Greetings, I recently tried to get a customer site up via a PIX to PIX l2l VPN. I'll start with the issue that did not work after we gave up on the initial issue...Site A already has a site to site with Site B. Not all the networks needed are going across it. VPN config stuff....
---Site A---
access-list outside_crypto_map_13 permit ip 172.20.8.0 255.255.252.0 172.20.0.0 255.255.252.0
access-list outside_crypto_map_13 permit ip 172.20.12.0 255.255.255.0 172.20.0.0 255.255.252.0
access-list outside_crypto_map_13 permit ip 172.21.8.0 255.255.252.0 172.20.0.0 255.255.252.0
access-list nonat permit ip 172.20.8.0 255.255.252.0 172.20.0.0 255.255.252.0
access-list nonat permit ip 172.20.12.0 255.255.255.0 172.20.0.0 255.255.252.0
access-list nonat permit ip 172.21.8.0 255.255.252.0 172.20.0.0 255.255.252.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 13 ipsec-isakmp
crypto map outside_map 13 match address outside_crypto_map_13
crypto map outside_map 13 set pfs group2
crypto map outside_map 13 set peer 1.1.1.1
crypto map outside_map 13 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

---Site B---
access-list nonat permit ip 172.20.0.0 255.255.252.0 172.20.16.0 255.255.252.0
access-list nonat permit ip 172.21.0.0 255.255.252.0 172.21.16.0 255.255.252.0
access-list nonat permit ip 172.20.0.0 255.255.252.0 172.20.216.0 255.255.255.0
access-list nonat permit ip 172.20.0.0 255.255.252.0 172.20.8.0 255.255.252.0
access-list nonat permit ip 172.20.0.0 255.255.252.0 172.21.16.0 255.255.252.0
access-list nonat permit ip 172.20.0.0 255.255.252.0 172.20.12.0 255.255.255.0
access-list nonat permit ip 172.20.0.0 255.255.252.0 172.21.8.0 255.255.252.0
access-list outside_crypto_map_11 permit ip 172.20.0.0 255.255.252.0 172.20.8.0 255.255.252.0
access-list outside_crypto_map_11 permit ip 172.20.0.0 255.255.252.0 172.20.12.0 255.255.255.0
access-list outside_crypto_map_11 permit ip 172.20.0.0 255.255.252.0 172.21.8.0 255.255.252.0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 11 ipsec-isakmp
crypto map outside_map 11 match address outside_crypto_map_11
crypto map outside_map 11 set pfs group2
crypto map outside_map 11 set peer 2.2.2.2
crypto map outside_map 11 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

In the above configuration, Site A can talk to the 172.20.x.x networks with no problems. Site B can talk to Site A via its 172.20 network, no problem. After I could not get Site A to talk to Site B and C properly, I reverted to just working on A to B / B to A comms. We want the Site A networks to talk to Site B's 172.21.x.x networks. So, I thought since there was an existing tunnel that worked, I'd just modify the crypto maps and nat 0 statements. Something like...
---Site A---
access-list outside_crypto_map_13 permit ip 172.21.8.0 255.255.252.0 172.21.0.0 255.255.252.0
access-list outside_crypto_map_13 permit ip 172.21.8.0 255.255.252.0 172.21.20.0 255.255.252.0
access-list nonat permit ip 172.20.8.0 255.255.252.0 172.16.0.0 255.255.240.0
access-list nonat permit ip 172.20.12.0 255.255.255.0 172.16.0.0 255.255.240.0
access-list nonat permit ip 172.21.8.0 255.255.252.0 172.16.0.0 255.255.240.0
! There is more stuff, but in this case 172.21.8.x should be able to talk to any 172.16.x.x network at Site B

---Site B---
access-list outside_crypto_map_11 permit ip 172.21.0.0 255.255.252.0 172.20.8.0 255.255.252.0
access-list outside_crypto_map_11 permit ip 172.21.0.0 255.255.252.0 172.20.12.0 255.255.255.0
access-list outside_crypto_map_11 permit ip 172.21.0.0 255.255.252.0 172.21.8.0 255.255.252.0
access-list nonat permit ip 172.21.0.0 255.255.252.0 172.20.8.0 255.255.252.0
access-list nonat permit ip 172.21.0.0 255.255.252.0 172.21.8.0 255.255.252.0

If I'm not mistaken, 172.21.8.x should freely be able to talk to 172.21.0.x and vice versa. There should be no reason why not. Any suggestions? The other part of this setup is a different store.
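An added example, not part of the original post or of any Cisco tooling: a small Python check of the two things a PIX-to-PIX tunnel like the one above depends on. Each crypto ACL entry on one side must have its exact mirror (destination and source swapped) in the peer's crypto ACL, or phase 2 never agrees on proxy IDs; and each crypto ACL entry must be fully covered by a nat 0 entry, or the traffic is translated before the crypto map sees it and no longer matches. The script parses the `access-list ... permit ip` lines copied from the post (PIX 6.x syntax, dotted masks) and reports the gaps. It runs against the originally working Site A / Site B crypto and nonat lines as a baseline and against the modified snippets; the post says Site A has "more stuff" that is not shown, so a gap reported against the modified Site A text may already be covered by lines we cannot see.

```python
import ipaddress
import re

# Crypto-map and nat 0 ACL lines copied from the post's working configuration
# (only the access-list lines are needed for this check).
SITE_A_ORIG = """
access-list outside_crypto_map_13 permit ip 172.20.8.0 255.255.252.0 172.20.0.0 255.255.252.0
access-list outside_crypto_map_13 permit ip 172.20.12.0 255.255.255.0 172.20.0.0 255.255.252.0
access-list outside_crypto_map_13 permit ip 172.21.8.0 255.255.252.0 172.20.0.0 255.255.252.0
access-list nonat permit ip 172.20.8.0 255.255.252.0 172.20.0.0 255.255.252.0
access-list nonat permit ip 172.20.12.0 255.255.255.0 172.20.0.0 255.255.252.0
access-list nonat permit ip 172.21.8.0 255.255.252.0 172.20.0.0 255.255.252.0
"""
SITE_B_ORIG = """
access-list nonat permit ip 172.20.0.0 255.255.252.0 172.20.8.0 255.255.252.0
access-list nonat permit ip 172.20.0.0 255.255.252.0 172.20.12.0 255.255.255.0
access-list nonat permit ip 172.20.0.0 255.255.252.0 172.21.8.0 255.255.252.0
access-list outside_crypto_map_11 permit ip 172.20.0.0 255.255.252.0 172.20.8.0 255.255.252.0
access-list outside_crypto_map_11 permit ip 172.20.0.0 255.255.252.0 172.20.12.0 255.255.255.0
access-list outside_crypto_map_11 permit ip 172.20.0.0 255.255.252.0 172.21.8.0 255.255.252.0
"""

# The modified snippets as posted. The poster notes Site A has more lines
# than shown, so findings against SITE_A_MOD are about the visible text only.
SITE_A_MOD = """
access-list outside_crypto_map_13 permit ip 172.21.8.0 255.255.252.0 172.21.0.0 255.255.252.0
access-list outside_crypto_map_13 permit ip 172.21.8.0 255.255.252.0 172.21.20.0 255.255.252.0
access-list nonat permit ip 172.20.8.0 255.255.252.0 172.16.0.0 255.255.240.0
access-list nonat permit ip 172.20.12.0 255.255.255.0 172.16.0.0 255.255.240.0
access-list nonat permit ip 172.21.8.0 255.255.252.0 172.16.0.0 255.255.240.0
"""
SITE_B_MOD = """
access-list outside_crypto_map_11 permit ip 172.21.0.0 255.255.252.0 172.20.8.0 255.255.252.0
access-list outside_crypto_map_11 permit ip 172.21.0.0 255.255.252.0 172.20.12.0 255.255.255.0
access-list outside_crypto_map_11 permit ip 172.21.0.0 255.255.252.0 172.21.8.0 255.255.252.0
access-list nonat permit ip 172.21.0.0 255.255.252.0 172.20.8.0 255.255.252.0
access-list nonat permit ip 172.21.0.0 255.255.252.0 172.21.8.0 255.255.252.0
"""

# PIX extended ACL with dotted subnet masks: name, src, smask, dst, dmask.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_acl(config, name):
    """Return (src_net, dst_net) pairs for the named ACL. ipaddress accepts
    'addr/dotted-mask', which is exactly the PIX 6.x notation."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            _, src, smask, dst, dmask = m.groups()
            entries.append((ipaddress.ip_network(f"{src}/{smask}"),
                            ipaddress.ip_network(f"{dst}/{dmask}")))
    return entries


def missing_mirrors(local_crypto, remote_crypto):
    """Local crypto entries whose reverse (dst -> src) the peer does not list.
    Phase 2 proxy IDs must match exactly, so these never negotiate an SA."""
    remote = set(remote_crypto)
    return [(s, d) for s, d in local_crypto if (d, s) not in remote]


def crypto_not_exempted(crypto, nonat):
    """Crypto entries not fully inside some nat 0 entry: that traffic gets
    translated first and then fails to match its own crypto ACL."""
    def covered(s, d):
        return any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)
    return [(s, d) for s, d in crypto if not covered(s, d)]


def audit(site_a, a_crypto_name, site_b, b_crypto_name):
    """Run both checks in both directions and return the gaps per category."""
    a_crypto, b_crypto = parse_acl(site_a, a_crypto_name), parse_acl(site_b, b_crypto_name)
    a_nonat, b_nonat = parse_acl(site_a, "nonat"), parse_acl(site_b, "nonat")
    return {
        "a_without_mirror": missing_mirrors(a_crypto, b_crypto),
        "b_without_mirror": missing_mirrors(b_crypto, a_crypto),
        "a_crypto_natted": crypto_not_exempted(a_crypto, a_nonat),
        "b_crypto_natted": crypto_not_exempted(b_crypto, b_nonat),
    }


if __name__ == "__main__":
    for label, a, b in (("original", SITE_A_ORIG, SITE_B_ORIG),
                        ("modified", SITE_A_MOD, SITE_B_MOD)):
        print(f"== {label} ==")
        for key, gaps in audit(a, "outside_crypto_map_13", b, "outside_crypto_map_11").items():
            print(f"{key}: " + (", ".join(f"{s} -> {d}" for s, d in gaps) or "none"))
```

Against the working configuration every category comes back empty, which is what a healthy mirrored pair looks like. Against the modified snippets the check flags the Site A entry for 172.21.20.0/22 as having no mirror at Site B, the Site B entries for 172.20.8.0/22 and 172.20.12.0/24 as having no visible mirror at Site A, the two new Site A crypto entries as not covered by the visible nonat lines (those point at 172.16.0.0/20, not 172.21.0.0/22), and the Site B crypto entry for 172.20.12.0/24 as missing from Site B's posted nonat. Whether each is a real gap or just a line the post left out is something only the full running configs can settle.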