Cisco Support Community
New Member

VPN tunnel between pix & concentrator through isa2000?

Can I set up a VPN tunnel between a PIX and a concentrator if the PIX outside interface is on a private network (172.16.x.x)? I need to create a VPN tunnel, but the following topology is present and I don't know how to proceed:

Cisco 1850 (T1 Internet line)
ISA 2000 Firewall

I have one public IP and it is associated with the 1850 router. The 1850 does not have the VPN capable IOS/license and it only has one ethernet interface.

Can I put the pix behind the ISA 2000 box, port forward all IPSec traffic through the ISA to it, and be able to establish a site-to-site tunnel mode vpn with a concentrator out on the Internet by using the one public IP I have (since I'd be port forwarding all IPSec traffic)?

Other than what I've listed already, I have a new pix501 with the appropriate vpn licenses. Where can I incorporate the pix in a way that I can establish a vpn tunnel with a concentrator out on the internet and maintain the topology that is already present? Is that possible?


Re: VPN tunnel between pix & concentrator through isa2000?

I guess you can put the PIX on the ISA 2000 - 1850 LAN and run the PIX parallel to the ISA firewall. If it is behind the ISA, you might need to open some ports for IPsec establishment, and troubleshooting becomes really tough in this case.

You need to have a public IP on the PIX outside, which should be reachable from the Internet.

Hope this helps. All the best.


New Member

Re: VPN tunnel between pix & concentrator through isa2000?

Thanks for the reply. That's what I ended up doing, but the private LAN wasn't accessible from where they wanted to put the PIX, so I'm waiting for them to run a line from their telecom closet to their access closet. I hope to avoid the ISA altogether by putting a static route on the Win2000 server they want to access that will use the PIX's inside interface as the gateway to their IP.

Do you or anyone else see problems with this config? It seems like there is a lot of default stuff in there that I don't need. This PIX is simply for a VPN tunnel connection to provide one server on the remote side access to one server on the local side, and that's it. The remote side admin did go ahead and try establishing a tunnel even though the PIX had no active inside interface, and he said it failed in phase 2, but he had no errors, so the problem was likely on my side. We haven't troubleshot anything yet, but I wonder if there is anything in the config that could be wrong or potentially could cause me trouble. The ones I question are prefaced with ???.

Anyone's input is valuable...thanks.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password .He/HeBVxd0jDOWu encrypted
passwd .He/HeBVxd0jDOWu encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 101 permit ip host host
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
???global (outside) 1 interface
nat (inside) 0 access-list 101
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
???aaa-server TACACS+ protocol tacacs+
???aaa-server TACACS+ max-failed-attempts 3
???aaa-server TACACS+ deadtime 10
???aaa-server RADIUS protocol radius
???aaa-server RADIUS max-failed-attempts 3
???aaa-server RADIUS deadtime 10
???aaa-server LOCAL protocol local
???http server enable
???http inside
???no snmp-server location
???no snmp-server contact
???snmp-server community public
???no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer
crypto map newmap 10 set transform-set newmap
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address netmask
???isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
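The poster asks whether anything in the config above could cause the phase 2 failure or cause trouble later. The following is an added example, not code from the thread or from Cisco: a small lint pass that reads a PIX 6.3 configuration and reports the checks a reviewer would make by hand, namely crypto-map entries that reference a transform-set or access-list that is never defined (phase 2 then has no proposal to offer and the far side typically sees no useful error), a crypto map that is not bound to an interface with ISAKMP enabled, a `global` pool with no matching `nat` id, and management leftovers (SNMP community `public`, the PDM http server) that a tunnel-only box does not need. It handles any number of crypto-map entries, not just the one above. `SAMPLE_CONFIG` is constructed from the posted config; the addresses the poster removed are replaced with placeholders from the RFC 5737 documentation ranges and are not the poster's values.

```python
"""Added example (not from the thread): lint a PIX 6.3 config for tunnel-breaking
references and management leftovers. SAMPLE_CONFIG is constructed from the posted
config; all addresses are RFC 5737 documentation placeholders, not real values."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
PIX Version 6.3(5)
access-list 101 permit ip host 192.0.2.10 host 198.51.100.10
global (outside) 1 interface
nat (inside) 0 access-list 101
http server enable
snmp-server community public
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 203.0.113.1
crypto map newmap 10 set transform-set newmap
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
: end
"""


def config_lines(text):
    """Drop blank lines and PIX ':' marker lines; strip surrounding whitespace."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(":")]


def lint_pix_config(text):
    """Return a list of (severity, message) findings; severity is ERROR, WARN or INFO."""
    lines = config_lines(text)
    findings = []
    transform_sets, acls, nat_ids, isakmp_ifaces = set(), set(), set(), set()
    crypto_maps = defaultdict(dict)   # (map name, seq) -> {"acl"/"peer"/"transform-set": value}
    map_iface = {}                    # map name -> interface it is applied to

    # Pass 1: collect definitions and the fields of every crypto-map entry.
    for ln in lines:
        if m := re.match(r"crypto ipsec transform-set (\S+)", ln):
            transform_sets.add(m.group(1))
        elif m := re.match(r"access-list (\S+) ", ln):
            acls.add(m.group(1))
        elif m := re.match(r"nat \(\S+\) (\d+) ", ln):
            nat_ids.add(m.group(1))
        elif m := re.match(r"isakmp enable (\S+)", ln):
            isakmp_ifaces.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) interface (\S+)", ln):
            map_iface[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) (\d+) (.+)", ln):
            name, seq, rest = m.groups()
            entry = crypto_maps[(name, seq)]   # "ipsec-isakmp" line just creates the entry
            words = rest.split()
            if words[:2] == ["match", "address"]:
                entry["acl"] = words[2]
            elif words[:2] == ["set", "peer"]:
                entry["peer"] = words[2]
            elif words[:2] == ["set", "transform-set"]:
                entry["transform-set"] = words[2]

    # Pass 2: every crypto-map entry must be complete and reference objects that exist.
    for (name, seq), entry in crypto_maps.items():
        where = f"crypto map {name} {seq}"
        ts = entry.get("transform-set")
        if ts is None:
            findings.append(("ERROR", f"{where}: no transform-set configured"))
        elif ts not in transform_sets:
            findings.append(("ERROR", f"{where}: transform-set '{ts}' is not defined "
                             f"(defined: {', '.join(sorted(transform_sets)) or 'none'}); "
                             "phase 2 has no proposal to offer"))
        acl = entry.get("acl")
        if acl is None:
            findings.append(("ERROR", f"{where}: no 'match address' access-list"))
        elif acl not in acls:
            findings.append(("ERROR", f"{where}: access-list {acl} is not defined"))
        if "peer" not in entry:
            findings.append(("ERROR", f"{where}: no peer configured"))
        iface = map_iface.get(name)
        if iface is None:
            findings.append(("ERROR", f"crypto map {name} is not applied to any interface"))
        elif iface not in isakmp_ifaces:
            findings.append(("ERROR", f"isakmp is not enabled on {iface}, where {name} is applied"))

    # Pass 3: leftovers a tunnel-only box should not carry.
    for ln in lines:
        if m := re.match(r"snmp-server community (\S+)", ln):
            if m.group(1).lower() in {"public", "private"}:
                findings.append(("WARN", f"SNMP uses the well-known community '{m.group(1)}'; "
                                 "remove SNMP or set a non-default community"))
        elif ln == "http server enable":
            findings.append(("INFO", "PDM http server is enabled; disable it if the box is "
                             "only managed from console/SSH"))
        elif m := re.match(r"global \((\S+)\) (\d+) ", ln):
            if m.group(2) not in nat_ids:
                findings.append(("INFO", f"global ({m.group(1)}) {m.group(2)} has no matching "
                                 f"'nat ... {m.group(2)}' statement and is unused"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_pix_config(SAMPLE_CONFIG):
        print(f"{severity:5} {message}")
```

Run against the sample, the one ERROR it reports is the `set transform-set newmap` line, which names the crypto map rather than the transform-set `myset` defined two lines earlier; the `global (outside) 1` and SNMP findings are the INFO/WARN items corresponding to two of the `???` lines. The checks are string matching on the PIX 6.3 syntax shown on this page, so a config using a different release's syntax would need the regexes adjusted.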

