Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Using 2620xm and 837 for site-to-site

I'm looking into setting up a site-to-site VPN with several remote offices connecting back to our main site.

The remote locations will receive 837's, and the main site will have a 2620xm.

The 2620xm will sit between our border router and a PIX.

Will I be able to do this with the 1 existing fast ethernet port on the 2620xm, or will I need to get the VPN/AIM Module?


Re: Using 2620xm and 837 for site-to-site


you can do this using VPN module or w/o VPN module which basically depends upon the no concurrent tunnels which will be getting terminated and also the amount of traffic handled but the 2620 box.

in addition to the usage of VPN module will also suggest to check out the compatible ios codes for both 837 and 2620 which can support the required features.

Also checkup the necessary hardware requirements in your boxes to support the compatible ios codes.

You also required to take care of the routing in the border router and also the 2620 to have the reachability to the remote 837 boxes.

Do checkup whether you are gonna have permanent tunnels between the sites or on SVC basis.


New Member

Re: Using 2620xm and 837 for site-to-site

Current plans are for 3 or 4 remote offices to terminate to the 2620XM. Each office is relatively small (3 or 4 users currently using dial-up).

I will be using 2620XM using IOS Version 12.3(15a), and 837 using IOS Version 12.2(13)ZH4. I believe those versions have the necessary feature set.

Remote offices will have ADSL with speeds between 256-768k.

I guess I really have 2 concerns:

1) Since the 2620XM only has one fast ethernet port, will I need to create sub-interfaces for the traffic (ie: one with an external address and one with internal)?

2) With the routing, from the border router, do I need to route to the internal or external address of the 2620xm? Also, I believe we have multiple border routers (several different connections to the internet), so will I need to specify a particular route on the 837's, or will I need to configure the routing to the 2620xm on each of the border routers?

Our setup is slightly more complicated than the lab environment provided in Cisco training classes, so I'm getting a little confused with the logical setups.

Re: Using 2620xm and 837 for site-to-site


can u revert whether your border router ,perimeter router and your pix outside interface ip falls in the same ip block ?

if yes for which basic purpose you have put the 2600 router in between the pix and border router ?

Quite sometime back i have tried doing dynamic ipsec peering with some sites by binding the cyrpto map under a subinterface which didnt work for me and we recitied it by putting them on a whole new induvidual interface after which it started doing fine.

i have question for you here you cant you think of terminating ipsec tunnels in your PIX or if u feel thats not the secured way y cant ur border router. though i m not aware of the loading and the link conditions in border router i just want u to check out the feasible ways in getting the tunnels terminated.


New Member

Re: Using 2620xm and 837 for site-to-site

I believe all outside interfaces do fall on the same IP block. I'm still waiting for the formal documentation to determine exactly how everything is laid out.

I do have a PIX available (515), but I was sent to class and it only covered site-to-site VPNs using routers. Other than just being given the PIX, I don't have any experience using a PIX at all.

The original design was to terminate the VPNs to the PIX, using EZ-VPN, but the previous engineer was not able to get it working and the documentation left was not very helpful.

I don't have complete access to the perimeter/border router, and the person in charge is not totally committed to the idea of this site-to-site vpn. I can get routes added in the perimeter, but I don't think I'm going to be able to get authorization to actually terminate the vpn connections on that router.

Because it only has 1 fast ethernet interface, would I be better off getting something other than a 2620xm? Do they make a fast ethernet WIC for the 2620xm, or would I need to move up to the 2621xm? I can get other equipment. I believe I have a 3600 available as well, although the RAM and flash may be a little lacking.

If I can get these 3-4 sites working, the idea is to create a secondary vpn network company-wide. We obviously don't want to commit a lot of financial resources until we have a working model.

Would I be better off using the PIX 515?