Pix VPN, won't even try to connect...?

I have a client that bought 2 pix 501 units specifically for the vpn connect to another office. They have a split gateway, 2 different ip addresses. The Ciscos are meant for secure incoming only.

Now I've set up dozens of these cisco tunnels but these have me tearing my hair out. Normally a 10 minute job to set up the tunnel, but no connection. Been at this for hours and hours now.

Neither of the pix units even tries to make an ipsec connection, nothing in the logs, but yet the vpn client software connects to either/or at any time... I've even tried to cross connect to other Ciscos that I've set up.

What the hell am I doing wrong? Is there something I need to turn on here?

Rob

As a point of order: your email address is not one calculated to encourage strangers to volunteer their time and expertise.

The first sentence appears to contradict the third. Are they meant to connect to another office (i.e., LAN to LAN), or are they meant only to terminate software clients as implied by "incoming only"?

You cannot have two "incoming only" devices connecting to each other: one of the two has to initiate the connection, and that initiation is "outgoing", which would appear to violate the constraint statements.

But there is no need for the PIX to try to make IPSec connections if they are "incoming only".

So in other words, incoming only has been successfully achieved: incoming works and outgoing doesn't.

Please be clearer as to what you are trying to achieve; some details of how you have the tunnels set up would be useful too.

Walter Roberson

Maybe I should have been a little clearer... The pix will only be used for secure connections.

The client software works like a charm for incoming connections.

The other connection I need is an ipsec tunnel between offices. There is a cisco on either side. Both pix 501 units, both are 10 licence.

After setting up the tunnel the way I normally do, they do not try to connect to each other. I'm running syslogging to the server, I can see the incoming client connections via ipsec but there is nothing in relation to the site to site ipsec.

Better?

Rob

Okay, that's clearer.

I need the following portions of the configuration to better know what is happening:

- a representation of the IP address ranges for all interfaces (you can obscure them, but there has to be enough info left that there is no question as to whether a given IP belongs to a given interface)

- all the crypto statements, except that the peer IP can be obscured

- all isakmp statements, except passwords and IPs can be obscured

- the entire contents of any ACL mentioned in a crypto match address statement

- all "sysopt connection" statements

- the entire contents of any ACL mentioned in a nat 0 access-list statement

- all static and nat and global statements

- all ip route statements

- all rip statements (if any)

- your "logging trap" statement

I have a speculation about what is happening, but I need most of the above information to be sure.

Walter Roberson
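Walter's checklist above boils down to a handful of PIX 6.x statements that must all be present and must agree with each other; in particular, a LAN-to-LAN tunnel is only ever initiated by inside traffic that matches the crypto ACL after NAT, so a missing or mismatched nat 0 exemption produces exactly the "never tries, nothing in the logs" symptom. The script below is an added example, not part of the thread or of any Cisco tool: it runs those checks over a constructed PIX config fragment (documentation addresses and a placeholder peer; ACL names and the `check_l2l` function are assumptions).

```python
import re

# Constructed sample PIX 6.x LAN-to-LAN fragment (not from the thread).
# Addresses are documentation ranges; the pre-shared key is a placeholder.
SAMPLE_CONFIG = """\
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map l2l 10 ipsec-isakmp
crypto map l2l 10 match address vpn
crypto map l2l 10 set peer 203.0.113.2
crypto map l2l 10 set transform-set strong
crypto map l2l interface outside
isakmp enable outside
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255
"""

def acl_pairs(config, name):
    """Return the (source, destination) network/mask pairs of 'permit ip' lines in an ACL."""
    pat = re.compile(rf"^access-list {re.escape(name)} permit ip (\S+ \S+) (\S+ \S+)", re.M)
    return {(m.group(1), m.group(2)) for m in pat.finditer(config)}

def check_l2l(config):
    """Evaluate the LAN-to-LAN checklist; returns {description: passed}."""
    crypto_acl = re.search(r"^crypto map (\S+) \d+ match address (\S+)", config, re.M)
    nat0_acl = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    findings = {}
    findings["crypto map bound to outside"] = bool(
        re.search(r"^crypto map \S+ interface outside", config, re.M))
    findings["isakmp enabled on outside"] = "isakmp enable outside" in config
    findings["sysopt connection permit-ipsec"] = "sysopt connection permit-ipsec" in config
    findings["crypto ACL defined"] = bool(crypto_acl and acl_pairs(config, crypto_acl.group(2)))
    findings["nat 0 ACL defined"] = bool(nat0_acl and acl_pairs(config, nat0_acl.group(1)))
    # Traffic destined for the tunnel must be exempt from NAT: the crypto ACL is
    # matched after translation, so PAT'd packets never trigger the tunnel.
    findings["nat 0 ACL covers crypto ACL"] = bool(
        crypto_acl and nat0_acl
        and acl_pairs(config, crypto_acl.group(2)) <= acl_pairs(config, nat0_acl.group(1)))
    return findings

if __name__ == "__main__":
    for item, ok in check_l2l(SAMPLE_CONFIG).items():
        print(("OK   " if ok else "FAIL ") + item)
```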

In addition to Walter's request, some kind of network diagram will be useful, which should be detailed enough to tell what kind of devices are there in the network.

-Vikas

sampark
