Static route to the net behind ipsec tunnel from pix 506e 6.3(5)

Unanswered Question
Jan 15th, 2009

Good day.

There are networks: connected through the PIX 506E 6.3(5) and through the router 2851 using IPsec.

Routers' IPs are:

Now I need an access from to the which is behind

How must I set up the PIX? In router configuration it's simply done by ip route etc...

But on the PIX configuration route outside doesn't take effect :(

So the scheme will look like this:

( inside)PIX(outside)---INTERNET---c2851(

P.S. Sorry for my awful English.

Jon Marshall Thu, 01/15/2009 - 03:45

Hi Andrew

"You also need a static route to point the out of the outside interface, so the PIX knows it needs to encrypt it."

Not sure you do. As long as the PIX knows how to get to the IPsec peer, i.e. the 2811 on its public address, then adding the network to the crypto map access-list is enough to make it work. The PIX then knows it needs to be encrypted and simply encapsulates the packet and sends it to the public IP of the 2811.

Mind you, it's been a while since I set up one of these things, so I may be mistaken :-)


michaelikus Thu, 01/15/2009 - 03:51

Already done, but no changes.

One more detail.

I'm using IPsec on the PIX behind NAT (my provider gave me an address using PPTP), so I set up NAT traversal on the PIX. Maybe the problem is in that?


: interface ACLs (currently wide open)
access-list wan_acl permit ip any any
access-list lan_acl permit ip any any
access-list lan_acl permit icmp any any
: t_ipsec selects the traffic the crypto map will encrypt
access-list t_ipsec permit ip
access-list t_ipsec permit ip
: t_nonat exempts the same traffic from PAT so it still matches t_ipsec
access-list t_nonat permit ip
access-list t_nonat permit ip
global (outside) 1 interface
nat (inside) 0 access-list t_nonat
nat (inside) 1 0 0
access-group wan_acl in interface outside
access-group lan_acl in interface inside
: routes out of the outside interface
route outside 1
route outside 1
: IPsec phase 2
crypto ipsec transform-set ts-1 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map cm-1 21 ipsec-isakmp
crypto map cm-1 21 match address t_ipsec
crypto map cm-1 21 set peer
crypto map cm-1 21 set transform-set ts-1
crypto map cm-1 interface outside
: ISAKMP phase 1, with NAT-T because the PIX itself sits behind NAT
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
--end cut--
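To make Jon's point concrete, and to show how the nat 0, crypto map and route lines in the posted config interact, here is an added illustration written for this thread (it is not the poster's configuration or Cisco code). It models the PIX 6.3 outbound decision order: NAT first, then the crypto map access-list on the post-NAT packet, then a route lookup for the IPsec peer rather than for the remote LAN. All addresses are constructed from RFC 5737 documentation ranges, and the routing table deliberately has only a default route, no static route for the remote network.

```python
# Added illustration (not the poster's config): a small model of how a PIX 6.3
# decides what to do with an outbound packet once "nat 0", the crypto map
# access-list and the routing table are all in play. Addresses are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list NAME permit ip SRC DST' line (permit-only model)."""
    src: str   # e.g. "192.168.10.0/24"
    dst: str   # e.g. "192.168.20.0/24"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


def acl_permits(acl, src_ip, dst_ip):
    """True if any entry of the access-list permits this src/dst pair."""
    return any(e.matches(src_ip, dst_ip) for e in acl)


@dataclass
class Pix:
    outside_ip: str   # address used by 'global (outside) 1 interface'
    routes: dict      # 'route outside PREFIX NEXTHOP' -> {prefix: next_hop}
    nonat_acl: list   # 'nat (inside) 0 access-list t_nonat'
    crypto_acl: list  # 'crypto map cm-1 21 match address t_ipsec'
    peer: str         # 'crypto map cm-1 21 set peer PEER'

    def next_hop(self, dst_ip):
        """Longest-prefix match over the 'route outside' entries; None if no route."""
        ip = ipaddress.ip_address(dst_ip)
        best = None
        for prefix, nh in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def forward(self, src_ip, dst_ip):
        # 1. NAT runs first. Traffic exempted by 'nat 0 access-list' keeps its
        #    real source; everything else is PATed to the outside interface.
        if acl_permits(self.nonat_acl, src_ip, dst_ip):
            post_nat_src = src_ip
        else:
            post_nat_src = self.outside_ip
        # 2. The crypto map ACL is checked on the post-NAT packet. A match means the
        #    packet is encapsulated and sent to the peer, so the only route that
        #    matters is the one towards the peer, not towards the remote LAN.
        if acl_permits(self.crypto_acl, post_nat_src, dst_ip):
            nh = self.next_hop(self.peer)
            if nh is None:
                return {"action": "drop", "reason": "no route to IPsec peer"}
            return {"action": "encrypt", "peer": self.peer, "via": nh, "src": post_nat_src}
        # 3. Otherwise the packet leaves in the clear along the normal route.
        nh = self.next_hop(dst_ip)
        if nh is None:
            return {"action": "drop", "reason": "no route to destination"}
        return {"action": "clear", "via": nh, "src": post_nat_src}


LOCAL_LAN = "192.168.10.0/24"   # constructed: network behind the PIX
REMOTE_LAN = "192.168.20.0/24"  # constructed: network behind the 2851
PEER = "198.51.100.1"           # constructed: 2851 public address
ISP_GW = "203.0.113.1"          # constructed: PIX default gateway


def build_pix(with_nonat=True):
    """PIX with only a default route; optionally missing the nat 0 exemption."""
    nonat = [AclEntry(LOCAL_LAN, REMOTE_LAN)] if with_nonat else []
    return Pix(
        outside_ip="203.0.113.10",
        routes={"0.0.0.0/0": ISP_GW},  # no static route for REMOTE_LAN on purpose
        nonat_acl=nonat,
        crypto_acl=[AclEntry(LOCAL_LAN, REMOTE_LAN)],
        peer=PEER,
    )


if __name__ == "__main__":
    print(build_pix().forward("192.168.10.5", "192.168.20.7"))
    print(build_pix(with_nonat=False).forward("192.168.10.5", "192.168.20.7"))
```

The first call shows Jon's case: with just a default route the packet still matches t_ipsec and is encrypted towards the peer. The second call shows the classic failure mode the t_nonat lines guard against: without the exemption the source is PATed to the outside address, no longer matches the crypto ACL, and the packet leaves unencrypted. A useful check on a real PIX is to confirm that the nat 0 and crypto ACLs name exactly the same subnets.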

