3005 to pix 506E unable to pass traffic

mddistor
Level 1

I've been trying to simulate this for almost a week now; we would like to create a tunnel from the 506E through our VPN concentrator. The concentrator shows phase 2 completed, but all I get is an ICMP reply from the 3005's LAN IP when pinged from a host connected to the PIX; I can't do it the other way. If I initiate a ping, that's the only time I get TX on my concentrator.

Below is my config for the PIX; what am I missing? I also upgraded my concentrator to software version 3.6.7 Rel k9.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit ip 192.168.xxx.xxx 255.255.255.0 10.11.xxx.xxx 255.255.0.0
access-list 100 permit ip 192.168.xxx.xxx 255.255.255.0 10.11.xxx.xxx 255.255.0.0
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 206.220.xxx.xxx 255.255.255.0
ip address inside 192.168.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.x.x 255.255.255.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 206.220.xxx.xx 1
no sysopt route dnat
sysopt connection permit-ipsec
crypto ipsec transform-set europe esp-3des esp-md5-hmac
crypto map vpn_euro 10 ipsec-isakmp
crypto map vpn_euro 10 match address 101
crypto map vpn_euro 10 set peer 66.13.xxx.xxx
crypto map vpn_euro 10 set transform-set europe
crypto map vpn_euro interface outside
isakmp enable outside
isakmp key ******** address 66.13.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Do I need to create any static route on my concentrator? Currently I only have a default route to my 3005's public IP.

Thanks for any advice.

cym

8 Replies

ajagadee
Cisco Employee

Hi,

1. Is your VPN3000 configured for a LAN-to-LAN tunnel to the PIX, or is it configured to accept dynamic connections through the base group?

2. The default route on the VPN3000 should point to the next hop from the public interface and not to the interface itself.

3. I would also check the local and remote network lists on the VPN3000 for this tunnel, and for other tunnels if configured, to make sure that I do not have any overlapping subnets.

Regards,

Arul

Hi Arul,

1. Yes it is configured for LAN-to-LAN.

2. The default route is set to 0.0.0.0 --> 66.13.xxx.xxx (default gateway).

3. Under the IPsec, LAN-to-LAN menu on the concentrator, I defined the IP address/wildcard mask for both local and remote networks. No other tunnels are created yet; the concentrator is currently accepting remote access.

cym

Hi,

If possible, can you post the IP address/wildcard mask from the VPN3000 for the LAN-to-LAN tunnel, and what is the range of IP addresses that you are assigning to the clients?

And when you tried to ping from a host behind the VPN3000 to a host behind the PIX, what were your source and destination IP addresses?

Does the host behind the VPN3000 know where to send the packets for a host behind the PIX? And if you have an internal router, what is its default gateway, and does it have a route for 192.168.xxx.xxx pointing to the VPN3000?

Regards,

Arul

Hi,

I have a DHCP pool for my remote access clients starting at 10.11.1.x - 10.11.1.xx 255.255.0.0.

Wildcard mask addresses for my LAN-to-LAN:

Local Network --> 10.11.0.0/0.0.255.255

Remote Network --> 192.168.1.0/0.255.255.255

I don't have a router, but I have a PIX 515E that is connected in parallel to my concentrator (this is how our consultant set up the appliance). I didn't have problems with clients connecting via remote access. Anyway, this is how it looks:

pix 515e - 10.11.xxx.x --->66.13.xxx.xxx

concentrator - 10.11.xxx.y --->66.13.xxx.xxy

default gateway ---> 66.13.xxx.xxz

On the concentrator, the default tunnel gateway points to the PIX 515E's local address, and the default gateway --> 66.13.xxx.xxz.

I don't have a router on my PIX 506E network either; it's directly connected to the DSL modem.

Does my PIX 515E have something to do with this? Do I need to add a route for 192.168.xxx.xxx on my PIX 515E? But the tunnel should be between the 3005 & 506E, right?

I can ping the 3005's inside address from a host on the PIX 506E, but that's just it; I can't ping any other IPs on the 10.11.xxx.xx network, or ping back.

Thanks for any advice.

cym

Hi,

Your Remote network should be:

192.168.1.0/0.0.0.255

Regards,

Arul
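The check Arul is doing by eye, as an added example that is not part of this thread or of any Cisco tool: the PIX states the interesting traffic with subnet masks in access-list 101, while the VPN 3000 states its Local/Remote networks with wildcard masks, and the tunnel only passes traffic when the two descriptions mirror each other exactly. The script converts both notations to prefixes and reports any pair that has no mirror on the other end. The xxx octets are filled in as 192.168.1.0/24 and 10.11.0.0/16, which the later posts spell out; everything else is constructed sample input.

```python
"""Cross-check a PIX crypto ACL against VPN 3000 LAN-to-LAN network definitions.

Added example (not from the thread). Sample values are constructed from the
posts above: the PIX side is 192.168.1.0/24, the concentrator side 10.11.0.0/16.
"""
import ipaddress
import re

# access-list <name> permit ip <src> <src-mask> <dst> <dst-mask>
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def subnet_to_network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """PIX notation: address plus subnet mask (255.255.255.0)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """VPN 3000 notation: address plus wildcard mask (0.0.0.255)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # contiguous wildcards are of the form 2**k - 1
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefix = 32 - w.bit_length()
    # strict=False zeroes host bits, so 192.168.1.0/0.255.255.255 shows up as 192.0.0.0/8
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_crypto_acl(config: str, acl_name: str):
    """Return (local, remote) network pairs from the named PIX access-list."""
    pairs = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            pairs.append((subnet_to_network(m.group(2), m.group(3)),
                          subnet_to_network(m.group(4), m.group(5))))
    return pairs


def mirror_mismatches(pix_pairs, vpn_pairs):
    """List every pair that lacks an exact mirror on the other end (empty list = consistent).

    pix_pairs: (pix_local, pix_remote); vpn_pairs: (vpn_local, vpn_remote).
    The concentrator's local network must equal the PIX's remote, and vice versa.
    """
    pix_set = set(pix_pairs)
    vpn_as_seen_from_pix = {(remote, local) for local, remote in vpn_pairs}
    problems = []
    for local, remote in sorted(pix_set - vpn_as_seen_from_pix, key=str):
        problems.append(f"PIX ACL entry {local} -> {remote} has no mirror on the concentrator")
    for local, remote in sorted(vpn_as_seen_from_pix - pix_set, key=str):
        problems.append(f"concentrator entry local={remote} remote={local} has no mirror on the PIX")
    return problems


def check(config: str, acl_name: str, vpn_entries):
    """vpn_entries: (local_addr, local_wildcard, remote_addr, remote_wildcard) tuples."""
    pix = parse_crypto_acl(config, acl_name)
    vpn = [(wildcard_to_network(la, lw), wildcard_to_network(ra, rw))
           for la, lw, ra, rw in vpn_entries]
    return mirror_mismatches(pix, vpn)


# Constructed sample input mirroring the thread (xxx octets filled in).
PIX_CONFIG = """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.11.0.0 255.255.0.0
crypto map vpn_euro 10 match address 101
"""
# Remote network entered with the wrong wildcard, as in the post above.
WRONG_VPN3000 = [("10.11.0.0", "0.0.255.255", "192.168.1.0", "0.255.255.255")]
# Remote network with the wildcard Arul suggests.
FIXED_VPN3000 = [("10.11.0.0", "0.0.255.255", "192.168.1.0", "0.0.0.255")]

if __name__ == "__main__":
    for label, entries in (("wrong", WRONG_VPN3000), ("fixed", FIXED_VPN3000)):
        print(label, check(PIX_CONFIG, "101", entries) or "consistent")
```

With 0.255.255.255 the concentrator's remote network decodes to 192.0.0.0/8, which does not match the PIX's 192.168.1.0/24 proxy identity, so the script flags both sides; with 0.0.0.255 it returns an empty list. The non-contiguous-wildcard guard is there because the concentrator accepts such masks while a subnet-mask ACL on the PIX can never express them.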

I stand corrected, thank you, but it still doesn't work. One thing I realized though: when I changed the default gateway of host A to the 3005's IP, I was able to ping host B, but I can't access the internet if I do that. Besides, everything should go through my 515. How would I be able to pass traffic from the concentrator to the 515? Do I need to enable RIP on both so that the 506's networks would be able to traverse the network? Any other ideas?

Thanks again.

cym

I've spent a lot of time with a similar issue, the difference being that I can access the internet and end tunnel nodes. You could have the option Split Tunneling Policy (located under Configuration>Groups>YOURGROUP) configured for 'Tunnel Everything' without the 'Allow the networks in the list to bypass the tunnel' option enabled. Using that option, all your data packets will be transmitted down the tunnel. I would recommend setting that to 'only tunnel networks in list'. Doing that, you'll have to create a Network List under Configuration>Policy Management>Network Lists that includes your local networks.

I use a "router on a stick" setup. I dusted off some old Cisco router that I found in a closet one day, and set up the router to send all 0.0.0.0 traffic to the PIX and all remote VPN site traffic to the concentrator. I then set up all of my workstations to use the Cisco router as the default gateway. No problems with throughput so far, since it is using ICMP redirects and not processing every single packet that's going off site.

A server of some sort would work just as well as my Cisco router, as long as it keeps the routes after a reboot and can send ICMP redirects.

Anyway, my 2 cents.
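The routing difference the reply above describes, as an added example that is not part of this thread: a hop-by-hop trace through per-device route tables using longest-prefix match. In the "before" layout host A's gateway is the PIX 515E, whose only route is the default to the ISP, so a packet for the 506E's LAN is sent out to the internet in the clear instead of into the tunnel; in the "router on a stick" layout the router holds a specific route for the remote VPN site toward the 3005 and a default toward the 515E. Device names, prefixes and the 192.168.1.0/24 and 10.11.0.0/16 values are constructed placeholders for the thread's xxx octets.

```python
"""Trace where a host's packet goes under two gateway layouts (added example).

Each device has a route table {prefix: next_hop_name}. Names that are not
devices ("isp", "vpn3005", "direct") terminate the trace. Topology is constructed.
"""
import ipaddress


def longest_prefix_match(table, dst):
    """Return the next hop whose prefix is the longest one containing dst, or None."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(devices, start, dst, max_hops=8):
    """Follow next hops from `start` until a non-device name, a blackhole, or a loop."""
    path = [start]
    node = start
    for _ in range(max_hops):
        table = devices.get(node)
        if table is None:  # reached something we do not model as a forwarder
            return path
        next_hop = longest_prefix_match(table, dst)
        if next_hop is None:
            path.append("dropped-no-route")
            return path
        path.append(next_hop)
        node = next_hop
    path.append("loop")
    return path


# Before: workstations use the PIX 515E as default gateway; it knows only the ISP.
BEFORE = {
    "host-a":  {"10.11.0.0/16": "direct", "0.0.0.0/0": "pix515e"},
    "pix515e": {"10.11.0.0/16": "direct", "0.0.0.0/0": "isp"},
}

# After: a router on a stick sends the remote VPN site to the 3005, everything else to the 515E.
AFTER = {
    "host-a":  {"10.11.0.0/16": "direct", "0.0.0.0/0": "router"},
    "router":  {"10.11.0.0/16": "direct", "192.168.1.0/24": "vpn3005", "0.0.0.0/0": "pix515e"},
    "pix515e": {"10.11.0.0/16": "direct", "0.0.0.0/0": "isp"},
}

if __name__ == "__main__":
    for label, topo in (("before", BEFORE), ("after", AFTER)):
        print(label, "-> host B:", " > ".join(trace(topo, "host-a", "192.168.1.10")))
        print(label, "-> internet:", " > ".join(trace(topo, "host-a", "203.0.113.5")))
```

The trace makes the symptom in the thread concrete: with the 515E as gateway, traffic for 192.168.1.0/24 ends at "isp" rather than "vpn3005", which is why pointing host A's gateway at the 3005 fixed the ping but broke internet access. ICMP redirects, which the reply relies on, are not modelled; the router here forwards every packet.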
