11-08-2005 12:45 PM - edited 03-09-2019 12:58 PM
Please see the attached PDF diagram.
I can successfully pass traffic from 192.168.60.0 to the DMZ and Inside networks.
I can successfully pass traffic from 192.168.20.0 to the DMZ and Inside networks.
Problem: I cannot pass traffic from either network across both VPNs. For example, I cannot go from 192.168.60.0 to 192.168.20.0, or vice versa.
Any ideas as to why this won't work?
Thanks in advance.
11-08-2005 03:57 PM
Just wondering if both the router 1751 and the PIX 501 have no-NAT and crypto ACLs that include each other's subnet. Also, on the PIX 515, both subnets need to be included for both LAN-to-LAN VPNs.
e.g.
on router 1751,
ip access-list extended no_nat
 permit ip 192.168.20.0 0.0.0.255 172.24.0.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.60.0 0.0.0.255
ip access-list extended lan2lan
 permit ip 192.168.20.0 0.0.0.255 172.24.0.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.60.0 0.0.0.255
on pix 501,
access-list no_nat permit ip 192.168.60.0 255.255.255.0 172.24.0.0 255.255.255.0
access-list no_nat permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no_nat permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list lan2lan permit ip 192.168.60.0 255.255.255.0 172.24.0.0 255.255.255.0
access-list lan2lan permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list lan2lan permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
for pix 515,
access-list vpn1_1751 permit ip 172.24.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn1_1751 permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn1_1751 permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn2_501 permit ip 172.24.0.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list vpn2_501 permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list vpn2_501 permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0
The only bit I am not sure about is the no-NAT on the PIX 515. I guess we should give it a go first, then figure the no-NAT out by troubleshooting.
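Added example, not code from the thread: a small Python checker that reads crypto ACLs in the form used in the answer above (IOS wildcard masks on the router, PIX subnet masks on the firewalls) and reports, for every spoke-to-spoke flow, which ACL is missing the entry that selects it. The rule it encodes is the one the answer relies on: the hub's crypto ACL for each tunnel must be the mirror image of that spoke's ACL, and both hub ACLs must carry the other spoke's subnet. The device names, ACL names and the two hub configs (one without the spoke-to-spoke entries, one with them) are constructed for the example.

```python
"""Crypto-ACL coverage check for a hub-and-spoke IPsec design (added example)."""
import ipaddress
import re

# PIX style: 'access-list NAME permit ip SRC MASK DST MASK'
_ACE = re.compile(r"access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
# IOS named extended ACL: 'ip access-list extended NAME' then 'permit ip ...' lines
_NAMED = re.compile(r"ip\s+access-list\s+extended\s+(\S+)")
_NAMED_ACE = re.compile(r"permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} from a config snippet.

    ipaddress accepts both a subnet mask (255.255.255.0, PIX) and a wildcard
    mask (0.0.0.255, IOS) after the slash, so one parser serves both boxes.
    Caveat: an IOS host entry written with wildcard 0.0.0.0 would be read as a
    /0 netmask; real configs use 'host', which this parser deliberately skips.
    Only 'permit ip' entries matter for tunnel selection; anything else is ignored.
    """
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = _NAMED.match(line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        m = _ACE.match(line)
        if m:
            name, (s, sm, d, dm) = m.group(1), m.groups()[1:]
        elif current and _NAMED_ACE.match(line):
            name, (s, sm, d, dm) = current, _NAMED_ACE.match(line).groups()
        else:
            continue
        acls.setdefault(name, []).append(
            (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
    return acls


def selects(acl, src, dst):
    """True if some entry of acl covers the whole src -> dst flow."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in acl)


def check_hub_and_spoke(hub_acls, spokes):
    """spokes: {name: (lan_net, crypto_acl_entries, hub_acl_name_for_that_tunnel)}.

    Returns a sorted list of missing selections; empty means every
    spoke-to-spoke flow is selected end to end. Every ordered pair (a, b) is
    visited, so the return path b -> a is checked on the second visit.
    """
    missing = set()
    for a, (a_net, a_acl, a_hub) in spokes.items():
        for b, (b_net, _, b_hub) in spokes.items():
            if a == b:
                continue
            if not selects(a_acl, a_net, b_net):
                missing.add(f"spoke {a}: no entry selecting {a_net} -> {b_net}")
            # hub ACL for tunnel A must mirror spoke A: the hub sees the flow as B -> A
            if not selects(hub_acls.get(a_hub, []), b_net, a_net):
                missing.add(f"hub {a_hub}: no entry selecting {b_net} -> {a_net}")
            # and the hub must select A -> B into tunnel B to re-encrypt toward spoke B
            if not selects(hub_acls.get(b_hub, []), a_net, b_net):
                missing.add(f"hub {b_hub}: no entry selecting {a_net} -> {b_net}")
    return sorted(missing)


# Constructed sample configs (names and subnets follow the thread's diagram).
ROUTER_1751 = """
ip access-list extended lan2lan
 permit ip 192.168.20.0 0.0.0.255 172.24.0.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.60.0 0.0.0.255
"""
PIX_501 = """
access-list lan2lan permit ip 192.168.60.0 255.255.255.0 172.24.0.0 255.255.255.0
access-list lan2lan permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list lan2lan permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
"""
# Hub with only its own networks in each tunnel ACL (constructed "before" state)
PIX_515_BEFORE = """
access-list vpn1_1751 permit ip 172.24.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn1_1751 permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn2_501 permit ip 172.24.0.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list vpn2_501 permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
"""
# Same hub with the spoke-to-spoke entries the answer above recommends
PIX_515_AFTER = PIX_515_BEFORE + """
access-list vpn1_1751 permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn2_501 permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0
"""


def audit(hub_config):
    spokes = {
        "1751": (ipaddress.ip_network("192.168.20.0/24"),
                 parse_acls(ROUTER_1751)["lan2lan"], "vpn1_1751"),
        "pix501": (ipaddress.ip_network("192.168.60.0/24"),
                   parse_acls(PIX_501)["lan2lan"], "vpn2_501"),
    }
    return check_hub_and_spoke(parse_acls(hub_config), spokes)


if __name__ == "__main__":
    for label, cfg in (("before", PIX_515_BEFORE), ("after", PIX_515_AFTER)):
        print(label, audit(cfg) or ["ok"])
```

The check covers crypto-ACL selection only: it says nothing about the no-NAT rules the answer is unsure of, and nothing about whether the hub platform will forward a flow that enters and leaves the same outside interface, both of which still have to be verified on the box.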