Cisco Support Community

New Member

Site to site VPN using 501 PIX

Hi,

I am a newcomer to Cisco PIXes and I am trying to set up an IPsec VPN between 2 sites. I can't seem to get the VPN tunnel up. Attached are the 2 configs.

Any advice would be very much appreciated.

Thanks in advance.

3 REPLIES
New Member

Re: Site to site VPN using 501 PIX

A small topology diagram would help. Here's a starter.

Site A Pix needs

nat (inside) 0 access-list 100

Site B Pix

crypto map newmap 40 match address 140 (NOT 150; access-list 150 does not exist)

nat (inside) 0 access-list 100

Cisco Employee

Re: Site to site VPN using 501 PIX

Paul,

On FORUM SitA Pix, add the below lines to the configuration.

nat (inside) 0 access-list 100

On FORUM SitB Pix, reconfigure the match address from

crypto map newmap 40 match address 150

To

crypto map newmap 40 match address 140

And if you want to allow FORUM Site B users to have Internet access, then you need to configure NAT for NATting all Internet traffic and NAT 0 to bypass NAT for IPsec traffic.

For example:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (inside) 0 access-list 100

After you make the above configuration changes, do a clear xlate, clear cry is sa and clear cry ipsec sa and then bring up the tunnel.

Let me know how it goes.

I hope it helps.

Regards,

Arul

** Please rate all helpful posts **
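
Added example, not part of any post in this thread: a small Python check for the two mistakes the replies above point out, a crypto map that matches an access-list that does not exist and a missing `nat (inside) 0` exemption. The attached configs are not shown on this page, so the sample config, its addresses and its ACL contents are constructed assumptions, and the function names are hypothetical.

```python
import re

# Constructed sample resembling the Site B problem described in the thread.
# Addresses and ACL contents are made up; the original configs are not on the page.
SAMPLE_SITE_B = """\
access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 140 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 match address 150
crypto map newmap 40 set peer 192.0.2.1
crypto map newmap interface outside
"""

def lint_pix_vpn(config):
    """Return a list of findings for the two mistakes discussed in the thread."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Every access-list that has at least one permit/deny entry.
    acls = {m.group(1) for ln in lines
            if (m := re.match(r"access-list (\S+) (permit|deny)\b", ln))}
    findings = []
    # 1. Each crypto map entry must match an access-list that is defined.
    for ln in lines:
        m = re.match(r"crypto map (\S+) (\d+) match address (\S+)$", ln)
        if m and m.group(3) not in acls:
            findings.append(f"crypto map {m.group(1)} {m.group(2)}: "
                            f"access-list {m.group(3)} does not exist")
    # 2. A NAT exemption (nat 0) must exist and reference a defined ACL,
    #    otherwise tunnel traffic is translated before it reaches the crypto map.
    nat0 = [m.group(1) for ln in lines
            if (m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", ln))]
    if not nat0:
        findings.append("no 'nat (inside) 0 access-list <acl>' NAT exemption")
    findings += [f"nat 0: access-list {a} does not exist"
                 for a in nat0 if a not in acls]
    return findings

def apply_thread_fix(config):
    """Apply the corrections given in the replies to the constructed sample."""
    fixed = config.replace("match address 150", "match address 140")
    return fixed + "nat (inside) 0 access-list 100\n"

if __name__ == "__main__":
    for finding in lint_pix_vpn(SAMPLE_SITE_B):
        print("FINDING:", finding)
    print("after fix:", lint_pix_vpn(apply_thread_fix(SAMPLE_SITE_B)) or "clean")
```
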

Gold

Re: Site to site VPN using 501 PIX

Hi

Take a look at the following document - very good to get you going:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Hope this helps and please rate posts!
