From the conversation title you can see I'm interested in the mystery 3rd interface on the 3020. The reason why I ask is specific however: I want to allow VPN client connections to the 3020 to go down other L2L connections configured on the same 3020.
I have found a way to do this but I consider it a kludge. For anyone who is interested I created a NAT rule so that an IP from the client pool wanting to access the remote networks (defined in the L2L configs) would be PATed to an address that was itself included in the local networks (again defined in the L2L configs). That way the VPN client's packet would hit the concentrator, be decrypted, hit the NAT rule, see that the packet was now src and dest matched to an IPSec SA and go back out the appropriate L2L tunnel.
Now this is all well and good .... BUT: I would really like to bring our Pix FW into this i.e. have the traffic pass through and be processed by the firewall before it went back out a L2L tunnel. As you probably know PIX 6.3 does not like to send traffic back out the same interface it came in on ... which leads to my question re: the mystery 3rd interface.
However there are of course going to be routing issues ... or are there? Does the concentrator regard an IPSec SA match higher than a route? There is an attached gif that shows the basic topology of this issue.
If pool address 18.104.22.168 wants to get to Remote Office at 22.214.171.124, and I have a route on the concentrator sending traffic destined for 126.96.36.199 out Eth 3 and into a spare Pix interface, and the Pix has a route sending 188.8.131.52 to Private interface Eth 1 on the concentrator, will I have a loop, or will the IPSec SA match (local 184.108.40.206; remote 220.127.116.11) step in and encrypt the traffic and shove it down the L2L tunnel?
If not, what else is the third interface for? And is there another way to achieve my wish of having 18.104.22.168 traffic go through the Pix before it goes back to the concentrator for L2L tunneling.
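To make the NAT workaround from the post concrete, here is a small Python model (added here, not code from the original post or from any Cisco product) of what happens to a decrypted VPN-client packet: it passes the NAT rules first, then is checked against the L2L SA selectors. The network masks, the role of each network and the PAT address are assumptions; the post only names single hosts. The model deliberately does not decide the route-versus-SA precedence question asked above, since the post leaves that open.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample values for this example. The post gives only single
# host addresses; the /24 masks and the network roles are assumptions.
CLIENT_POOL = ipaddress.ip_network("18.104.22.0/24")      # VPN client address pool
PRIVATE_LAN = ipaddress.ip_network("184.108.40.0/24")     # local network behind the concentrator
REMOTE_OFFICE = ipaddress.ip_network("220.127.116.0/24")  # network behind the L2L peer
PAT_ADDRESS = ipaddress.ip_address("184.108.40.206")      # address inside PRIVATE_LAN used for PAT


@dataclass(frozen=True)
class IPsecSA:
    """One L2L tunnel, described by its local/remote traffic selectors."""
    name: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        # An SA only protects traffic whose source is in the local selector
        # and whose destination is in the remote selector; a client-pool
        # source therefore never matches unless it is translated first.
        return src in self.local and dst in self.remote


@dataclass(frozen=True)
class NatRule:
    """Source PAT: rewrite the source when src/dst fall in the given networks."""
    match_src: ipaddress.IPv4Network
    match_dst: ipaddress.IPv4Network
    translate_to: ipaddress.IPv4Address

    def apply(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
        if src in self.match_src and dst in self.match_dst:
            return self.translate_to
        return src


# The L2L tunnel and the NAT rule described in the post (constructed values).
SAS = [IPsecSA("remote-office", PRIVATE_LAN, REMOTE_OFFICE)]
NAT_RULES = [NatRule(CLIENT_POOL, REMOTE_OFFICE, PAT_ADDRESS)]


def forward_decrypted_packet(src: str, dst: str,
                             sas: Iterable[IPsecSA],
                             nat_rules: Iterable[NatRule]) -> Optional[str]:
    """Model the path of a packet that has just been decrypted from a VPN
    client: apply NAT, then look for an SA whose selectors match.
    Returns the name of the SA that would re-encrypt the packet, or None
    when no selector matches (what the device does with such a packet,
    forward in the clear or drop, is policy this model does not decide)."""
    src_addr = ipaddress.ip_address(src)
    dst_addr = ipaddress.ip_address(dst)
    for rule in nat_rules:
        src_addr = rule.apply(src_addr, dst_addr)
    for sa in sas:
        if sa.matches(src_addr, dst_addr):
            return sa.name
    return None


if __name__ == "__main__":
    client, remote_host = "18.104.22.168", "220.127.116.11"
    print("without NAT:", forward_decrypted_packet(client, remote_host, SAS, []))
    print("with NAT   :", forward_decrypted_packet(client, remote_host, SAS, NAT_RULES))
```

The first call returns `None`: the pool address is outside the SA's local selector, so nothing re-encrypts the packet. The second returns `"remote-office"`, which is exactly the effect the PAT rule relies on. The model also makes the cost visible: every client is collapsed onto one PAT address, so the remote office's logs no longer distinguish individual VPN clients, which matters for auditing.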