PIX 501 behind router...

Sep 8th, 2008

I have a PIX 501 that I am setting up at a site that has one static IP address and a router. I have never set up a PIX 501 without a public address on the WAN, so this is new to me. I have assigned the outside interface of the PIX to On the router I have forwarded UDP 500 and 4500 to the (PIX WAN) address. The tunnel light comes on on the PIX, and when I do a sh crypto isakmp sa I see the tunnel appears to be up in state QM_IDLE. However, I cannot transmit data across the tunnel or ping. Any ideas? Any help would be greatly appreciated. I have attached the config for review.

ccosper08 Wed, 09/10/2008 - 06:45

Ok, I got one tunnel to work fine ( to ICMP and data traverse the tunnel. However, I cannot seem to get the other tunnel working ( to If I do a sh crypto ipsec sa on both sides I can see the encapsulated packets getting incremented, but the decapsulated count stays at 0 on both sides. I have pored over the configs and cannot see what is wrong. In my previous post I included the config for the location, and I will include the config for the location in this post. Any help would be greatly appreciated.

singhsaju Wed, 09/10/2008 - 07:00

You are using the same access-list "80" for both NAT 0 (NAT bypass) and the crypto ACL.

I am wondering how you could create an extended access-list numbered "80".

Standard access-lists are numbered 1-99 (they support only a source address).

First of all, change your access-list number to 100 or more, and secondly do not use the same access-list for NAT 0 and the crypto ACL.

Create two separate identical access-lists. For example:

access-list 100 permit ip
access-list 100 permit ip
access-list 120 permit ip
access-list 120 permit ip
nat (inside) 0 access-list 100
crypto map lafayette 10 match address 120

Then post the result for the following:

show access-list 100 (check the hit counts when packets bypass)
show crypto ipsec sa

Pls rate if it helps
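As an added example (not part of the thread and not the poster's config), a small Python check that parses a constructed PIX-style fragment and reports the ACL reuse this reply warns about; it also flags a related case that matters when there are two tunnels, one crypto ACL shared by two crypto map entries with different peers. The map name lafayette comes from the thread; every address below is made up.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed PIX 6.x-style fragments (not the poster's config; all addresses are made up).
SHARED_ACL_CONFIG = """\
access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list 80
crypto map lafayette 10 match address 80
crypto map lafayette 10 set peer 198.51.100.10
crypto map lafayette 20 match address 80
crypto map lafayette 20 set peer 203.0.113.20
"""
SEPARATE_ACL_CONFIG = """\
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 130 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list 100
crypto map lafayette 10 match address 120
crypto map lafayette 10 set peer 198.51.100.10
crypto map lafayette 20 match address 130
crypto map lafayette 20 set peer 203.0.113.20
"""

NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")

def audit_acl_sharing(config: str) -> List[str]:
    """Flag ACLs reused between nat 0 and crypto maps, or between crypto map entries."""
    nat0_acls: Set[str] = set()
    entry_acl: Dict[Tuple[str, int], str] = {}  # (map name, seq) -> ACL name
    for line in config.splitlines():
        if m := NAT0_RE.match(line.strip()):
            nat0_acls.add(m.group(1))
        elif m := MATCH_RE.match(line.strip()):
            entry_acl[(m.group(1), int(m.group(2)))] = m.group(3)
    findings: List[str] = []
    for (cmap, seq), acl in sorted(entry_acl.items()):
        if acl in nat0_acls:
            findings.append(f"acl {acl}: used by both nat 0 and crypto map {cmap} {seq}")
    # Crypto map entries are tried in sequence order; if two entries share one ACL,
    # the lower sequence matches traffic meant for the other peer as well.
    users: Dict[str, List[str]] = {}
    for (cmap, seq), acl in sorted(entry_acl.items()):
        users.setdefault(acl, []).append(f"{cmap} {seq}")
    for acl, entries in sorted(users.items()):
        if len(entries) > 1:
            findings.append(f"acl {acl}: shared by crypto map entries {', '.join(entries)}")
    return findings
```

Running it on SHARED_ACL_CONFIG reports the shared ACL 80 twice (once per crypto map entry) plus the cross-entry sharing, while SEPARATE_ACL_CONFIG, laid out the way this reply recommends, produces no findings.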