Cisco Support Community
Community Member

VPN Concentrator to route traffic between end-point peers?

Have the following setup:

Site A (PIX501) connects to the central hub site (3015).

Site B (PIX501) also connects to the central hub site.

There is no tunnel set up between SiteA and SiteB.

What I've been trying to do is to get traffic from SiteA to SiteB, via the Concentrator.

At first I thought this might not be possible, but it does work. Here's how:

At the endpoint PIXes add the other endpoint subnet to the ACL that matches the crypto map and the NAT 0 rule. (SiteA's ACL will contain the subnets at the hub site and at SiteB.)

On the hub site concentrator set up a new Network List containing ALL these subnets (three in this case). Then edit the Rules for the LAN-to-LAN tunnels by changing the destination list for the incoming filter rule and the source list for the outgoing rule to the new list containing all the subnets.

This is what my log said before changing the rules:

222 06/16/2003 10:08:49.330 SEV=4 IKE/61 RPT=6

Group []

Tunnel rejected: Policy not found for Src:, Dst:!

After changing them:

329 06/16/2003 10:20:21.380 SEV=4 IKE/120 RPT=5

Group []

PHASE 2 COMPLETED (msgid=560eddc7)

330 06/16/2003 10:20:21.560 SEV=4 IKE/41 RPT=16

IKE Initiator: New Phase 1, Intf 2, IKE Peer

local Proxy Address, remote Proxy Address,

SA (L2L: PIX1)

I now have a connection up from SiteA ( going via the 3015 to SiteB (

Now for the questions:

* Is this setup something that will adversely affect the performance of the Concentrator?

* Has anyone used this type of setup in a large production network?

* Is there any documentation/text about this kind of setup?

Grateful for any input!
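Spoke-side configuration for the setup described in the post above, as an added example that is not part of the original post. The addresses and names are hypothetical: Site A LAN 10.1.0.0/24, Site B LAN 10.2.0.0/24, hub LAN 10.0.0.0/24, concentrator public address 203.0.113.1, ACL names nonat and hubvpn, crypto map name tohub. It assumes PIX OS 6.3 (the first release with AES). Only the two ACL entries for the Site B subnet are new compared with a plain hub-and-spoke tunnel; the matching change on the 3015 (the all-subnets Network List applied to the LAN-to-LAN filter rules) is done in the concentrator GUI as the post describes and is not shown here. Lines beginning with ":" are comments.

```cisco
: Site A PIX 501 (hypothetical addresses, see lead-in)
: Site A LAN 10.1.0.0/24, hub LAN 10.0.0.0/24, Site B LAN 10.2.0.0/24
:
: NAT exemption: traffic to the hub LAN AND to Site B must keep its real source
: address, otherwise the packet leaves with the outside address and never
: matches the crypto ACL below
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list nonat
:
: Crypto ACL: the same two entries. The second line is what makes the PIX
: propose the SiteA<->SiteB pair as Phase 2 proxy identities to the hub;
: without it the hub is never asked for that SA at all.
access-list hubvpn permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list hubvpn permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
:
: Single LAN-to-LAN tunnel to the concentrator; all remote subnets ride it
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map tohub 10 ipsec-isakmp
crypto map tohub 10 match address hubvpn
crypto map tohub 10 set peer 203.0.113.1
crypto map tohub 10 set transform-set strong
crypto map tohub interface outside
:
isakmp enable outside
isakmp key ******** address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
:
: Let decrypted tunnel traffic bypass the outside interface ACL
sysopt connection permit-ipsec
```

Site B gets the mirror image (its own LAN as source, hub LAN and 10.1.0.0/24 as destinations). The "Policy not found for Src, Dst" rejection in the post is the concentrator refusing a Phase 2 proposal whose proxy identities are not covered by the tunnel's filter rules, so the spoke-side ACLs and the hub-side Network List have to agree exactly; after the first spoke-to-spoke packet, `show crypto ipsec sa` on Site A should list an SA with local ident 10.1.0.0/24 and remote ident 10.2.0.0/24 toward peer 203.0.113.1. One point worth keeping in mind: replacing each tunnel's filter lists with the list of all subnets means every spoke can reach every other spoke through the hub. If only some spoke pairs should talk, build per-tunnel lists that contain just the permitted remote subnets instead of one list for all.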

Cisco Employee

Re: VPN Concentrator to route traffic between end-point peers?

This kind of setup is quite common, so you're not doing anything the concentrator wasn't designed to do. In fact, if you search through the archives of this forum, I've told probably half a dozen people to do exactly this previously, so good work in finding it for yourself.

For the concentrator there's really very little additional work here compared with packets simply coming in from one tunnel and going onto the private network. It simply decrypts the packet as it comes in, checks that it has to go over another tunnel, re-encrypts it and sends it on.

I don't know that this is documented anywhere specifically, but as I said, it's quite a common setup and the way you configured it is exactly how you must do it for one tunnel to talk to another.
