Cisco Support Community
New Member

Site to Site VPN access to WAN Subnet

We currently have a number of site-to-site VPN solutions set up. We have one particular remote office setup that is experiencing problems accessing one of our other subnets. We are the host VPN location using a PIX 515e version 6.1(2) and the new remote site is using a PIX 501 version 6.2(2). They can access everything on my subnet 192.168.X.X, but when pinging our main location 172.16.X.X they receive "request time out". There are 2 Cisco 2600 routers that connect our location to the main location via frame and we have added everything I know to allow our new site to access our location and the main location on "our" PIX and router. I have contacted our WAN Analyst at the main office and instructed him that he needed to add the new remote site subnet to their router, but he says it won't work. My thought.... NO WAY. That's why it's a router and the PIX shouldn't matter as long as you have the access list to allow. Need suggestions or confirmation I'm on the right path.


Cisco Employee

Re: Site to Site VPN access to WAN Subnet

So the 192.168.x.x and the 172.16.x.x are both behind your 515e. If so, you need to define both subnets in your crypto access-list on the 515e (as the source networks) and on the remote 501 (as the remote networks).

Also make sure the router that connects to the 172.16.x.x network has a route to the network behind the remote 501, that eventually points to the inside interface of the 515e. So, your WAN analyst doesn't need to add the remote site subnet to his/her router, but they do need to add a route to that network on their router. If you don't have this you're never going to be able to connect.
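
The crypto access-list requirement in the reply above can be checked offline against both PIX configurations. The following is an added example, not part of the thread and not Cisco tooling: it parses `access-list ... permit ip` lines from each peer and reports hub subnets that are not listed as sources, plus entries the other side does not mirror. The ACL name `vpn`, the remote LAN 10.50.1.0/24 and the /16 masks are assumptions, since the thread elides the real addresses.

```python
import ipaddress

# Constructed sample configs. The 10.50.1.0/24 remote LAN, the /16 masks and
# the ACL name "vpn" are assumptions; the thread elides all real addresses.
HUB_515E = """
access-list vpn permit ip 192.168.0.0 255.255.0.0 10.50.1.0 255.255.255.0
access-list vpn permit ip 172.16.0.0 255.255.0.0 10.50.1.0 255.255.255.0
"""
# The remote side only knows about 192.168.x.x, so 172.16.x.x never matches.
REMOTE_501 = """
access-list vpn permit ip 10.50.1.0 255.255.255.0 192.168.0.0 255.255.0.0
"""


def crypto_pairs(config, acl_name):
    """Return the set of (source, destination) networks permitted by one ACL."""
    pairs = set()
    for line in config.splitlines():
        f = line.split()
        # Expected form: access-list NAME permit ip SRC SMASK DST DMASK
        if len(f) == 8 and f[:4] == ["access-list", acl_name, "permit", "ip"]:
            src = ipaddress.ip_network(f"{f[4]}/{f[5]}")
            dst = ipaddress.ip_network(f"{f[6]}/{f[7]}")
            pairs.add((src, dst))
    return pairs


def audit(hub_cfg, remote_cfg, hub_subnets, acl_name="vpn"):
    """List hub subnets missing from the hub ACL and entries with no mirror."""
    hub = crypto_pairs(hub_cfg, acl_name)
    remote = crypto_pairs(remote_cfg, acl_name)
    problems = []
    for net in map(ipaddress.ip_network, hub_subnets):
        if not any(net.subnet_of(src) for src, _ in hub):
            problems.append(f"hub ACL has no source entry covering {net}")
    # Each peer's ACL must be the other's with source and destination swapped.
    for src, dst in sorted(hub - {(d, s) for s, d in remote}):
        problems.append(f"remote ACL lacks mirror entry: {dst} -> {src}")
    for src, dst in sorted(remote - {(d, s) for s, d in hub}):
        problems.append(f"hub ACL lacks mirror entry: {dst} -> {src}")
    return problems


if __name__ == "__main__":
    for p in audit(HUB_515E, REMOTE_501, ["192.168.0.0/16", "172.16.0.0/16"]):
        print(p)
```

This covers only the crypto access-lists; the return route on the router in front of the 172.16.x.x network has to be verified separately.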