Cisco Support Community

New Member

PIX-PIX dynamic to static-can pass only one way traffic


I have the following scenario.

int. n/w---PIX(static)===tunnel===PIX(dynamic)---int n/w

PIX Static internal network -

PIX Dynamic internal network -

I ping from to get the replies and my VPN tunnel is up. I move to machine and try to ping network. I see that I can only ping from where I initiated the tunnel and cannot ping any other machines on network. I cannot figure out what the problem is. My nat (0) access-list is permitting the complete networks, and so is my crypto access-list.

Any suggestions would be helpful.



Cisco Employee

Re: PIX-PIX dynamic to static-can pass only one way traffic

Check that you have the following command in both PIX's:

sysopt connection permit-ipsec

This will tell the PIX to bypass all standard ACL checking of encrypted packets and just let them through. Sounds like the PIX is still following its standard access rules and only allowing traffic through if it's seen outgoing traffic first.

See for details.

Having said all that, keep in mind that this tunnel will only ever be able to be initiated from the dynamic PIX.

New Member

Re: PIX-PIX dynamic to static-can pass only one way traffic

It may sound strange, but make sure your NAT and crypto lists are not using the same access-list number. From what you're describing, I was having the same problem. Check out the following link. It corrected my problem.
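The two replies above make two configuration points: `sysopt connection permit-ipsec` on both firewalls, and separate access-lists for `nat (inside) 0` and the crypto map. The following is an added example written for this page, not configuration posted by either participant, showing both points in a static-to-dynamic PIX pair in PIX 6.x syntax. The addresses (static PIX outside 203.0.113.1, static inside 10.1.1.0/24, dynamic inside 10.2.2.0/24), the list and map names, and the transform set are all assumptions; the pre-shared key is a placeholder, and the `!` lines are reader comments rather than commands to paste.

```text
! ---- Static PIX: outside 203.0.113.1, inside 10.1.1.0/24 (assumed addresses) ----
! nat 0 list: exempt inside-to-remote traffic from NAT so the real addresses
! go into the tunnel. Kept as its own list, not shared with the crypto map.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
! Crypto list: a second, separately named list with the same network-to-network entry.
access-list tovpn permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! Let decrypted IPsec packets bypass the outside interface ACL (needed on BOTH PIXs).
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
! Dynamic map: the peer address is unknown, so no "set peer" here.
crypto dynamic-map dynmap 10 set transform-set strong
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp enable outside
! Wildcard peer because the dynamic PIX's outside address changes (placeholder key).
isakmp key PLACEHOLDER_PSK address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! ---- Dynamic PIX: outside address from the ISP, inside 10.2.2.0/24 (assumed) ----
access-list nonat permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list tovpn permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
! Static map pointing at the static PIX; only this side can bring the tunnel up.
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address tovpn
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set strong
crypto map outside_map interface outside
isakmp enable outside
isakmp key PLACEHOLDER_PSK address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

After bringing the tunnel up from the dynamic side, `show crypto ipsec sa` on either PIX should list a local and remote ident covering the whole /24 on each side rather than a single host pair; a host-to-host ident is the usual sign that the crypto list did not match the full networks. `show access-list` shows hit counts on `nonat` and `tovpn` separately, which is the quickest way to confirm the two lists are doing their own jobs. Note the security trade-off the first reply describes: with `sysopt connection permit-ipsec`, decrypted VPN traffic skips the outside interface ACL entirely, so the crypto access-lists become the only filter on what the remote site can reach. If that is too permissive, drop the sysopt and add explicit permits for the remote subnet to the outside ACL instead. On PIX 7.x and ASA the equivalent command is `sysopt connection permit-vpn`.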