Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IP route command


Can anybody tell me that how 2 pix devices communicate with each other?

Actually I tried to create pix-to-pix tunnel using pre-share key but when I tried to ping peer host it gave error message that no route exist.

Nothing came when i gave :

# show crypto isakmp sa

it was blank.

I also created router-to-router tunnel and it worked fine... there is one more confusion that what is the difference between router-to-router and pix-to-pix tunnel. In which scenarios we should create one?

Can you please give me some guidance?



Re: IP route command

Here is an example config:

PIX Firewall configuration version 6.3.3

PIX> enable

PIX# configure terminal

If there is more control needed or there is no sysopt connection permit-ipsec then use acces-list acs-outside.

PIX(config)# sysopt connection permit-ipsec


PIX(config)# access-list acs-outside permit udp host VPNPeer host MyPublicIP eq isakmp

PIX(config)# access-list acs-outside permit esp host VPNPeer host MyPublicIP

PIX(config)# access-list acs-outside permit ah host VPNPeer host MyPublicIP

PIX(config)# access-group acs-outside in interface outside

STEP 1 - Configure IKE

PIX(config)# isakmp enable outside

PIX(config)# isakmp policy 10 authentication pre-share

PIX(config)# isakmp policy 10 encryption 3des

PIX(config)# isakmp policy 10 hash md5

PIX(config)# isakmp policy 10 group 2

PIX(config)# isakmp policy 10 lifetime 86400

PIX(config)# Isakmp identity address

PIX(config)# isakmp key your-vpn-password address PEER-IP netmask

STEP 2 - Configure IPSEC

PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet Esubnet

PIX(config)# global (outside) 1 interface

PIX(config)# nat (inside) 0 access-list NONAT

PIX(config)# nat (inside) 1 0 0

PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet

PIX(config)# crypto ipsec transform-set TRANS esp-des esp-md5-hmac

PIX(config)# crypto map REMOTE 10 ipsec-isakmp

PIX(config)# crypto map REMOTE 10 match address VPN

PIX(config)# crypto map REMOTE 10 set peer PEER-IP

PIX(config)# crypto map REMOTE 10 set transform-set TRANS

PIX(config)# crypto map REMOTE interface outside

PIX(config)# sysopt connection permit-ipsec

Description: This command permits IPSEC traffic trough the PIX without an ACL comment statement

See also:

Cisco PIX Firewall and VPN Configuration Guide, Version 6.3:



New Member

Re: IP route command

I tried the way you told me but when I tried to ping the peer system its giving me error message that there is not route available. Now I could not understand one thing that do we need to setup any root command to communicate 2 peers? And another question is that in which case we use sysopt command? can you give me some live examples??

My configuration is like that...