Cisco PIX 500 Series Security Appliances

LAN-to-LAN IPSec Tunnel Between the Cisco VPN 3000 Concentrator and PIX Firewall Configuration Example


The goal of this sample configuration is to connect a private network behind a Cisco PIX Firewall to a private network behind the Cisco VPN 3000 Concentrator. The devices on the networks know each other by their private addresses.

Refer to IPsec: Router-to-PIX Security Appliance 7.x and Later or ASA Configuration Example for more information about the LAN-to-LAN tunnel configuration between a router and Cisco PIX/ASA Security Appliances.

Refer to IPsec Tunnel Between PIX 7.x and VPN 3000 Concentrator Configuration Example for more information when the PIX has software version 7.x.

Refer to LAN-to-LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example for more information about the L2L IPSec tunnel configuration between a Cisco VPN 3000 Concentrator and router with Advance Encryption Standard (AES).



There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • PIX Software 6.3(1)

  • VPN 3000 Concentrator with 4.0.1

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


Refer to Cisco Technical Tips Conventions for more information on document conventions.


In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:



Configure the PIX

PIX Firewall Configuration
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname sv2-11
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521

!--- Access control list (ACL) for interesting traffic !--- to be encrypted over the tunnel.

access-list 101 permit ip 
pager lines 24
mtu outside 1500
mtu inside 1500

!--- IP addresses on the interfaces.

ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
no failover   
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
global (outside) 1 interface

!--- Binding ACL 101 to the Network Address Translation (NAT) statement !--- to avoid NAT on the IPSec packet.

nat (inside) 0 access-list 101
nat (inside) 1 0 0

!--- Default route to the Internet.

route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- The sysopt command avoids conduit on !--- the IPSec-encrypted traffic.

sysopt connection permit-ipsec

!---- IPSec policies

crypto ipsec transform-set aptset esp-3des esp-md5-hmac 

!--- Setting up the tunnel peer, encryption ACL, and transform set.

crypto map aptmap 10 ipsec-isakmp
crypto map aptmap 10 match address 101
crypto map aptmap 10 set peer
crypto map aptmap 10 set transform-set aptset

!--- Applying the crypto map on the interface.

crypto map aptmap interface outside
isakmp enable outside

!--- Pre-shared key for the tunnel peer.

isakmp key ******** address netmask 

!--- IKE policies

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end

Configure the VPN Concentrator

Complete these steps in order to configure the VPN Concentrator.

Note: This example was performed in a lab environment by accessing the VPN Concentrator through the console port and adding a minimal configuration (see steps 1 and 2) so that the additional configuration is done through the graphical user interface (GUI).

  1. Go to Administration > System Reboot > Schedule reboot > Reboot with Factory/Default Configuration and reboot.

  2. When the VPN Concentrator comes up in Quick Configuration mode after you reboot, configure basic device information:

    • Time/Date

    • Interfaces/Masks in Configuration > Interfaces (public=, private=

    • Default Gateway in Configuration > System > IP routing > Default_Gateway >

    The VPN Concentrator is now accessible through the GUI from the inside network.

    Note: You can also manage the VPN Concentrator from the outside. Refer to How to Manage the VPN 3000 Concentrator from the Public Network for more information.

  3. Launch the GUI and go to Configuration > Interfaces in order to confirm the interfaces.

    Note:  The interface that terminates the tunnel should have a filter applied to it. In this case, the public interface has the public (default) filter applied. Rules are automatically added later to the applied filter on the IPSec interface.


  4. Go to Configuration > System > Tunneling Protocols > IPSec LAN-to-LAN > Modify or Add in order to configure the IPSec LAN-to-LAN tunnel. Click Apply when you are finished.

    In this example, the necessary information for the outside interface of the PIX is populated.


  5. On the confirmation page that displays the automatically configured parameters, click OK in order to accept the configuration.

    Note: Do not modify these LAN-to-LAN settings.


  6. Go to Configuration > Policy Management > Traffic Management > Assign Rules to Filter in order to confirm that the rules have been created and applied correctly.

    Rules are automatically created and added to the filter applied to the IPSec interface. In this case, the public (default) filter that is applied to the public interface has new rules added to it by the configuration.


  7. On the confirmation page that displays the automatically configured group information, click Apply in order to accept the group settings.

    Note: Do not modify these group settings.


  8. On the confirmation page that displays the automatically created security association (SA), confirm that the SA appears in the list of IPSec SAs.


  9. Go to Configuration > System > Tunneling Protocols > IPSec > IKE Proposals in order to confirm that the IKE proposals are shown as active.



There is currently no verification procedure available for this configuration.


This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands on the PIX

Note: Refer to Important Information on Debug Commands before you use debug commands.

  • debug crypto engine—Shows the traffic that is encrypted.

  • debug crypto ipsec—Use to see the IPSec negotiations of phase 2.

  • debug crypto isakmp—Use to see the Internet Security Association and Key Management Protocol (ISAKMP) negotiations of phase 1.

Troubleshooting on the VPN Concentrator

These debug options are individually available if you go to Configuration > System > Events > Classes > Add.

  • IKE






Go to Monitoring > Event Log and click Get Log in order to see the actual debug.


Go to Monitoring > Statistics > IPSec in order to see IPSec status.


Related Information