Help with Pix to Pix VPN - Not much Hair left!

I'm getting ready to chuck these PIX 515e firewalls!

I'm at my wit's end.

Both are running Cisco PIX Security Appliance Software Version 7.0(5)

Network is set up as follows:

10.1.x.x  Internet Connection
10.3.x.x  Serial T1  10.1.x.x
10.10.x.x Serial T1  10.1.x.x
10.11.x.x VPN Connection to 10.1.x.x

10.2.x.x  Internet Connection
10.6.x.x  LAN to LAN  10.2.x.x

I've done something similar, though I broke it down to Location:

object-group network NETWORK-OLIVET-ALL
 network-object 10.11.0.0 255.255.0.0
object-group network NETWORK-SF-VPN
 network-object 10.2.0.0 255.255.0.0
 network-object 10.6.0.0 255.255.0.0
object-group network NETWORK-HBG-VPN
 network-object 10.1.0.0 255.255.0.0
 network-object 10.3.0.0 255.255.0.0
 network-object 10.10.0.0 255.255.0.0

NETWORK-OLIVET-ALL and NETWORK-HBG-VPN are on 'Inside'; NETWORK-SF-VPN is at 'Peer'.

'Inside' PIX has the following:

access-list inside_nat extended permit ip object-group NETWORK-OLIVET-ALL object-group NETWORK-SF-VPN
access-list inside_nat extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
access-list outside-HBG_cryptomap_40 extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
access-list outside-HBG_cryptomap_40 extended permit ip object-group NETWORK-OLIVET-ALL object-group NETWORK-SF-VPN
access-list outside-HBG_cryptomap_20 extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
access-list outside-HBG_cryptomap_20 extended permit ip object-group NETWORK-OLIVET-ALL object-group NETWORK-SF-VPN
access-list outside-HBG_nat0_inbound extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
access-list outside-HBG_nat0_inbound extended permit ip object-group NETWORK-OLIVET-ALL object-group NETWORK-SF-VPN
access-list outside-HBG_nat0_outbound extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
access-list outside-HBG_nat0_outbound extended permit ip object-group NETWORK-OLIVET-ALL object-group NETWORK-SF-VPN

'Peer' PIX has the following:

access-list inside_nat extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN
access-list inside_nat extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-ALL
access-list outside-SF_nat0_outbound extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN
access-list outside-SF_nat0_outbound extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-ALL
access-list outside-SF_cryptomap_20 extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN
access-list outside-SF_cryptomap_20 extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-ALL
access-list outside-SF_nat0_inbound extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN
access-list outside-SF_nat0_inbound extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-ALL
access-list charlie_tunnel extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN
access-list charlie_tunnel extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-ALL

So here is my issue:

10.2.x.x can see 10.6.x.x, 10.1.x.x, 10.11.x.x, 10.3.x.x, 10.10.x.x. Great, it can see all.
10.11.x.x can see 10.6.x.x, 10.1.x.x, 10.2.x.x, 10.3.x.x, 10.10.x.x. Great, it can see all.
10.3.x.x can see 10.6.x.x, 10.1.x.x, 10.2.x.x, 10.11.x.x, 10.10.x.x. Great, it can see all.
10.10.x.x can see 10.6.x.x, 10.1.x.x, 10.2.x.x, 10.3.x.x, 10.11.x.x. Great, it can see all.
10.6.x.x can see 10.2.x.x, 10.3.x.x, 10.10.x.x, 10.11.x.x. It cannot see 10.1.x.x.

10.1.x.x can see 10.2.x.x, 10.3.x.x, 10.10.x.x, 10.11.x.x. It cannot see 10.6.x.x.

10.2.x.x is connected to 10.6.x.x by a Netopia. I do not think that it is the issue, as 10.6.x.x can see across the PIX to PIX VPN, then from the Remote Office PIX to PIX VPN to the 10.11.x.x network. So it's hairpinning at the 10.1.x.x to get to 10.11.

How can I trace the traffic to see where it's being dropped?

Thanks, Scott

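The tracing question at the end of the post has two halves. On the box itself, on a 7.0 PIX, the per-SA packet counters in show crypto ipsec sa and a capture on the inside and outside interfaces tell you whether a packet reaches the firewall and whether it leaves encrypted. Before that it is worth checking the policy offline, because a flow that is NAT-exempted and "interesting" on one side but not mirrored on the other never gets a phase 2 SA, and two crypto map entries whose ACLs select the same traffic means only the first one is ever used. The script below is an added example, not code from the post or from Cisco. It parses the object-groups and ACLs as posted (the excerpt is constructed from the post and leaves out inside_nat, the *_nat0_inbound lists and charlie_tunnel), assumes that ACL names containing "nat0" and "cryptomap" are the ones bound to NAT exemption and to the crypto map, and for one flow reports which entries match on each side, whether the peer covers the return flow, and which crypto-map ACLs overlap. The function names and the sample flow are the example's own.

```python
"""Offline check of a PIX-to-PIX VPN policy; added example, not from the post or Cisco.
Parses both peers' object-groups and nat0 / crypto-map ACLs, shows which entries one
flow hits on each side and whether the peer's crypto ACL covers the return flow, and
flags crypto-map ACLs with overlapping entries (only the first matching crypto map
entry carries a flow, so a duplicate entry is dead policy).
"""
import ipaddress
from collections import defaultdict

# Constructed excerpt of the posted configs. ACL names containing "nat0" and
# "cryptomap" are assumed to be the ones bound to NAT exemption and the crypto
# map; the inside_nat, *_nat0_inbound and charlie_tunnel lists are left out.
_GROUPS = """\
object-group network NETWORK-OLIVET-ALL
 network-object 10.11.0.0 255.255.0.0
object-group network NETWORK-SF-VPN
 network-object 10.2.0.0 255.255.0.0
 network-object 10.6.0.0 255.255.0.0
object-group network NETWORK-HBG-VPN
 network-object 10.1.0.0 255.255.0.0
 network-object 10.3.0.0 255.255.0.0
 network-object 10.10.0.0 255.255.0.0
"""
INSIDE_CFG = _GROUPS + """\
access-list outside-HBG_cryptomap_40 extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
access-list outside-HBG_cryptomap_40 extended permit ip object-group NETWORK-OLIVET-ALL object-group NETWORK-SF-VPN
access-list outside-HBG_cryptomap_20 extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
access-list outside-HBG_cryptomap_20 extended permit ip object-group NETWORK-OLIVET-ALL object-group NETWORK-SF-VPN
access-list outside-HBG_nat0_outbound extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
access-list outside-HBG_nat0_outbound extended permit ip object-group NETWORK-OLIVET-ALL object-group NETWORK-SF-VPN
"""
PEER_CFG = _GROUPS + """\
access-list outside-SF_nat0_outbound extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN
access-list outside-SF_nat0_outbound extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-ALL
access-list outside-SF_cryptomap_20 extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN
access-list outside-SF_cryptomap_20 extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-ALL
"""

def _addr(tokens, groups):
    """Consume one ACE address spec; return (list of networks, remaining tokens)."""
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]

def parse(cfg):
    """Return ({group: [networks]}, {acl: [(action, src_nets, dst_nets)]})."""
    groups, acls, current = defaultdict(list), defaultdict(list), None
    for line in cfg.splitlines():
        t = line.split()
        if t[:2] == ["object-group", "network"]:
            current = t[2]
        elif t and t[0] == "network-object":
            groups[current].append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t and t[0] == "access-list" and t[2] == "extended" and t[4] == "ip":
            # access-list NAME extended permit|deny ip SRC DST
            src, rest = _addr(t[5:], groups)
            dst, _ = _addr(rest, groups)
            acls[t[1]].append((t[3], src, dst))
    return groups, acls

def match(acl, src_ip, dst_ip):
    """First-match lookup: 'permit', 'deny', or None for the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_nets, dst_nets in acl:
        if any(src in n for n in src_nets) and any(dst in n for n in dst_nets):
            return action
    return None

def _permitting(acls, tag, src_ip, dst_ip):
    return sorted(n for n, a in acls.items() if tag in n and match(a, src_ip, dst_ip) == "permit")

def trace(src_ip, dst_ip, local_cfg, peer_cfg):
    """Local nat0/crypto hits for src->dst, and peer hits for the return flow dst->src."""
    local, peer = parse(local_cfg)[1], parse(peer_cfg)[1]
    r = {"local_nat0": _permitting(local, "nat0", src_ip, dst_ip),
         "local_crypto": _permitting(local, "cryptomap", src_ip, dst_ip),
         "peer_nat0": _permitting(peer, "nat0", dst_ip, src_ip),
         "peer_crypto": _permitting(peer, "cryptomap", dst_ip, src_ip)}
    # Phase 2 only comes up when both ends consider the flow interesting.
    r["mirrored"] = bool(r["local_crypto"] and r["peer_crypto"])
    return r

def _ace_overlap(x, y):
    return (any(s.overlaps(t) for s in x[1] for t in y[1])
            and any(s.overlaps(t) for s in x[2] for t in y[2]))

def overlapping_crypto_acls(cfg):
    """Pairs of crypto-map ACLs whose permit entries select the same traffic."""
    acls = parse(cfg)[1]
    names = sorted(n for n in acls if "cryptomap" in n)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if any(_ace_overlap(x, y) for x in acls[a] for y in acls[b]
                   if x[0] == y[0] == "permit")]

if __name__ == "__main__":
    print(trace("10.1.0.10", "10.6.0.10", INSIDE_CFG, PEER_CFG))
    print(overlapping_crypto_acls(INSIDE_CFG))
```

Run against the posted lists, a 10.1.x.x to 10.6.x.x flow is NAT-exempted and interesting on both sides, so the ACLs alone do not explain the drop; what the script does surface is that outside-HBG_cryptomap_20 and outside-HBG_cryptomap_40 on the Inside PIX select identical traffic, so whichever crypto map entry has the lower sequence number is the only one that can ever carry it. The next step is the on-box counters and captures for that specific flow, on both firewalls.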

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.