Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco VPN 3000 Concentrator - On-a-stick

Need to know if the VPN 3000 concentrator can be setup with "on-a-stick" configuration.

I know we can do this with a Cisco router using a Loopback interface. But I am not sure if the Cisco 3000 Concentrators can do the "on-a-stick" VPN.

Cisco Employee

Re: Cisco VPN 3000 Concentrator - On-a-stick

Yes it can. The only thing you have to be aware of is the default Public filter on the public interface only allows PPTP/IPSec/ESP/ISAKMP type of packets in. If you then have unencrypted packets coming in and out of this interface, as you would in an "on-a-stick" setup, you need to change the filter on this interface to the Private filter (which is any-in/any-out type of filter).

New Member

Re: Cisco VPN 3000 Concentrator - On-a-stick

Thank you for answering the question.

After I posted the question, I have found out that it can be done. I'd some theory on it (exactly what you are saying) but had never implemented one.

We tested our setup yesterday and it worked.

For other members, just to let you know how this is done....

Configure the IPSec tunnel (or other tunnels) just as if you were configuring them in a regular setup. Have only one route in the concentrator i.e. the default route, pointing out the interface you want active. Additionally, you may shut down the other interface(s) that are not being used. Then comes the trick of configuring the on-a-stick.

Create rules that define the unencrypted traffic. You have to create rule-pairs, one of each direction. For example, if you want to have HTTP traffic that came over an encrypted tunnel go out the same interface (this is the on-a-stick part), then you have to create a rule for the outbound direction w.r.t. the unencrypted traffic and one for the inbound direction (which is the return/response traffic that went out). The direction is relative to the interface.


The traffic going out (after being unencrypted) will have destination port TCP/80. The traffic coming back from the web server will have SOURCE PORT TCP/80.

So, for every type of traffic you want to send/receive, there will be a rule-pair - one outgoing + one incoming.

Add these rules to the Public (Default) filter and you should be good to go. If the Public filter has been modified, then you may want to check the order of the rules just to make sure that there is nothing dropping the traffic before it hits its permit rule.

It is imperative that you be as specific as possible in defining the traffic. Especially when dealing with packets that have non-RFC 1918 IP address as they can be routed over the Internet.

If anyone wants further details on this subject, feel free to ping me at

CreatePlease login to create content