PIX 501 VPN SITE TO SITE

danilomario · ‎03-28-2008

My VPN go up only if i ping from a specific side.

If i ping from the other side the VPN don't go UP and the message is MM_NOSTATE

The good side is pix.txt conf

The bad side is pixe.txt conf

Jon Marshall · ‎03-28-2008

Hi

Your crypto map access-lists don't match ie.

pix.txt

access-list bsns_out permit ip 14.1.0.0 255.255.255.0 10.20.0.0 255.255.255.0

access-list bsns_out permit ip 14.1.0.0 255.255.255.0 192.168.1.0 255.255.255.0

pixe.txt

access-list bsns_out permit ip 10.20.0.0 255.255.255.0 14.1.0.0 255.255.255.0

access-list bsns_out permit ip 10.20.0.0 255.255.255.0 14.2.0.0 255.255.255.0

These should match and you will need to ensure that your nonat access-lists match this as well.

Jon

danilomario · ‎03-28-2008

Sorry why don't match ?

pix.txt

14.1.0.0 is internal lan

10.20.0.0 is external lan (destination)

192.168.1.0 is outside int of pixe.txt

pixe.txt

10.20.0.0 is internal lan

14.1.0.0 is external lan (destination)

14.2.0.0 is outside int of pix.txt

Jon Marshall · ‎03-28-2008

They don't match because crypto access-lists should just be the reverse of each so

update you access-lists as follows

pix.txt

access-list bsns_out permit ip 14.1.0.0 255.255.255.0 10.20.0.0 255.255.255.0

access-list bsns_out permit ip 14.1.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list bsns_out permit ip 14.2.0.0 255.255.255.0 10.20.0.0 255.255.255.0

pixe.txt

access-list bsns_out permit ip 10.20.0.0 255.255.255.0 14.1.0.0 255.255.255.0

access-list bsns_out permit ip 10.20.0.0 255.255.255.0 14.2.0.0 255.255.255.0

access-list bsns_out permit ip 192.168.1.0 255.255.255.0 14.1.0.0 255.255.255.0

Also where are you connecting from/to when it works and when it doesn't work ?

Jon

danilomario · ‎03-28-2008

Thanks very much