Cisco Support Community
Community Member

827 to PIX 515 VPN advice


I have an 827 ADSL router for a small SOHO LAN and a PIX 515 at the office. BellSouth is providing the DSL service, and I have a block of eight public IPs at my disposal. I currently have a functioning VPN (tunnel works, can ping both sides, pcAnywhere works, etc.) but I'm seeking experts' advice on how I can improve the setup.

Some details: BellSouth "business-class" ADSL service is provisioned so that the WAN IP is dynamic (PPPoE) but the block of eight public IPs is reachable regardless of that dynamic WAN address. Currently, I am not using those public addresses on the LAN; instead I'm using the private block. More on that in a minute. The corporate LAN uses the block but the PIX outside interface is accessible from the Internet. The purpose of the VPN is for access to server data (W2K network) and, more importantly, for IP telephony and H.323 videoconferencing.

On the 827 side, the tunnel is terminated on the Dialer interface, which gets its IP via PPPoE. As this address is dynamic, the tunnel must be initiated from the 827 to the PIX, with the PIX accepting wildcard sources and authenticating the remote with a shared secret. I set up the 827 this way because I didn't know you could terminate IPSec tunnels anywhere else but on the WAN interface. The problem with this setup is that the tunnel will only set up if there is LAN traffic originating from the network and going to I'd like for the tunnel to be established any time that the 827 is on, so that I can remotely manage the SOHO LAN.

So here are my questions:

1. Should I terminate the tunnel on a different interface?

2. Very Important: How can I have the tunnel up any time the 827 is on?

3. Would using the public IPs help any of this to happen? How could they best be used?

4. How can I configure the 827 and PIX so that the H.323 traffic stays out of the encrypted tunnel?

5. What would an experienced engineer add to or delete from the config?

Thanks in advance!

Brit Davis


Here's the config for the 827:


version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption

hostname Cisco827

no logging buffered
enable secret <omitted>

username <omitted> privilege 15 secret <omitted>
ip subnet-zero
ip domain-name <omitted>
ip dhcp excluded-address

ip dhcp pool CLIENT
 import all
 lease 0 2

ip ssh time-out 120
ip ssh authentication-retries 3
vpdn enable

vpdn-group pppoe
 protocol pppoe
 ip mtu adjust

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key <omitted> address <omitted>

crypto ipsec transform-set pix-set esp-des esp-md5-hmac

crypto map pix 10 ipsec-isakmp
 set peer <omitted>
 set transform-set pix-set
 match address 101

interface Ethernet0
 ip address
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out

interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto

interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1

interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 no ip route-cache
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer remote-name <omitted>
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname <omitted>
 ppp chap password <omitted>
 ppp ipcp dns request
 crypto map pix

ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route Dialer1
no ip http server
no ip pim bidir-enable

access-list 101 permit ip
access-list 105 permit ip any
access-list 110 deny ip
access-list 110 permit ip any
access-list 150 permit ip any any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 110

line con 0
 exec-timeout 120 0
 password <omitted>
 stopbits 1
line vty 0 3
 exec-timeout 120 0
 password <omitted>
 login local
 length 0
 transport input telnet
line vty 4
 exec-timeout 120 0
 password <omitted>
 login local
 length 0
 transport input ssh

scheduler max-task-time 5000



Cisco Employee

Re: 827 to PIX 515 VPN advice

I would use EzVPN in this scenario, and with the "connect auto" command the tunnel will always try and establish itself as long as the router is running. If you set it up in Network Extension mode then you'll still have access to the internal hosts, split tunnelling is also supported which is what you're currently doing.

You'll need 12.2(8)YJ1 on the router, and you can read how to configure it here:

It basically turns your router into a VPN client, rather than a LAN-to-LAN tunnel like you have now. The config on the head-end is also shown in this link. Use the example WITHOUT XAuth, otherwise you'll have to have someone at the remote end manually authenticate before the tunnel will come up each time.
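As an added example (not the poster's config and not the reply's), this is the shape of the EzVPN Remote profile the reply describes, with a matching PIX 6.x head-end that hands out the split-tunnel list; every name in capitals is a placeholder, and the PIX portion is written from memory, so check it against the head-end example in the linked document.

```cisco
! Added example, not from the thread. Placeholders to fill in: GROUPNAME, GROUPKEY,
! PIX_OUTSIDE_IP, CORP_NET/CORP_MASK, SOHO_NET/SOHO_MASK. Needs 12.2(8)YJ1+ on the 827.
!
! --- 827 (EzVPN Remote, Network Extension mode, no XAuth) ---
crypto ipsec client ezvpn SOHO
 connect auto
 group GROUPNAME key GROUPKEY
 mode network-extension
 peer PIX_OUTSIDE_IP
!
! EzVPN replaces the LAN-to-LAN crypto map; the two are not combined on one interface.
interface Dialer1
 no crypto map pix
 crypto ipsec client ezvpn SOHO
!
interface Ethernet0
 crypto ipsec client ezvpn SOHO inside
!
! --- PIX 515 head-end (PIX 6.x syntax, assumed; no XAuth) ---
! SPLIT lists the corporate destinations that go through the tunnel; anything
! else from the SOHO LAN leaves the 827 unencrypted via the PPPoE default route.
access-list SPLIT permit ip CORP_NET CORP_MASK SOHO_NET SOHO_MASK
vpngroup GROUPNAME password GROUPKEY
vpngroup GROUPNAME split-tunnel SPLIT
crypto ipsec transform-set pix-set esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set pix-set
crypto map ezvpn 10 ipsec-isakmp dynamic dynmap
crypto map ezvpn client configuration address respond
crypto map ezvpn interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
sysopt connection permit-ipsec
```

On the 827, `show crypto ipsec client ezvpn` and `show crypto isakmp sa` confirm the profile is active and the SA came up without any LAN traffic.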

Community Member

Re: 827 to PIX 515 VPN advice


Thanks for your reply. I'm already digging into the EzVPN documentation. Sounds like that is the best long-term solution for not just this setup, but for many others as well.

If you have a second I'd appreciate your advice about the setup if I weren't using EzVPN. I haven't been able to find much on pros/cons of tunnel termination on virtual interfaces. Also, how can I manually configure the setup to achieve the same results as the Network Extension mode of EzVPN? Lastly, is it at all possible to get that tunnel to establish itself w/o EzVPN (like maybe a RIP update to generate traffic...)?

Thanks again!

