Cisco Support Community

New Member

PIX 501 VPN SITE TO SITE

My VPN goes up only if I ping from a specific side.

If I ping from the other side, the VPN doesn't go up and the message is MM_NOSTATE.

The good side is pix.txt conf

The bad side is pixe.txt conf

4 REPLIES
Hall of Fame Super Blue

Re: PIX 501 VPN SITE TO SITE

Hi

Your crypto map access-lists don't match, i.e.

pix.txt

access-list bsns_out permit ip 14.1.0.0 255.255.255.0 10.20.0.0 255.255.255.0

access-list bsns_out permit ip 14.1.0.0 255.255.255.0 192.168.1.0 255.255.255.0

pixe.txt

access-list bsns_out permit ip 10.20.0.0 255.255.255.0 14.1.0.0 255.255.255.0

access-list bsns_out permit ip 10.20.0.0 255.255.255.0 14.2.0.0 255.255.255.0

These should match and you will need to ensure that your nonat access-lists match this as well.

Jon

New Member

Re: PIX 501 VPN SITE TO SITE

Sorry, why don't they match?

pix.txt

14.1.0.0 is internal lan

10.20.0.0 is external lan (destination)

192.168.1.0 is outside int of pixe.txt

pixe.txt

10.20.0.0 is internal lan

14.1.0.0 is external lan (destination)

14.2.0.0 is outside int of pix.txt

Hall of Fame Super Blue

Re: PIX 501 VPN SITE TO SITE

They don't match because crypto access-lists should just be the reverse of each other, so update your access-lists as follows:

pix.txt

access-list bsns_out permit ip 14.1.0.0 255.255.255.0 10.20.0.0 255.255.255.0

access-list bsns_out permit ip 14.1.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list bsns_out permit ip 14.2.0.0 255.255.255.0 10.20.0.0 255.255.255.0

pixe.txt

access-list bsns_out permit ip 10.20.0.0 255.255.255.0 14.1.0.0 255.255.255.0

access-list bsns_out permit ip 10.20.0.0 255.255.255.0 14.2.0.0 255.255.255.0

access-list bsns_out permit ip 192.168.1.0 255.255.255.0 14.1.0.0 255.255.255.0

Also, where are you connecting from/to when it works and when it doesn't work?

Jon
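
A check for the mirroring rule described in the reply above, as an added example that is not part of the original thread: it parses the bsns_out entries of both peers and reports any entry without a reversed counterpart on the other side. The function names are hypothetical, and it assumes only the "permit ip <net> <mask> <net> <mask>" form shown in the posts.

```python
import ipaddress
import re

# PIX-style entry: access-list NAME permit ip SRC SRCMASK DST DSTMASK
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_crypto_acl(config_text, acl_name):
    """Return the set of (src_net, dst_net) pairs of one access-list."""
    entries = set()
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue  # other ACLs, blank lines, unsupported forms
        src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
        dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
        entries.add((src, dst))
    return entries

def mirror_diff(local, remote):
    """Compare the remote ACL with the reverse of the local ACL.

    Returns (missing_on_remote, extra_on_remote), both expressed as
    (src, dst) pairs from the remote peer's point of view.
    """
    expected_remote = {(dst, src) for src, dst in local}
    return expected_remote - remote, remote - expected_remote

# ACL lines as posted in the thread (original and after the suggested update).
PIX_ORIG = """access-list bsns_out permit ip 14.1.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list bsns_out permit ip 14.1.0.0 255.255.255.0 192.168.1.0 255.255.255.0"""
PIXE_ORIG = """access-list bsns_out permit ip 10.20.0.0 255.255.255.0 14.1.0.0 255.255.255.0
access-list bsns_out permit ip 10.20.0.0 255.255.255.0 14.2.0.0 255.255.255.0"""
PIX_FIXED = PIX_ORIG + """
access-list bsns_out permit ip 14.2.0.0 255.255.255.0 10.20.0.0 255.255.255.0"""
PIXE_FIXED = PIXE_ORIG + """
access-list bsns_out permit ip 192.168.1.0 255.255.255.0 14.1.0.0 255.255.255.0"""

if __name__ == "__main__":
    for label, a, b in (("original", PIX_ORIG, PIXE_ORIG),
                        ("updated", PIX_FIXED, PIXE_FIXED)):
        missing, extra = mirror_diff(parse_crypto_acl(a, "bsns_out"),
                                     parse_crypto_acl(b, "bsns_out"))
        print(label, "missing on pixe:", sorted(map(str, m) for m in missing))
        print(label, "extra on pixe:  ", sorted(map(str, e) for e in extra))
```
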

New Member

Re: PIX 501 VPN SITE TO SITE

Thanks very much
