Cisco Support Community

New Member

Cisco VPN Client/Safenet SofToken II/ VPN Concentrator --->Bank VPN Conctr

I have a request from Fleet support users to open up UDP 500/10000 for IPSEC access from a bank's VPN dialer software (using Cisco VPN Client Software and SofToken II), to connect to this bank's VPN Concentrator. My question is: is there a way I can configure my local 3030 Concentrator so the user can log in locally to TxDOT's concentrator and connect to this bank's concentrator, so I will have better internal security? I haven't been able to talk with the bank's network person yet, but I'd assume they may hesitate to allow a LAN-LAN VPN connection.

Therefore, any suggestions on configurations on how to use my local Concentrator as a relay between the VPN client software and the bank's Concentrator? Any hints/tips/advice is greatly appreciated.

Brian Kalstad

Cisco Employee

Re: Cisco VPN Client/Safenet SofToken II/ VPN Concentrator --->B


The clients that connect to your VPN 3000 must be assigned an IP in a network that is being tunneled across the L2L to the Bank VPN 3000.

So if your LAN-to-LAN is configured for Network Lists, then define the IP address pools, to hand out to the clients, from a network in the NetList.

This should work!!!
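
A check for the condition described in the reply above, as an added example that is not part of the original thread or Cisco's tooling: it verifies that a client address pool lies entirely inside the networks tunneled across the LAN-to-LAN. The address/wildcard-mask entry format, the addresses, and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: networks tunneled over the LAN-to-LAN, one per line,
# written as address/wildcard-mask (assumed format; wildcard = inverted netmask).
L2L_NETWORK_LIST = """
10.20.0.0/0.0.255.255
192.168.50.0/0.0.0.255
"""

def parse_network_list(text):
    """Turn address/wildcard-mask entries into merged ip_network objects."""
    nets = []
    for entry in text.split():
        addr, _, wildcard = entry.partition("/")
        # Invert the wildcard mask to get a conventional subnet mask.
        netmask = ipaddress.IPv4Address(
            int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
        # Raises ValueError on host bits or a non-contiguous mask.
        nets.append(ipaddress.ip_network(f"{addr}/{netmask}"))
    # Merge adjacent entries so a pool spanning two of them still passes.
    return list(ipaddress.collapse_addresses(nets))

def uncovered_blocks(pool_start, pool_end, networks):
    """Return the CIDR blocks of the pool that no tunneled network covers."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end))
    return [b for b in blocks if not any(b.subnet_of(n) for n in networks)]

if __name__ == "__main__":
    nets = parse_network_list(L2L_NETWORK_LIST)
    # Constructed client pools (range start, range end).
    pools = [
        ("10.20.30.1", "10.20.30.254"),       # inside the first entry
        ("172.16.5.1", "172.16.5.50"),        # outside every entry
        ("192.168.50.200", "192.168.51.10"),  # runs past the second entry
    ]
    for start, end in pools:
        missing = uncovered_blocks(start, end, nets)
        if missing:
            print(f"{start}-{end}: NOT tunneled ->",
                  ", ".join(str(b) for b in missing))
        else:
            print(f"{start}-{end}: fully inside the L2L network list")
```

Clients assigned an address from any block reported as not tunneled would connect to the local concentrator but their traffic would not match the LAN-to-LAN.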


New Member

Re: Cisco VPN Client/Safenet SofToken II/ VPN Concentrator --->B

OK, that helps, but if the bank is hesitant about doing the LAN-2-LAN VPN, is there a way I can "proxy" my 3030 as the client, and have my user log in to my Concentrator to connect to the bank? All the user does once the VPN is connected is TN3270 (port 23) to the bank's mainframe. Any ideas?

Brian Kalstad

Cisco Employee

Re: Cisco VPN Client/Safenet SofToken II/ VPN Concentrator --->B

I am afraid it is not possible, unless you have a LAN-LAN setup which can be used to route the traffic over to the bank's VPN3K.


The bank folks can lock down (if needed) the ports with which you connect via LAN-LAN and allow only TN3270 sessions through, while at the same time clients connecting to your VPN3K can also be restricted to be allowed TN3270 traffic using a filter on the group.
