LAN-to-LAN VPN with PIX501 to VPN3030 Concentrator
Hi, I am trying to set up a LAN-to-LAN VPN connection between a PIX501 and a VPN3030 concentrator. The PIX can connect using a preshared key and the concentrator recognises it as a defined LAN-to-LAN connection. From the PIX I can ping the public interface of the concentrator. The PIX also connects to the internet through PPPoE. This only works if on the concentrator the LAN-to-LAN connection is configured for routing with network auto discovery on both ends. As soon as I use a wildcard mask or a predefined network from the networks list, the tunnel doesn't come up anymore. Using the working config on the PIX with network auto discovery on the concentrator I am not able to ping the private interface of the concentrator. When using Reverse Route Injection in the LAN-to-LAN setup the concentrator has the remote network behind the PIX in its routing table, but when the PIX tries to establish the VPN connection I always get a QM FSM error in the concentrator event log and the tunnel doesn't go up, because of some missing SA for src:0.0.0.0 and dest:0.0.0.0. Right after setting the LAN-to-LAN connection back to network auto discovery the tunnel comes up again, but the concentrator doesn't know of the network behind the PIX. I already took a look at the samples at the Cisco VPN3000 site, but I can't get this working. Maybe someone of you can help me with this.
Re: LAN-to-LAN VPN with PIX501 to VPN3030 Concentrator
The biggest problem with a VPN3000 is routing. The routing table is not used to find the longest match for an IP address; it basically uses it similarly to an access-list. It sends the packets down the first route that matches. If the network behind the PIX is a subset of a larger network that is also listed in the table, the packets will probably go there instead. When I have built hub and spoke networks I have used network lists that are VERY specific for each spoke. This way the tunnels come up and traffic goes down the right one.
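As an added illustration that is not part of this thread, the Python below models the route-selection behaviour the reply describes (first matching route wins, as with an access-list) next to a conventional longest-prefix lookup, and includes a check that flags a spoke network shadowed by a broader route listed before it. All prefixes and tunnel names are constructed.

```python
import ipaddress

# Constructed routing table in configured order: a broad hub-side route
# listed before the more specific network behind the spoke PIX.
ROUTES = [
    ("10.0.0.0/16", "tunnel-to-hub"),
    ("10.0.5.0/24", "tunnel-to-spoke-pix"),
]


def first_match(dst, routes=ROUTES):
    """Access-list style lookup: the first route whose prefix contains
    dst wins, no matter how specific later entries are."""
    addr = ipaddress.ip_address(dst)
    for prefix, nexthop in routes:
        if addr in ipaddress.ip_network(prefix):
            return nexthop
    return None


def longest_match(dst, routes=ROUTES):
    """Conventional longest-prefix match, for comparison."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def audit_overlaps(routes=ROUTES):
    """Return (shadowed, its nexthop, shadowing, its nexthop) for every route
    that sits inside a broader route listed earlier in the table."""
    nets = [(ipaddress.ip_network(p), nh) for p, nh in routes]
    shadowed = []
    for i, (net, nh) in enumerate(nets):
        for earlier, earlier_nh in nets[:i]:
            if net != earlier and net.subnet_of(earlier):
                shadowed.append((str(net), nh, str(earlier), earlier_nh))
    return shadowed


def most_specific_first(routes=ROUTES):
    """Reorder so first-match selection agrees with longest-prefix match."""
    return sorted(routes, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, reverse=True)


if __name__ == "__main__":
    host = "10.0.5.20"  # constructed host behind the spoke PIX
    print("first match   :", first_match(host))
    print("longest match :", longest_match(host))
    print("shadowed      :", audit_overlaps())
    print("after reorder :", first_match(host, most_specific_first()))
```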