pix-516 site to site


I set up P2 a couple of weeks ago. I used a DSL static IP Internet connection IN1. My hope was to be able to access R2 and the remote VLANs 1,2,3,4 from H1 once I got home... Not working out so well... Losing sleep over this one... I can get full access to P2 and have built numerous site to site tunnels and remote access VPN connections but can't seem to get to R2. (Please note that R2, S1 and all the other hosts on the network I'm trying to access are using the IN2 path as their default Gateway.) I have no idea which way to go here. It would seem that all I need to do is appear on the wire out of P2 as (unused IP in the /26) and voila, I'm on the network. Any help with a technology or concept would be hugely appreciated. Thank You. dan

Jon Marshall Thu, 06/14/2007 - 23:12


When you say the default gateway for R2 is IN2, does this mean you have added a route for H1 on R2 pointing back to P2? i.e.

ip route

If not then this won't work as far as I can see.


Hi Jon,

I suspect that a route will be necessary on R2 but would it be the H1 network or would it be the VPN pool network on P2 that hasn't been created yet. ie.

P2# (config) ip local pool vpnusers mask

R2 ip route

Is that all that's required?

Jon Marshall Fri, 06/15/2007 - 03:59

Hi Dan

Apologies, as I misinterpreted your question based on the title. I was assuming it was a site-to-site VPN but it is a client VPN, I think.

Still, you will need a route and yes, you are correct: in this instance it would need to be the VPN pool addresses and not the network addresses.


Any changes to R2 will be very difficult to make as this router is in Mexico and there is no technical staff available to make any changes.... I should have added the routes when I dropped in the 506... DOH! The ideal would be to get a single telnet session to R2 (which I had hoped I could do since the 506 was on the same network) and make any changes ie routes to the various vlans etc...

Jon Marshall Fri, 06/15/2007 - 04:27


Yes, you have a problem in that you cannot telnet from a PIX and the router defaults to IN2. Is there no way you could come in via IN2?

The only other thing I can think of is, if you have access to the PIX, you could NAT your source IP address to be the inside interface of the PIX. If you then allow telnet to the router from your source IP address it will get NATted to the internal IP address of your PIX. This is on the same subnet as R2, so R2 should route the packets back to P2.

Does this make sense ?


Here are the definitions I could find, and if I understand the concept... P2 will set the source address of my telnet session to R2 to be something on the VLAN 1 network, and when R2 responds P2 will NAT the correct destination back onto the packet? This sounds like what I'm looking for but I can't tell whether it's ip nat outside source static or ip nat inside source static or a combination of both. I really appreciate your help with this Jon. Thank You,

ip nat outside source static:

Translates the source of the IP packets that travel outside to inside.

Translates the destination of the IP packets that travel inside to outside.

ip nat inside source static:

Translates the source of IP packets that travel inside to outside.

Translates the destination of the IP packets that travel outside to inside.

Jon Marshall Fri, 06/15/2007 - 04:59


Let's assume your source IP address is

On the pix firewall

pix(conf t)# nat (outside) 1 outside

pix(conf t)# global (inside) 1 interface

This should translate your address to the inside IP address of the Pix.

Hope this helps and let me know how you get on.
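To make the return-path problem concrete, here is an added Python sketch (not from this thread, with constructed addresses) that models R2's forwarding decision for the three situations discussed: no route for the VPN pool, a static route on R2 pointing the pool back at P2, and P2 translating the client to its own inside interface address as in the nat/global pair above.

```python
import ipaddress

# Constructed lab addressing (assumed; the thread does not give real addresses):
#   VLAN 1 LAN 10.1.1.0/26, IN2 gateway 10.1.1.1, P2 inside 10.1.1.2, R2 10.1.1.3
#   VPN client pool handed out by P2: 192.168.99.0/24 (H1 gets 192.168.99.10)
LAN = ipaddress.ip_network("10.1.1.0/26")
IN2_GW = "10.1.1.1"
P2_INSIDE = "10.1.1.2"
VPN_POOL = ipaddress.ip_network("192.168.99.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# R2's table as described in the thread: LAN directly connected (next hop None),
# everything else via IN2.
R2_ROUTES = [(LAN, None), (DEFAULT, IN2_GW)]


def next_hop(routes, dst):
    """Longest-prefix match; returns the next-hop IP, or None if dst is on-link."""
    best = None
    for net, nh in routes:
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, nh)
    return best[1] if best else None


def r2_reply_exits_via(client_ip, extra_routes=(), outside_nat=False):
    """Which box receives R2's reply to a telnet packet from client_ip?

    outside_nat=True models P2 rewriting the client source to P2_INSIDE
    ('nat (outside) 1 ... outside' + 'global (inside) 1 interface').
    extra_routes models 'ip route <pool> <mask> <P2 inside>' added on R2.
    """
    src_seen_by_r2 = P2_INSIDE if outside_nat else client_ip
    nh = next_hop(list(R2_ROUTES) + list(extra_routes), src_seen_by_r2)
    # On-link (None) or explicitly via P2's inside address: the reply reaches P2.
    # Anything else follows the default route to IN2 and never comes back through P2.
    return "P2" if nh in (None, P2_INSIDE) else "IN2"


if __name__ == "__main__":
    client = "192.168.99.10"
    print("no route, no NAT   ->", r2_reply_exits_via(client))
    print("static route on R2 ->", r2_reply_exits_via(client, [(VPN_POOL, P2_INSIDE)]))
    print("outside NAT on P2  ->", r2_reply_exits_via(client, outside_nat=True))
```

The first case reproduces the symptom (reply leaves via IN2, so the session never completes); the other two are the two fixes the thread discusses, one requiring a change on R2 and one only on P2.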


hello Jon,

Still no joy. I spent most of Saturday messing around with various configs but was still unable to get to my test laptop with the default gateway pointing to IN2.... Here is the drawing of the test lab I set up locally. I didn't want to break anything (any worse) in Mexico. I can get to H2 from H1 with no problems using just about all mechanisms tested, but not a peep from H3, no matter what I try. I would send a config but I've run through so many... I'm back to scratch. I'm not terribly handy with these PIXs and it is apparent to me that I am struggling with putting together a CLI config. I am relying on PDM to build the base and then I'm trying to add whatever is needed to complete the config. Here is the blank (factory default) I'm starting with for each attempt.

Any direction would be very much appreciated and again thank you very kindly for your time and effort on this forum.

