Cisco Support Community

New Member

PIX to PIX VPN

I set up two 515 PIXes to create a VPN between them. It all works fine when I tested it on two routers connected back to back. When I connect my PIXes on two internet connections and try to establish a VPN, I can't. One of the ISPs changed the access list on the router and the other router is without any access list. Please, if anybody can help.

Henk

2 REPLIES
New Member

Re: PIX to PIX VPN

I would suggest starting with configs and debugs in this situation. If it worked back-to-back in the lab, you'd better look harder at the ISP. Have them check their access-lists for IP protocol 50 & 51 blocking. Remember, if there’s an access list at all, and there’s no permit statement, there is an implicit deny. Usually ISPs don’t run access-lists and leave all the filtering up to their customers. If they are sure they are not blocking anything, I'd suggest opening a TAC case.
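
The implicit deny described in the reply above can be checked offline. This is an added example, not part of the original post and not Cisco code: it evaluates a simplified IOS-style extended ACL first-match for the IPsec flows between two peers. The ACL lines, the peer addresses (documentation ranges) and the IKE UDP/500 check are assumptions constructed for illustration.

```python
# Added example: first-match evaluation of a simplified IOS extended ACL.
# Supported syntax (assumption): access-list N permit|deny PROTO SRC DST [eq PORT]
# where SRC/DST is "any" or "host A.B.C.D". Wildcard masks are not handled.
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}
PORTS = {"isakmp": 500}

def parse(line):
    t = line.split()
    action, proto = t[2], t[3]
    i, addrs = 4, []
    for _ in range(2):                       # source, then destination
        if t[i] == "any":
            addrs.append(None); i += 1
        else:                                # "host A.B.C.D"
            addrs.append(t[i + 1]); i += 2
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORTS.get(t[i + 1]) or int(t[i + 1])
    num = None if proto == "ip" else PROTO.get(proto) or int(proto)
    return action, num, addrs[0], addrs[1], port

def verdict(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet."""
    if acl is None:                          # no ACL applied: nothing is filtered
        return "permit"
    for action, p, s, d, port in map(parse, acl):
        if p is not None and p != proto: continue
        if s is not None and s != src: continue
        if d is not None and d != dst: continue
        if port is not None and port != dport: continue
        return action                        # first matching line wins
    return "deny"                            # implicit deny ends every ACL

def ipsec_report(acl, peer_a, peer_b):
    flows = {"ESP (50)": (50, None), "AH (51)": (51, None), "IKE (udp/500)": (17, 500)}
    return {n: verdict(acl, p, peer_a, peer_b, port) for n, (p, port) in flows.items()}

# Constructed sample: ping and IKE pass, but no line permits protocol 50 or 51.
ISP_ACL = ["access-list 101 permit tcp any any eq 80",
           "access-list 101 permit icmp any any",
           "access-list 101 permit udp any host 198.51.100.1 eq isakmp"]
FIXED = ISP_ACL + ["access-list 101 permit esp host 192.0.2.1 host 198.51.100.1",
                   "access-list 101 permit ahp host 192.0.2.1 host 198.51.100.1"]

if __name__ == "__main__":
    for name, acl in (("ISP_ACL", ISP_ACL), ("FIXED", FIXED), ("no ACL", None)):
        print(name, ipsec_report(acl, "192.0.2.1", "198.51.100.1"))
```

With the constructed `ISP_ACL`, ICMP and IKE are permitted while ESP and AH fall through to the implicit deny, which matches the symptom of peers that can ping each other but cannot pass tunnel traffic.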

New Member

Re: PIX to PIX VPN

Hi Henk,

First determine if the two devices can ping each other. Use the debug packet command on each PIX to verify if the traffic is making it past your access router. Also make sure you changed your default route to the next hop, which appears to be your ISP routers. You also need to create a static entry in your router allowing traffic to go from the lower security interface (outside) to the higher one (inside). It may be easier just to enter the command "sysopt connection permit-ipsec".
