Changed inside IP subnet on PIX 501, can't VPN to PIX 515

So I have a PIX 501 that I configured to use the 10.14.0.0/16 subnet. The outside interface is DHCP, Comcast Internet. All is well: it connects, traffic passes and we are good.

I have a 1600 series router with Firewall IOS that I configured to use the 10.11.0.0/16 subnet. The outside interface is DHCP/PPPoE, AT&T DSL Internet. All is well: it connects, traffic passes and we are good.

Both are connected via preshared keys, DefaultRAGroup. All of the ACLs include both the 10.11.0.0/16 and 10.14.0.0/16 subnets.

So I want to replace the router with the PIX. I disconnect the router, reconfigure the PIX with 10.11.0.0/16 addresses, and reboot everything so the MAC addresses are flushed, and it won't connect.

I've turned on all the debugging on the PIX 501 and it's like it's not seeing any interesting traffic to initiate the VPN link.

Doing the show cry map, I see the ACL with the source/dest subnets and they are correct, though the hitcnt is 0.

It seems like if there was an issue on the PIX 515 side not liking the new client on the old subnet, at least I would see the connection attempt on the PIX 501 side.

Suggestions?

Scott

Scott Townsend

If I understand you correctly, the 1600 router is being swapped out for a PIX 501. The PIX 501 should create a VPN connection to a PIX 515. You are not seeing any hits on the PIX 501.

Other than posting a config, my initial guess would be to check your no-NAT. You should be seeing hits on your crypto ACLs; if not, this would tend to suggest that the address you are coming from is incorrect.

Remember NAT happens before encryption. You need to ensure you exempt your network from NAT first. You will then have a matching crypto ACL for encrypting the traffic after no-NAT/NAT; do not use the same ACL for both.

Post your config anyway.

Regards

Darren

Darren Green
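As an added example (not code from this thread, from Cisco, or from either poster), a small Python check of the rule Darren states: every crypto-map ACL entry must be covered by a nat (inside) 0 exemption, otherwise the traffic is translated before it can match the crypto ACL. The PIX 515 inside subnet is not given in the thread, so 10.99.0.0/16 is a placeholder for it, and the sample config is constructed.

```python
import re
from ipaddress import ip_network
# Constructed PIX 6.x sample; the PIX 515 inside subnet is not given in the
# thread, so 10.99.0.0/16 is a placeholder for it.
GOOD_CONFIG = """
access-list inside_nat0_outbound permit ip 10.11.0.0 255.255.0.0 10.99.0.0 255.255.0.0
access-list outside_cryptomap_20 permit ip 10.11.0.0 255.255.0.0 10.99.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.11.0.0 255.255.0.0 0 0
crypto map outside_map 20 match address outside_cryptomap_20
"""
# Same config with the nat (inside) 0 line wiped out, as in Scott's follow-up.
BROKEN_CONFIG = "\n".join(ln for ln in GOOD_CONFIG.splitlines()
                          if not ln.startswith("nat (inside) 0"))

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def parse_acls(config):
    """Map ACL name -> list of (src_net, dst_net) taken from 'permit ip' lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}")))
    return acls

def missing_nat0(config):
    """Crypto-ACL (src, dst) pairs not covered by any nat (inside) 0 entry.
    NAT runs before encryption, so an uncovered pair is translated and never
    matches the crypto ACL: hitcnt stays 0 and no tunnel is initiated."""
    acls = parse_acls(config)
    exempt = []
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            exempt.extend(acls.get(m.group(1), []))
    missing = []
    for line in config.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        for src, dst in acls.get(m.group(1), []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                missing.append((str(src), str(dst)))
    return missing
```

Running `missing_nat0` over the two constructed configs returns an empty list for the complete one and `[('10.11.0.0/16', '10.99.0.0/16')]` once the nat (inside) 0 line is gone, which is the zero-hitcnt symptom described in the first post.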

What looks like happened, and I'm not sure how, was my nat (inside) 0 was wiped out. )-;

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.11.0.0 255.255.0.0 0 0

I reconfigured the unit back with the 10.44.0.0/16 addressing config and it worked again. So I went through the two configs line by line. The 10.11.0.0/16 one was missing the nat (inside) 0 statement.

Thanks!

So my next trick is to get the 1600 as a backup. Hav

>> So I have a PIX 501 that I configured to use the 10.14.0.0/16 subnet.

Scott Townsend
