Cisco Support Community
New Member

cannot access the remote PIX501 attached station from inside network

I configured a VPN tunnel between the PIX520 and the PIX501, but the problem is that PC2 cannot ping PC3 even though PC1 is able to ping PC3. The PIX520 has several other sites which are LAN-to-LAN, and PC2 is able to ping them but cannot ping PC3 through the PIX501. The difference is that those sites are LAN-to-LAN and the PIX501 is dynamic. Please review the configuration and give me some ideas.

1. Network connectivity

<PC1>-(eth)--------------<Rtr1>-(eth)-<PIX520>-(Internet)-<PIX501>-(eth)-<PC3>
                        |
<PC2>-(eth)-<Rtr2>-(FR)-+

PC1=10.1.99.100

PC2=172.25.26.100

PC3=10.1.38.11

eth=Ethernet

FR=Frame-relay

Rtr1 and Rtr2 have a routing path for PC1 and PC3.

2. tracert at PC2 (from PC2 to PC3)

C:\>tracert 10.1.38.11

Tracing route to 10.1.38.11 over a maximum of 30 hops

1 <10 ms <10 ms <10 ms Rtr2 [172.25.26.1]

2 46 ms 47 ms 32 ms Rtr1 [10.254.253.133]

3 * * * Request timed out.

4 * * ^C

3. "debug icmp trace" at PIX520, pinging from PC2 to PC3.

2069: Outbound ICMP echo request (len 64 id 2 seq 59953) 172.25.26.100 > 172.25.26.100 > 10.1.38.11

2070: Outbound ICMP echo request (len 64 id 2 seq 61745) 172.25.26.100 > 172.25.26.100 > 10.1.38.11

.....

4. PIX520 configuration.

access-list 100 permit ip 10.1.0.0 255.255.0.0 10.1.38.0 255.255.255.0

access-list 100 permit ip 172.25.26.0 255.255.255.0 10.1.38.0 255.255.255.0

!

ip address outside x.x.x.1 255.255.255.224

ip address inside 10.1.202.2 255.255.255.0

!

global (outside) 1 x.x.x.2

nat (inside) 0 access-list 100

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!

route outside 10.1.38.0 255.255.255.0 x.x.x.3 1

route inside 172.25.26.0 255.255.255.0 10.1.202.1 1

!

crypto ipsec transform-set strong-des esp-des esp-sha-hmac

crypto dynamic-map cisco 4 set transform-set strong-des

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

......

5. PIX501 configuration

access-list 101 permit ip 10.1.38.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list 101 permit ip 10.1.38.0 255.255.255.0 172.25.26.0 255.255.255.0

!

ip address outside dhcp setroute

ip address inside 10.1.38.1 255.255.255.0

!

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!

crypto ipsec transform-set strong-des esp-des esp-sha-hmac

crypto map partner-map 10 ipsec-isakmp

crypto map partner-map 10 match address 101

crypto map partner-map 10 set peer x.x.x.1

crypto map partner-map 10 set transform-set strong-des

crypto map partner-map interface outside

isakmp enable outside

isakmp key ******** address x.x.x.1 netmask 255.255.255.255

.....

1 REPLY
New Member

Re: cannot access the remote PIX501 attached station from inside

Call the TAC on this, it's beyond the scope of the forum.
