I have the following setup:

10.3.0.0 10.1.0.0 Internet 10.2.0.0

I can talk from
10.1.0.0 to 10.3.0.0
10.3.0.0 to 10.1.0.0
10.1.0.0 to 10.2.0.0
10.2.0.0 to 10.1.0.0

I'd like to be able to talk from
10.2.0.0 to 10.3.0.0
10.3.0.0 to 10.2.0.0

Seems that my packet leaving 10.3.0.0 hit the PIX on 10.1.0.0 but it does not know to send it over the VPN link.
How does routing work over a VPN?
Traceroute from 10.2.0.0 to 10.3.0.0 dies at PIX B.
Traceroute from 10.3.0.0 to 10.2.0.0 dies at PIX A.
Both PIXs are set up similar to this:
access-list inside_nat extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list inside_nat extended permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0

access-list outside-SF_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside-SF_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside-SF_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list outside-SF_nat0_outbound extended permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside-SF_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list outside-SF_nat0_outbound extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0

access-list outside-SF_nat0_inbound extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside-SF_nat0_inbound extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside-SF_nat0_inbound extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list outside-SF_nat0_inbound extended permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside-SF_nat0_inbound extended permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list outside-SF_nat0_inbound extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0

access-list outside-SF_cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list outside-SF_cryptomap_20 extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside-SF_cryptomap_20 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside-SF_cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside-SF_cryptomap_20 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list outside-SF_cryptomap_20 extended permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0

access-list charlie_tunnel extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list charlie_tunnel extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list charlie_tunnel extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list charlie_tunnel extended permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list charlie_tunnel extended permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list charlie_tunnel extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0

nat (outside-SF) 0 access-list outside-SF_nat0_outbound
nat (outside-SF) 0 access-list outside-SF_nat0_inbound outside
nat (inside-SF) 0 access-list inside_nat
nat (inside-SF) 1 10.2.0.0 255.255.0.0
nat (dmz-sf) 0 access-list dmz-sf_nat0_outbound
access-group acl_outside in interface outside-SF
route outside-SF 0.0.0.0 0.0.0.0 1

group-policy charlie internal
group-policy charlie attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value charlie_tunnel

crypto map outside-SF_map 20 match address outside-SF_cryptomap_20