Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
463
Views
0
Helpful
4
Replies

VPN Client works but site-to-site doesn't between 501's

chris.lantz
Level 1
Level 1

‎02-10-2010 10:12 AM

I have two PIX 501's.  I've had Cisco VPN Clients successfully connecting to PIX #1, and their connections work just fine, and I have now established a VPN from PIX #2 to the first one, but I can't pass any traffic.  I've attached the configs from both PIXes, and you can see what can be pinged and what can't.  Any ideas would be appreciated.  Eventually, PIX #1 needs to accept the VPN from PIX #2 as a dynamic address, but for now I've hardcoded an address in.

Thanks for any help.

Labels:
60892-pixes.txt.zip
0 Helpful
4 Replies 4

hdashnau
Cisco Employee
Cisco Employee

‎02-10-2010 12:11 PM

If you want to be able to ping the PIX interface itself over the VPN tunnel you need the management-access command enabled (its only enabled in one of your devices):

management-access inside

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1137951

Also make sure the hosts you are pinging from have routes to the remote networks. For example if you have the 10.1.1.x network behind PIX1 and the 20.1.1.x network behind PIX2, and you are trying to ping from a host sitting on the 20.1.1.x network, that host (and the routers between that host and PIX2) need to have a route for 10.1.1.x that points to PIX2 inside interface.

To troubleshoot set up a capture and see if the echo requests or echo replies are entering/leaving the inside interfaces of each ASA:

access-list cap permit ip host x.x.x.x host y.y.y.y

access-list cap permit ip host y.y.y.y host x.x.x.x

cap cap access-list cap interface Inside

show cap cap

clear cap cap

-heather

0 Helpful

chris.lantz
Level 1
Level 1
In response to hdashnau

‎02-10-2010 06:23 PM

Heather, thank you for the quick reply.  Of course, I was missing a route in the server behind PIX1, and that fixed everything.  Would you mind answering another question...how do I configure PIX1 to accept the connection from PIX2 which gets its address via DHCP from the DSL provider? 

0 Helpful

hdashnau
Cisco Employee
Cisco Employee
In response to chris.lantz

‎02-11-2010 06:44 AM

Please rate our posts and mark the question as resolved if this resolved the issue so other customers can easily identify the solutions that work.

You would need to setup a Dynamic L2L connection, instead of a static one. Here is an example:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

-heather

0 Helpful

chris.lantz
Level 1
Level 1
In response to hdashnau

‎02-11-2010 04:39 PM

Heather, what I don't understand is how I can search and Google for hours and not find that article...it was exactly what I needed. So thank you.  Now, another question...we have several of these PIX 501's that need to connect to the central PIX 501 dynamically, just like mine is now doing, but they each have a network of 192.168.1.0/24.  Can that be done?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents