Hi,
This problem is giving me some headaches. I hope someone can help me out here.
I've got the following setup:
Internet -- router --- PIX1 ---DSLrouter1-- VPN --DSLrouter2--- PIX2 ----- LAN2 | LAN1
router: 10.194.124.1/27
LAN 1: 10.194.124.0/27
PIX 1 on the inside: 10.194.124.26/27
PIX 1 on the outside: 217.21.245.132/29
PIX 2 on the inside: 10.194.124.193/27
PIX 2 on the outside: 217.21.241.110/24
LAN 2: 10.194.124.192/27
The router is the gateway to the outside world, so LAN2 uses PIX2 as its default gateway, PIX2 uses the router (10.194.124.1) as its gateway, and LAN1 uses the router as its gateway. On 'router' there's a static route
10.194.124.192/27 > 10.194.124.26 (PIX1). What I see is that I can get traffic from LAN2 to LAN1 and to the router, but not from LAN2 through the router. The router uses NAT on its external interface. LAN1 works perfectly. Did I overlook something over here?
The configurations:
*** PIX1 ***
names
name 10.194.124.192 LAN2
access-list nonat permit ip any any
access-list nonat permit ip any LAN2 255.255.255.224
access-list outside_cryptomap_20 permit ip any LAN2 255.255.255.224
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any source-quench
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded
ip address outside 217.21.245.132 255.255.255.248
ip address inside 10.194.124.26 255.255.255.224
nat (inside) 0 access-list nonat
access-group allow_ping in interface outside
route outside 0.0.0.0 0.0.0.0 217.21.245.134 1
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 217.21.241.110
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 217.21.241.110 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
*** PIX2 ***
access-list nonat permit ip any any
access-list nonat permit ip 10.194.124.192 255.255.255.224 any
access-list outside_cryptomap_20 permit ip 10.194.124.192 255.255.255.224 any
access-list allow_ping permit icmp any any echo-reply
access-list allow_pint permit icmp any any source-quench
access-list allow_pint permit icmp any any unreachable
access-list allow_pint permit icmp any any time-exceeded
ip address outside 217.21.241.110 255.255.255.0
ip address inside 10.194.124.193 255.255.255.224
nat (inside) 0 access-list nonat
access-group allow_ping in interface outside
route outside 0.0.0.0 0.0.0.0 10.194.124.1 1
route outside 217.21.245.128 255.255.255.248 217.21.241.254 1
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 217.21.245.132
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 217.21.245.132 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Thanks in advance,
Remco
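A small checker, added here as an example and not part of the original post, that parses the crypto-map match ACLs quoted above (with the PIX `names` alias for LAN2) and answers the questions behind this thread for a LAN2-to-Internet flow: does PIX2 select the packet for encryption, does PIX1 select the reply that the router's static route hands to it, and are the two crypto ACLs exact mirrors. The Internet host 203.0.113.5 and LAN2 host 10.194.124.200 are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the crypto-map match ACLs quoted in the post, one command per line
NAMES = {"LAN2": "10.194.124.192"}   # the 'names' entry on PIX1
PIX1_CFG = "access-list outside_cryptomap_20 permit ip any LAN2 255.255.255.224"
PIX2_CFG = "access-list outside_cryptomap_20 permit ip 10.194.124.192 255.255.255.224 any"

def _take_addr(tokens, names):
    """Consume one PIX address spec ('any' or 'X MASK') from tokens and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = tokens.pop(0)                       # PIX ACLs use subnet masks, not wildcards
    return ipaddress.ip_network(f"{names.get(tok, tok)}/{mask}", strict=False)

def parse_acls(config, names=NAMES):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for 'permit/deny ip' entries."""
    acls = defaultdict(list)
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue
        rest = t[4:]                           # source is consumed first, then destination
        acls[t[1]].append((t[2], _take_addr(rest, names), _take_addr(rest, names)))
    return dict(acls)

def flow_action(entries, src, dst):
    """First-match lookup, as the PIX does: 'permit', 'deny' or None (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action
    return None

def is_mirror(local, remote):
    """True when every permit on one peer has the exact reversed permit on the other."""
    fwd = {(s, d) for a, s, d in local if a == "permit"}
    return fwd == {(d, s) for a, s, d in remote if a == "permit"}

def check_vpn_flow(src, dst, acl="outside_cryptomap_20"):
    """LAN2 host -> Internet host: does PIX2 select the packet for encryption, does PIX1
    select the reply (which the router's static route hands to it), and do the ACLs mirror?"""
    p1, p2 = parse_acls(PIX1_CFG)[acl], parse_acls(PIX2_CFG)[acl]
    return {
        "pix2_encrypts": flow_action(p2, src, dst) == "permit",
        "pix1_encrypts_reply": flow_action(p1, dst, src) == "permit",
        "acls_mirror": is_mirror(p1, p2),
    }
```

All three answers come back True for the quoted ACLs, so the crypto-map selection itself is consistent on both peers; the same functions can be run against the nonat ACLs or a revised set of entries to see which flows a change would add or drop.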