VPN Client works but site-to-site doesn't between 501's

I have two PIX 501's.  I've had Cisco VPN Clients successfully connecting to PIX #1, and their connections work just fine, and I have now established a VPN from PIX #2 to the first one, but I can't pass any traffic.  I've attached the configs from both PIXes, and you can see what can be pinged and what can't.  Any ideas would be appreciated.  Eventually, PIX #1 needs to accept the VPN from PIX #2 as a dynamic address, but for now I've hardcoded an address in.

Thanks for any help.

hdashnau (Cisco Employee) Wed, 02/10/2010 - 12:11

If you want to be able to ping the PIX interface itself over the VPN tunnel, you need the management-access command enabled (it's only enabled on one of your devices):

management-access inside


Also make sure the hosts you are pinging from have routes to the remote networks. For example, if you have the 10.1.1.x network behind PIX1 and the 20.1.1.x network behind PIX2, and you are trying to ping from a host sitting on the 20.1.1.x network, that host (and the routers between that host and PIX2) need to have a route for 10.1.1.x that points to PIX2's inside interface.

To troubleshoot, set up a capture and see if the echo requests or echo replies are entering/leaving the inside interfaces of each ASA:

access-list cap permit ip host x.x.x.x host y.y.y.y
access-list cap permit ip host y.y.y.y host x.x.x.x
cap cap access-list cap interface Inside
show cap cap
clear cap cap
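The capture procedure above produces a handful of tcpdump-style lines per interface, and the answer's reasoning is to compare what each PIX's inside interface sees. The Python script below is an added example, not code from the original thread or from Cisco: it parses constructed samples of `show cap cap` output (the line format mimics the PIX/ASA capture display; the addresses, timestamps and scenario are made up for illustration) and reports the first inside interface at which the echo requests or replies disappear, which points at either a routing problem on a host or at the tunnel itself.

```python
import re

# Constructed sample output of `show cap cap` on each PIX's inside interface.
# The format mimics the tcpdump-style lines the PIX/ASA capture facility prints;
# addresses and timestamps are made up for this example and are not from the post.
# Scenario: host 20.1.1.5 behind PIX2 pings host 10.1.1.5 behind PIX1.
PIX2_INSIDE_CAPTURE = """\
2 packets captured
   1: 12:11:01.000000 20.1.1.5 > 10.1.1.5: icmp: echo request
   2: 12:11:02.000000 20.1.1.5 > 10.1.1.5: icmp: echo request
2 packets shown
"""

# Requests reach PIX1's inside interface, but 10.1.1.5 never answers through it.
PIX1_INSIDE_CAPTURE = """\
2 packets captured
   1: 12:11:01.050000 20.1.1.5 > 10.1.1.5: icmp: echo request
   2: 12:11:02.050000 20.1.1.5 > 10.1.1.5: icmp: echo request
2 packets shown
"""

# A healthy capture for comparison: requests and replies both cross the interface.
HEALTHY_CAPTURE = """\
2 packets captured
   1: 12:11:01.000000 20.1.1.5 > 10.1.1.5: icmp: echo request
   2: 12:11:01.000700 10.1.1.5 > 20.1.1.5: icmp: echo reply
2 packets shown
"""

# One capture line: "<n>: <timestamp> <src> > <dst>: icmp: echo request|reply"
CAPTURE_LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}): icmp: echo (?P<kind>request|reply)\b"
)


def count_icmp(capture_text, pinger, target):
    """Count echo requests pinger->target and echo replies target->pinger."""
    requests = replies = 0
    for line in capture_text.splitlines():
        m = CAPTURE_LINE.match(line)
        if not m:
            continue  # header/footer lines such as "2 packets captured"
        if m["kind"] == "request" and m["src"] == pinger and m["dst"] == target:
            requests += 1
        elif m["kind"] == "reply" and m["src"] == target and m["dst"] == pinger:
            replies += 1
    return requests, replies


def diagnose(near_inside, far_inside, pinger, target):
    """
    Localise where a ping dies across a site-to-site tunnel.

    near_inside: capture from the inside interface of the PIX the pinging host sits behind
    far_inside:  capture from the inside interface of the PIX the target host sits behind
    Returns a short verdict naming the first point at which traffic disappears.
    """
    near_req, near_rep = count_icmp(near_inside, pinger, target)
    far_req, far_rep = count_icmp(far_inside, pinger, target)

    if near_req == 0:
        return "no requests enter near inside: pinging host has no route for the remote network via the near PIX"
    if far_req == 0:
        return "requests enter near inside but never leave far inside: traffic is not crossing the tunnel"
    if far_rep == 0:
        return "requests leave far inside but no replies return: target host lacks a route for the remote network back to the far PIX"
    if near_rep == 0:
        return "replies enter far inside but never leave near inside: return traffic is not crossing the tunnel"
    return "requests and replies seen on both inside interfaces: the tunnel forwards traffic"


if __name__ == "__main__":
    # Near side is PIX2 (where 20.1.1.5 lives), far side is PIX1 (where 10.1.1.5 lives).
    print(diagnose(PIX2_INSIDE_CAPTURE, PIX1_INSIDE_CAPTURE, "20.1.1.5", "10.1.1.5"))
    print(diagnose(HEALTHY_CAPTURE, HEALTHY_CAPTURE, "20.1.1.5", "10.1.1.5"))
```

Paste the two `show cap cap` outputs in place of the constructed samples; in the sample scenario the requests reach PIX1's inside interface but no replies come back through it, which is exactly the missing-route-on-the-target-host case the answer describes.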


Heather, what I don't understand is how I can search and Google for hours and not find that article... it was exactly what I needed. So thank you. Now, another question... we have several of these PIX 501's that need to connect to the central PIX 501 dynamically, just like mine is now doing, but they each have a network of  Can that be done?