site to site vpn using cisco pix 501's

I'm having the worst time trying to get a site to site VPN set up between two pix 501's any pointers would be super helpful here, I've tried so many things and this is my last resort. The tunnel comes up but I cannot access any devices on the remote lans.

here is a config from one of the pix's, unsanitized for utmost clarity.

PIX Version 6.3(3) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname breda domain-name fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names name remote_site_lan access-list inside_outbound_nat0_acl permit ip remote_site_lan access-list outside_cryptomap_20 permit ip remote_site_lan pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside ip address inside ip audit info action alarm ip audit attack action alarm pdm location remote_site_lan outside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 0 0 route outside 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local http server enable http inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto map outside_map 20 ipsec-isakmp crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer crypto map outside_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map interface outside isakmp enable outside isakmp key ******** address netmask no-xauth no-config-mode isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address inside dhcpd dns dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside dhcpd enable inside terminal width 80 Cryptochecksum:25109c8532d510c399cab38bfa73424c : end
Reply to
Loading thread data ...

Are the configs the same?

do you have "sysopt connection permit-ipsec" allowed on both sides? do you have the same "nat (inside) 0 access-list inside_outbound_nat0_acl" on both sides and, namely with the source and destination in the ACL inverted?

Maybe the traffic is NATted while it must not be.

To run the test do not use the inside interface of the PIXes but two real PCs on the LANs.


Reply to

To run the test do not use the inside interface of the PIXes but two real PCs on the LANs.

thats the ticket right there, I was trying to test it using the console port. Using real PC's it works.

AM wrote:

both sides and

on the LANs.

Reply to
gsiebrecht Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.