Several points to make on this.

1) How are you using 192.168.x.x/28 on Serial0/0, your external interface? (Should this not be your only valid IP? And why a /28 on a Serial unless you are using Frame?) I am now assuming you would change this to something like:

interface Serial 0/0
 ip address live/30

2) If you are using NAT on the router, then you may not VPN to the PIX, making the router the only possible VPN end-point. Obtain a VPN license for your router platform, or plan to redesign slightly.

3) If you ARE using 192.168.x.x/28 on your Serial, even your router is not accessible from the public Internet, making it entirely impossible for you to VPN.

4) You will have problems passing VPN traffic through the PIX without completely opening it up anyway.

May I suggest a possible redesign of the network?

I never totally understood the use of what I like to call "Double-NAT", especially when only a wire exists between 2 devices. This adds processing and memory overhead onto the router that is not necessary, especially in today's world. May I suggest using live IPs up to the PIX box... or better yet, obtaining a WAN interface identical to your S0/0 on the router and placing it directly in the PIX; this will free up the router for lab uses. You then simply NAT once on the PIX, and to add VPN, you can simply load the VPN module into the PIX OS.

Solution 2: Use live IPs on the segment between the router and PIX, add a switch or better yet a hub between the two, and add a VPN appliance, such as a Nortel Networks Contivity, or if you like to stay an "All Cisco" shop, a VPN Concentrator 3002. This will accomplish many things:

- VPN troubleshooting will not cause downtime on the PIX
- Router processing/memory demands lowered; it is merely routing now
- Throughput increased due to packets only going through 1 translation
- VPN is direct into the internal network
- VPN is the only task for the box chosen

Currently where I work, we have traditionally been using a Nortel Contivity 1500 as a hub of 18 branch-office VPNs, using smaller Contivity units for branch-to-branch, and also as the single corporate VPN endpoint for user-to-HQ tunnels. In the 3 years it was in service, it was downed twice: once for a move, and once due to replacing the UPS with an APC 16KVa. Both times were of no fault of the equipment.

Recently, we have replaced everything with Cisco product (6509, 7200VXR, VPN3002, 2xPIX, 3600, 2600). Catalyst reboots are about every 2 weeks, the 7200 came with a faulty Sup blade, the VPN 3000 has been rebooted twice in the last month because of hiccups so it will not allow any more connections... so far no problems with the x600 routers or the PIX firewalls that were not programming errors. All in less than 2 months. It will be happy days to see it all go away in 2 years when the lease expires. I will just be happy when they finally unplug the Contivity 1500 in 2 weeks and give it to us for our lab LAN.

Note: With the arrival of all the Cisco gear, I was released from my responsibilities to help maintain the network, and now only run a lab network based on the old equipment (HP & Nortel L2 switches, Nortel Passport L3 switches, Cisco 1600, 2500, 2600 routers, Compaq ML350 servers running Unix, Win2k, and soon WinXP).

I wish you luck in finding the solution that works for you. Do not fear approaching management saying that a slight redesign is required to offer the VPN solution. The money they will save by employees working from home, and the increased productivity from those same employees, will more than pay for any new equipment, or the time required to add the technology, in a very short period of time.

--
Regards,
Trevor J Corness, CCNA CCDA JNCIS NNCSS MCSE MCP+I
Systems Engineer, Data Services
Radian Communication Services Corporation
http://www.radiancorp.com

On September 26, 2001 03:26 am, Ramesh c wrote:
> Hey Guys,
>
> My setup as follows
>
> Internet ------ Router -------- PIX ------ Internal network
>
> We are using a 192.168.x.x network and using NAT to change to valid IP
> address. So when I need to set up VPN should I use the 192.168.x.x or the
> valid IP address?
>
> My internet router config
>
> interface FastEthernet0/0
>  ip address 192.168.y.x 255.255.255.252
>  ip nat inside
>
> interface Serial0/0
>  ip address 192.168.x.x 255.255.255.240
>
> Also, which is advisable:
> 1) VPN to router or VPN to PIX?
>
> Pls explain in detail...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=21718&t=21120
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
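Points 1) to 3) of the reply above can be checked mechanically before anyone touches the router: is the Internet-facing Serial interface carrying an RFC 1918 address (so the router is unreachable from the Internet and cannot terminate a VPN), is it a /28 where a point-to-point link only needs a /30, and is "ip nat inside" configured with no "ip nat outside" partner (IOS NAT translates nothing without both). The script below is an added example written for this page, not code from the thread or from either poster; the two sample configs are constructed, with the posted x/y octets replaced by 192.168.1.x/192.168.2.x for the original and RFC 5737 documentation addresses (203.0.113.x) standing in for the "live" IPs the reply recommends. Treating any Serial interface as Internet-facing is an assumption that fits the posted topology, not a general IOS rule.

```python
"""
Audit an IOS edge-router config for the problems raised in the reply:
  - RFC 1918 address on the Internet-facing Serial interface (router not
    reachable from the Internet, so it cannot be a VPN endpoint)
  - /28 on a point-to-point serial link (a /30 is all it needs)
  - "ip nat inside" with no "ip nat outside" interface (NAT translates nothing)
Added example, not from the thread. Sample configs below are constructed
with placeholder addresses (192.168.x.x and RFC 5737 203.0.113.x).
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_interfaces(config: str) -> dict:
    """Map interface name -> {"address": IPv4Interface or None, "nat": set of "inside"/"outside"}."""
    ifaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface\s+(.+)$", line)
        if m:
            current = m.group(1).replace(" ", "")  # "Serial 0/0" and "Serial0/0" name the same port
            ifaces[current] = {"address": None, "nat": set()}
            continue
        if current is None or not line.startswith(" "):
            current = None  # a non-indented line ("!", "router ...") ends the interface stanza
            continue
        body = line.strip()
        m = re.match(r"^ip address (\S+) (\S+)$", body)
        if m:
            # IOS writes a dotted netmask; normalise to a prefix length via IPv4Network
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            ifaces[current]["address"] = ipaddress.IPv4Interface(f"{m.group(1)}/{net.prefixlen}")
        elif body in ("ip nat inside", "ip nat outside"):
            ifaces[current]["nat"].add(body.split()[-1])
    return ifaces


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def audit(config: str) -> list:
    """Return a list of findings; an empty list means none of the three problems is present."""
    ifaces = parse_interfaces(config)
    findings = []
    nat_roles = set()
    for name, info in ifaces.items():
        nat_roles |= info["nat"]
        addr = info["address"]
        if addr is None:
            continue
        is_serial = name.lower().startswith("serial")
        # Assumption for this topology: the Serial link (or whatever carries
        # "ip nat outside") is the Internet-facing side.
        internet_facing = is_serial or "outside" in info["nat"]
        if internet_facing and is_rfc1918(addr.ip):
            findings.append(
                f"{name}: RFC 1918 address {addr} on the Internet-facing interface; "
                "the router is unreachable from the Internet and cannot be a VPN endpoint"
            )
        if is_serial and addr.network.prefixlen < 30:
            findings.append(
                f"{name}: /{addr.network.prefixlen} on a point-to-point serial link; a /30 is all it needs"
            )
    if "inside" in nat_roles and "outside" not in nat_roles:
        findings.append("ip nat inside is set but no interface has ip nat outside; NAT translates nothing")
    return findings


# Constructed stand-in for the posted config (x/y octets filled with placeholders).
ORIGINAL_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.252
 ip nat inside
!
interface Serial0/0
 ip address 192.168.1.1 255.255.255.240
!
"""

# Constructed version of the suggested redesign: live IPs (RFC 5737 placeholders)
# on a /30 to the provider and a /30 to the PIX, no NAT on the router at all.
FIXED_CONFIG = """\
interface FastEthernet0/0
 ip address 203.0.113.9 255.255.255.252
!
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
!
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("redesigned", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in audit(cfg) or ["no findings"]:
            print(" -", f)
```

Run it as-is to see the three findings against the original layout and none against the redesigned one; point `audit()` at a `show running-config` dump to check a real box. The script only reads the interface stanzas, so NAT pools and access lists are ignored; it flags the layout problems, not whether the translation rules themselves are right.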