Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

LAN2LAN VPN on SOHO97 & VPN3000 or PIX500

Hi all,

We have a situation:

1. We have DSL lines in branch offices.

2. We have SOHO97 DSL Routers.

3. In Central Office we have PIX 525 (with VPN Acceleration card) and VPN3000 for remote access.

4. We need to establish LAN-to-LAN VPN tunnel to remote locations.

I have found several examples on Cisco website, but I have not found "right" answer.

1. I have example, how to build VPN tunnel. But in example they use route-map to separate VPN & non-VPN traffic (i.e. Corp Traffic and Internet Traffic). This command is completely missing in SOHO97.

2. I can build GRE tunnel on SOHO97, but in examples they have GRE tunnel to VPN5000 only (and nothing for VPN3000 and PIX).

So, final question: How to marry them?



Re: LAN2LAN VPN on SOHO97 & VPN3000 or PIX500

To seperate traffic that you want to send accross unencrypted from traffic you want to encrypt, you can use split tunneling which is nothing but defining the traffic you want tunneled across using access lists. To configure split tunneling for your client-concentrator tunnel, create a network list to include all the networks you want the client to access over the VPN tunnel. This can be done (on the concentrator) by going to Configuration | PolicyManagement | Traffic Management | Network Lists and clicking on add. After defining the list, go to Configuration | User Management | Groups and select the group the VPN clients are connecting to. Under the split tunneling configuration option, select the network list you just created. When the client connects to the concentrator it will encrypt traffic only for the network specified. For all other traffic, the client will use the ISP connection.

With reference to your second question, I don't think that you can have a GRE tunnel to your concentrator just as you can't have a GRE tunnel to your PIX (... do cross check this though!!). The way I do the same is to configure the gre tunnel between the remote router and an internal router over the vpn, behind the concentrator. Configuration is simple and similar to the configuration that you will put in place with no vpn setup. All that you need to make sure is that just make sure that the gre tunnel traffic is classified as interesting.

CreatePlease to create content