Cisco Support Community
Community Member

Tunnel default gateway for Cisco VPN Clients

I have a 3005 Concentrator which terminates a number of site-to-site VPNs. The 'tunnel default gateway' on the concentrator is configured to be the PIX attached to the private interface of the concentrator.

The concentrator also terminates remote access VPN connections, which it does successfully, and users can talk to the office network through the PIX.

The problem lies when the users want to communicate over the site-to-site VPNs when connected via a remote access VPN. This works fine when the 'tunnel default gateway' is not set. However, when it is set, all the traffic from the remote access tunnel is sent to the PIX - including traffic destined for the site-to-site VPNs.

Is this the way the feature is intended to work, and if so, is there any way round it?

Many thanks,


Cisco Employee

Re: Tunnel default gateway for Cisco VPN Clients

The TDG is used when there is no better route in the 3005's routing table for whatever network the encrypted traffic is trying to get to. Since there's no better route, they're sent to the PIX which then won't send them back out the same interface back to the concentrator.

To resolve the issue in your case, just add static routes on the 3005 for the remote L2L networks and point them out the Public interface to the 3000's standard default gateway. This way they'll get routed by the 3005 back out the Public interface, the 3005 will see that it should go over one of the L2L tunnels and away you go.
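The routing decision the reply describes, as an added example that is not part of the thread or of any Cisco code: decrypted remote-access traffic is looked up with longest-prefix match, and the tunnel default gateway (TDG) is only the fallback when nothing more specific matches. All addresses, prefixes and interface names below are constructed placeholders; `with_static_routes` applies the fix from the reply (one static route per remote L2L network, out the Public interface) so you can see the next hop change from the PIX to the Public gateway.

```python
import ipaddress

# Constructed routing table for the concentrator: (prefix, next hop, interface).
BASE_ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "Public"),     # ordinary default route towards the ISP
    ("10.10.0.0/16", "10.1.1.1", "Private"),   # office LAN behind the PIX
]
# The PIX on the private interface, configured as tunnel default gateway (constructed).
TUNNEL_DEFAULT_GATEWAY = ("10.1.1.1", "Private")
# Networks reachable through the site-to-site (L2L) tunnels (constructed).
L2L_NETWORKS = ["192.168.50.0/24", "192.168.60.0/24"]


def route_tunnel_traffic(dst, routes, tdg=TUNNEL_DEFAULT_GATEWAY):
    """Pick the next hop for decrypted remote-access traffic destined to dst.

    Longest-prefix match over the routing table. When a TDG is configured it
    replaces the 0/0 default route for tunnel traffic, so that route is skipped
    and the TDG is used whenever no more specific route matches.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and tdg is not None:
            continue  # TDG takes over the default for tunnel traffic
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        return {"next_hop": tdg[0], "interface": tdg[1], "via": "tunnel default gateway"}
    return {"next_hop": best[1], "interface": best[2], "via": str(best[0])}


def egress_path(dst, routes, tdg=TUNNEL_DEFAULT_GATEWAY):
    """Route lookup plus the L2L check: traffic leaving Public that matches a
    site-to-site network is encrypted into that tunnel; anything else goes out
    whatever interface the lookup chose (the PIX for TDG fallback)."""
    decision = route_tunnel_traffic(dst, routes, tdg)
    ip = ipaddress.ip_address(dst)
    decision["tunnel"] = None
    if decision["interface"] == "Public":
        for net in L2L_NETWORKS:
            if ip in ipaddress.ip_network(net):
                decision["tunnel"] = f"L2L to {net}"
                break
    return decision


def with_static_routes(routes, public_gw="203.0.113.1"):
    """The fix from the reply: a static route per remote L2L network pointing at
    the standard default gateway on the Public interface (hypothetical values)."""
    return routes + [(net, public_gw, "Public") for net in L2L_NETWORKS]


if __name__ == "__main__":
    target = "192.168.50.7"  # a host at a remote L2L site (constructed)
    print("TDG set, no static routes :", egress_path(target, BASE_ROUTES))
    print("TDG set, static routes    :", egress_path(target, with_static_routes(BASE_ROUTES)))
    print("No TDG configured         :", egress_path(target, BASE_ROUTES, tdg=None))
    print("Office LAN, static routes :", egress_path("10.10.3.4", with_static_routes(BASE_ROUTES)))
```

Run it and compare the first two lines: with the TDG set and no static routes the L2L destination falls back to the PIX on Private, exactly the symptom in the question; once the static routes are present the same destination leaves via Public and is matched against an L2L tunnel, while office-LAN traffic still follows its more specific route to the PIX.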
