2 x PIX 506E's and an 837

Help please.

I have spent most of the day putting together what I considered was a very simple config. I have 2 x PIX 506's connected into the 4 port switch on the back of a Cisco 837.

I wanted to create a tunnel between both PIX's. My IP scheme is as follows:

PIX1 Inside - 10.1.0.0 /24 PIX1 Outside - 80.X.X.X /29

PIX2 Inside - 10.2.0.0/24 PIX2 Outside - 80.X.X.X/29

837 - Ethernet 0 - 80.X.X.X/29, Dialer0 - IP Unnumbered Ethernet0. NB: I put static routes on the 837 to the PIX1 and PIX2 LAN addresses.

On the PIX's I believe that I have done everything in the correct way. The config has been omitted because it's the access-list that's the problem. I am not seeing any hit-counts. The statement on PIX1 (reversed for PIX 2) is as follows:

access-list traffic permit ip 10.1.0.0 255.255.255 10.2.0.0 255.255.255.0

The pre-shared keys, DH group, encryption, peer addresses, Crypto map statements etc for ISAKMP / IPSEC all appear to be OK.

Is there an issue with using an 837 in this config?

Regards

-- Darren Green

Reply to
Darren Green

In article, Darren Green wrote:
:I have 2 x PIX 506's connected into the 4 port switch on the back of a Cisco 837.

:The statement on PIX1 (reversed for PIX 2) is as follows:

:access-list traffic permit ip 10.1.0.0 255.255.255 10.2.0.0 255.255.255.0

Is that a typo? You have missed one of the octets on the mask after 10.1.0.0 .

Have you made sure to nat 0 access-list the traffic between the two? If not then the crypto 'match address' ACL is never going to match, because the 'match address' ACL is examined *after* translation: if you haven't exempted the traffic from translation then the source IP that the crypto map would see would be the 'global' address.

Reply to
Walter Roberson
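The order of operations in the reply above (translation first, crypto map 'match address' afterwards) is what makes a missing nat 0 exemption silent: the crypto ACL never sees the private source address, so its hit-count stays at zero. The following is an added illustration, not configuration from the thread or Cisco code: a small Python model of that outbound path, with the two access-lists parsed from PIX-style lines. The addresses, ACL names and the 198.51.100.2 stand-in for the 80.X.X.X outside address are constructed, and the PIX packet flow is reduced to the three steps the reply describes. The same parser also shows why the four-octet mask check catches the 255.255.255 typo flagged in the reply.

```python
import ipaddress


def parse_mask(mask):
    """Accept only a four-octet dotted mask, as PIX access-list syntax requires."""
    parts = mask.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"malformed netmask {mask!r}: expected four octets")
    return mask


def parse_acl_line(line):
    """Parse 'access-list NAME permit|deny ip SRC SMASK DST DMASK' into networks."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported access-list syntax: {line!r}")
    name, action = tok[1], tok[2]
    src = ipaddress.ip_network(f"{tok[4]}/{parse_mask(tok[5])}", strict=False)
    dst = ipaddress.ip_network(f"{tok[6]}/{parse_mask(tok[7])}", strict=False)
    return {"name": name, "action": action, "src": src, "dst": dst}


def acl_permits(entries, src_ip, dst_ip):
    """First-match semantics: the first entry covering src and dst decides."""
    for entry in entries:
        if src_ip in entry["src"] and dst_ip in entry["dst"]:
            return entry["action"] == "permit"
    return False  # implicit deny at the end of every access-list


def outbound_path(src, dst, nat0_acl, crypto_acl, global_ip):
    """Model the outbound order of operations described in the thread:
    1. nat 0 exemption is checked against the original (pre-NAT) addresses;
    2. otherwise the source is translated to the global (outside interface) address,
       as 'nat (inside) 1' + 'global (outside) 1 interface' would do;
    3. the crypto map 'match address' ACL is evaluated on the post-NAT packet."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl_permits(nat0_acl, src_ip, dst_ip):
        seen_src = src_ip                       # exempted: keeps its private address
    else:
        seen_src = ipaddress.ip_address(global_ip)  # translated to the interface address
    return {
        "post_nat_src": str(seen_src),
        "crypto_hit": acl_permits(crypto_acl, seen_src, dst_ip),
    }


# Constructed sample configuration for PIX1 (the thread's 80.X.X.X is replaced by a
# documentation address; the ACL names are hypothetical).
CRYPTO_ACL = [parse_acl_line(
    "access-list traffic permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0")]
NAT0_ACL = [parse_acl_line(
    "access-list nonat permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0")]
PIX1_OUTSIDE = "198.51.100.2"
TYPO_LINE = "access-list traffic permit ip 10.1.0.0 255.255.255 10.2.0.0 255.255.255.0"


def without_nat0():
    """No 'nat 0 access-list nonat': PAT hides 10.1.0.x and the crypto ACL misses."""
    return outbound_path("10.1.0.5", "10.2.0.9", [], CRYPTO_ACL, PIX1_OUTSIDE)


def with_nat0():
    """With the exemption in place the crypto ACL sees 10.1.0.5 and matches."""
    return outbound_path("10.1.0.5", "10.2.0.9", NAT0_ACL, CRYPTO_ACL, PIX1_OUTSIDE)


def typo_line_is_rejected():
    """The three-octet mask from the original post fails the parser."""
    try:
        parse_acl_line(TYPO_LINE)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("without nat 0:", without_nat0())
    print("with nat 0:   ", with_nat0())
    print("typo rejected:", typo_line_is_rejected())
```

The check a practitioner would run on the real box is the one the thread already implies: `show access-list` hit-counts on the crypto ACL. In the model, the post-NAT source is the interface address until the exemption exists, which is exactly why those counters never move.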

Walter,

Thank you for your reply so quickly.

access-list traffic permit ip 10.1.0.0 255.255.255 10.2.0.0 255.255.255.0

A- Yes it's a typo, I thought that I had double checked it.

A- I had originally put in the commands: nat (inside) 1 etc and global (outside) 1 interface. I ended up taking them off in the end during the troubleshooting phase. I completely overlooked the nat 0 command - appreciate the pointer.

Regards

Darren

Reply to
Darren Green

Have you got a static translation configured to allow each network to address the other?

Regards

Reply to
Carl

I didn't have a static translation but I did get the opportunity to enter the nat 0 command and everything is now working fine.

Thanks for the replies.

Regards

Darren

Reply to
Darren Green
