Cisco Support Community

New Member

Pix to 3640 router

Hi, I have configured a VPN tunnel from a PIX to a Cisco 3640. The problem is I can only initiate the tunnel from the PIX side. Once the IPSec SA is created I can ping from either side, but I can only ping from the PIX side initially.

I've triple checked all access-lists but can't see anything wrong.

Any ideas?

2 REPLIES
Cisco Employee

Re: Pix to 3640 router

If you are sure about the access-list, it could be some firewalling issue.

Since the tunnel is up from the firewall end, traffic from the router end can already be sent to the PIX end.

If initiating from the router end, it could be blocked by some firewalling/filter inbound to the PIX.

Regards,

New Member

Re: Pix to 3640 router

I have found the problem: the access-lists have to match exactly on both ends.

My access-list read:

Router side:

permit ip 10.128.0.0 0.0.255.255 192.168.80.0 255.255.255.0

PIX side:

permit ip 192.168.80.0 255.255.255.0 10.128.1.0 255.255.255.0

permit ip 192.168.80.0 255.255.255.0 10.128.2.0 255.255.255.0

Needed to change it to:

Router side:

Stayed the same.

PIX side:

permit ip 192.168.80.0 255.255.255.0 10.128.0.0 255.255.0.0

Now it works in both directions!

Thanks for your help
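
An added example, not part of the original thread: a Python check that the crypto access-list entries quoted in the reply above mirror each other, run against the PIX list before and after the change. The function names are hypothetical, and the containment rule in `covered` (a responder accepts a proposed source/destination pair only if it falls inside one of its own entries) is an assumption of this sketch.

```python
import ipaddress

# Entries as quoted in the thread. ipaddress accepts either a netmask or a
# wildcard (host) mask after the slash, so both notations parse; the
# ambiguous all-zeros and all-ones masks are read as netmasks.
ROUTER = ["permit ip 10.128.0.0 0.0.255.255 192.168.80.0 255.255.255.0"]
PIX_BEFORE = [
    "permit ip 192.168.80.0 255.255.255.0 10.128.1.0 255.255.255.0",
    "permit ip 192.168.80.0 255.255.255.0 10.128.2.0 255.255.255.0",
]
PIX_AFTER = ["permit ip 192.168.80.0 255.255.255.0 10.128.0.0 255.255.0.0"]


def parse(lines):
    """Turn 'permit ip SRC MASK DST MASK' lines into (src_net, dst_net) pairs."""
    pairs = []
    for line in lines:
        tok = line.split()
        if len(tok) != 6 or tok[:2] != ["permit", "ip"]:
            raise ValueError(f"unsupported entry: {line!r}")
        src = ipaddress.ip_network(f"{tok[2]}/{tok[3]}")
        dst = ipaddress.ip_network(f"{tok[4]}/{tok[5]}")
        pairs.append((src, dst))
    return pairs


def is_mirror(a, b):
    """True when side b holds exactly the reversed (dst, src) of every entry on side a."""
    return set(parse(a)) == {(d, s) for s, d in parse(b)}


def covered(initiator, responder):
    """Assumed rule: every pair the initiator would propose must fall inside
    some responder entry, read in the responder's reversed direction."""
    resp = parse(responder)
    return all(
        any(s.subnet_of(rd) and d.subnet_of(rs) for rs, rd in resp)
        for s, d in parse(initiator)
    )


if __name__ == "__main__":
    for name, pix in (("before", PIX_BEFORE), ("after", PIX_AFTER)):
        print(name, "| mirror:", is_mirror(ROUTER, pix),
              "| PIX initiates:", covered(pix, ROUTER),
              "| router initiates:", covered(ROUTER, pix))
```

Under that assumption, the "before" lists give the symptom reported in the first post: the PIX's /24 proposals fit inside the router's /16 entry, while the router's /16 proposal fits neither PIX entry.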
