Hi All: I'm trying to follow Cisco's example for setting up a site-to-site VPN between two pix. Here's my config:
Pix 1
access-list 90 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside [PIX 1 outside IP] 255.255.255.248 pppoe setroute
ip address inside 192.168.0.254 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map vpnmap 100 set transform-set vpnset
crypto map vpnmap 100 ipsec-isakmp dynamic vpnmap
crypto map toPix2 20 ipsec-isakmp
crypto map toPix2 20 match address 90
crypto map toPix2 20 set peer 209.216.245.242
crypto map toPix2 20 set transform-set vpnset
crypto map toPix2 interface outside
isakmp enable outside
isakmp key ******** address [PIX 2 outside IP] netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Pix 2
access-list 80 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside [PIX 2 outside IP] 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map toPIX1 10 ipsec-isakmp
crypto map toPIX1 10 match address 80
crypto map toPIX1 10 set peer 69.0.0.214
crypto map toPIX1 10 set transform-set vpnset
crypto map toPIX1 interface outside
isakmp enable outside
isakmp key ******** address [PIX 1 outside IP] netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
Can anyone tell me what's wrong? I can't ping a machine in the PIX2 subnet from PIX1 subnet and vice versa.
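As an added check (example code, not part of the original post), a small script that compares the two peer configs for the conditions a PIX LAN-to-LAN tunnel needs: at least one ISAKMP policy that agrees on authentication, encryption, hash and DH group, crypto ACLs that are mirror images of each other, and sysopt connection permit-ipsec on both peers. The config excerpts are constructed from the lines in the post; the function names are my own.

```python
import re
# Constructed excerpts of the two configs in the post (only the lines the check reads).
PIX1 = """
access-list 90 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map toPix2 20 match address 90
sysopt connection permit-ipsec
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""
PIX2 = """
access-list 80 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map toPIX1 10 match address 80
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 1
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
POL_RE = re.compile(r"^isakmp policy (\d+) (authentication|encryption|hash|group) (\S+)$", re.M)

def isakmp_policies(cfg):
    """Policy number -> {attribute: value} for the phase-1 attributes peers must agree on."""
    pols = {}
    for num, attr, val in POL_RE.findall(cfg):
        pols.setdefault(int(num), {})[attr] = val
    return pols

def crypto_acl(cfg):
    """Permit entries (src, smask, dst, dmask) of the ACL the crypto map matches on."""
    name = re.search(r"^crypto map \S+ \d+ match address (\S+)$", cfg, re.M).group(1)
    return {(s, sm, d, dm) for n, s, sm, d, dm in ACL_RE.findall(cfg) if n == name}

def check_pair(cfg_a, cfg_b):
    """Return findings that would keep this LAN-to-LAN tunnel from passing traffic."""
    findings = []
    pa, pb = isakmp_policies(cfg_a), isakmp_policies(cfg_b)
    # Phase 1: some policy on each side must agree on all four attributes (lifetime may differ).
    if not any(a == b for a in pa.values() for b in pb.values()):
        findings.append("no ISAKMP policy matches on authentication/encryption/hash/group")
    # Phase 2: the crypto ACL on one peer must be the mirror image of the other's.
    mirrored_b = {(d, dm, s, sm) for s, sm, d, dm in crypto_acl(cfg_b)}
    if crypto_acl(cfg_a) != mirrored_b:
        findings.append("crypto ACLs are not mirror images")
    for label, cfg in (("PIX1", cfg_a), ("PIX2", cfg_b)):
        if "sysopt connection permit-ipsec" not in cfg:
            findings.append(f"{label} lacks 'sysopt connection permit-ipsec'")
    return findings
```

Running check_pair(PIX1, PIX2) lists every mismatch between the two excerpts; once the PIX2 lines are changed so that each finding clears, the list comes back empty.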