Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Route VPN traffic - 2 networks, 3 PIX

Hi All,

I'm working on a situation where I need to do a LAN-to-LAN VPN, but where the "main" network already uses a PIX as their gateway.

Let me explain: Let's say we have 2 networks, and Currently, a PIX 515 services the network, and a 515 on the other, as well.

Now, we want a VPN between the 2 sites, but instead of the 515 to the 515, we want to use the remote 515 to connect to a PIX 506 at the Main site, to create the tunnel.

I've got the tunnel up and active, but am having a routing/NAT issue (I think).

The main site uses their PIX as their default gateway, so let's say it's, and I've assigned the 506 an inside address of On the .254, I tell it to route any traffic for the network to the .246 PIX.

I realize this is tough to explain, but basically nothing works but the tunnel. I am able to ping devices on the other side of the VPN, using the .254 device... so the traffic is being routed properly through there. I'm guessing this is some sort of NAT issue, but I enabled the NAT traversal command that I thought would fix this.

Anyone have any advice? I realize we could do the VPN from the 515 to the 515, but they don't want to do it that way...they want one device dedicated to VPN at the main site.

TIA, Mike


Re: Route VPN traffic - 2 networks, 3 PIX

Are you able to ping devices on the the other side of the tunnel from your main site pix cli or also from hosts at your main site? Also, if you could post sanitized configs, it would help.


New Member

Re: Route VPN traffic - 2 networks, 3 PIX

Keep in mind that the PIX won't send icmp redirects to the clients even though it knows how to get to that network. You have to have a router as a default gateway if you want the clients on the 506 side of the network to get redirected to the 506. Or, you could put persistent routes in the client machines.

You really would be much better off using the 515 to terminate the tunnel instead of the 506.