.0.0.150 interface Dialer1
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 121 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 125 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 125 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 length 0
!
scheduler max-task-time 5000
!
end
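
An added example, not part of the original post: a small Python audit that lists the statements in a configuration like the one above that decide what happens to IPsec traffic reaching the router (crypto maps bound to an interface, CBAC inspection, and static NAT entries for ESP, UDP/500 and UDP/4500). `SAMPLE_CONFIG` is an excerpt constructed from the posted lines, and the names `audit_ipsec_path` and `forwarded_to` are hypothetical.

```python
import re

# Constructed excerpt: the Dialer1 and NAT lines of the configuration posted above.
SAMPLE_CONFIG = """\
interface Dialer1
 ip nat outside
 ip inspect myfw out
 crypto map clientmap
!
ip nat inside source list 125 interface Dialer1 overload
ip nat inside source static esp 10.0.0.150 interface Dialer1
ip nat inside source static 10.0.0.150 interface Dialer1
"""

# ip nat inside source static [proto] <inside-ip> [port] interface <if> [port]
STATIC_NAT = re.compile(
    r"^ip nat inside source static (?:(esp|udp|tcp) )?(\S+)(?: (\d+))? interface \S+")

def audit_ipsec_path(config):
    """Collect the statements that affect IKE/ESP arriving on the router."""
    report = {"crypto_map": [], "inspect": [], "static_nat": []}
    iface = None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
        elif iface and line.startswith(" "):
            cmd = line.strip()
            if cmd.startswith("crypto map "):      # router itself terminates IPsec here
                report["crypto_map"].append((iface, cmd.split()[2]))
            elif cmd.startswith("ip inspect "):    # CBAC inspection on this interface
                report["inspect"].append((iface, cmd))
        else:
            iface = None
            m = STATIC_NAT.match(line)
            if m:                                   # no proto keyword: all-IP static entry
                report["static_nat"].append((m.group(1) or "ip", m.group(2), m.group(3)))
    return report

def forwarded_to(report, host):
    """Which IPsec components have an explicit static NAT entry toward `host`."""
    rules = {(proto, port) for proto, inside, port in report["static_nat"] if inside == host}
    return {"esp": ("esp", None) in rules,
            "ike_udp_500": ("udp", "500") in rules,
            "natt_udp_4500": ("udp", "4500") in rules,
            "all_ip": ("ip", None) in rules}

if __name__ == "__main__":
    print(forwarded_to(audit_ipsec_path(SAMPLE_CONFIG), "10.0.0.150"))
```

On the excerpt, the report shows `clientmap` bound to Dialer1 and static entries toward 10.0.0.150 for ESP and for all IP, with no explicit entries for UDP/500 or UDP/4500.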