Cisco Support Community

New Member

VPN Concentrator network location in relation to router


We are currently running a VPN through the internet using IPSec tunnels (no GRE/IPSec yet). At our main office, we have a C3640 with one internet T1 and 30 tunnels to remote locations (static IPsec). Now, we are going to add a VPN 3000 series concentrator for remote access. I have been able to set up a VPN client connection to the 3640 from home using XP with the serial IP of the 3640 as my tunnel endpoint. It was suggested by our Cisco rep. to put one interface of the concentrator on our private IP ethernet LAN and the other on a separate switch/network, and the same with the 3640 (one ethernet int. on our private LAN and the other ethernet interface on the new switch with the concentrator). Since the serial IP of the 3640 is the only internet routable IP address, I am confused as to what the tunnel endpoint for the VPN client's IPSec tunnel will be to connect to the VPN concentrator. I have been searching for some documentation that shows diagrams of the devices, but haven't found anything that will shed some light. Any thoughts or links would be greatly appreciated.




Re: VPN Concentrator network location in relation to router

Normally, the network is designed such that the concentrator and another device (such as the PIX firewall) are parallel to each other and both forward their traffic to the network's Internet gateway, which is a router. All IPSec protected traffic is steered towards the Concentrator while all other unprotected/unreliable traffic passes through the firewall. You will ultimately use some variant of this setup and you will need additional IPs for that.

New Member

Re: VPN Concentrator network location in relation to router

We had to get a block of routable IPs from our ISP to create a DMZ where the VPN concentrator / VPN router will sit behind the T1 for the location (a 2620 will be used at the T1 to pass VPN traffic to either the VPN router or the VPN concentrator, depending on the destination IP). At first, we were trying this solution with only one internet routable IP...which seemed (and is probably) impossible. Thanks for the response and helping confirm what we need to do.
