Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member



I have a Central site with a VPN 3030 Concentrator, off this I have a LAN to LAN VPN working to site (A). I also have remote access VPN working.

What I am trying to do is, get the client to dial in through the remote access VPN then pass down the LAN to LAN VPN to get to the site (A)

I have modified all the NAS lists on the Concentrator and all the ACL’s on site A PIX

My findings so far are

1) Remote client creates a VPN connection with the 3030 Concentrators and gets address assigned from a pool (remote access VPN established)

2) Remote client pings a box in site (A)

3) The ping packet passes down the remote access VPN to the 3030 Concentrator, then over the LAN to LAN VPN to site (A), the ICMP packet gets decrypted by the PIX and the box then reply’s to the ICMP packet.

4) The Packet then leaves the PIX from site (A) encrypted back up the LAN to LAN connection to the 3030 Concentrator in the central site.

5) It stops here, the 3030Concentrator dose not forward the ICMP packet up the remote access VPN to the remote client.

How I established the ICMP packet was getting form the remote client to site (A) through the 3030 Concentrator in the central site and from site (A) back to the 3030 Concentrator in the central site. I checked the SA encrypted and SA decrypted counters. From this I can see the ICMP packet’s getting to site (A) and leaving site (A).

Also the ACL incremented on the PIX in Site (A) for ICMP for that IP I have no sysopt connection permit ipsec command enable on the PIX at site (A) so the VPN is bound to an access-list.

So I can not get the concentrator to forward the packet back out the public interface to the remote access vpn user.

New Member


Hi Rick

I appreciate it prob took yu a fair time to write all that description - my answer trying not to be glib, but have you actively allowed ping replies to travel back out of the external facing PIX?



New Member



mate yep thanks for that, but I have allowed all the icmp taffic through the firewalls as i said the packet get back to the concentrator and then will not go up the remote access VPN to the client.

If you have any more please help

Thanks mate

Rick :-)

CreatePlease login to create content