Re: [fw-wiz] Problem with PIX-to-PIX VPN and more networks

Hello Petr.

I was checking your config, but you only specified it from one end-point. As you know, you should have another access-list in the other PIX (PIX501) like this:
access-list XX permit ip
access-list XX permit ip

It would be helpful if you could attach the PIX 501 config (VPN related).


Petr Vyhnal wrote:

Hi all,

I have a strange problem. I have two PIXes (501 and 506E) with a VPN tunnel. The LAN structure is like this:

LAN1 ( - PIX506 (inside - Inet (VPN) - PIX501 (inside - LAN2 ( - Linux router (nonat, on PIX's side iface and on LAN3 side iface) - LAN3 (

The crypto tunnel is working, but only for one network at the moment. So if ping works from to, I can't ping from to, and vice versa. But on both rules in ACL 101 I can see growing hit counts when I ping both networks at the same time, even though only pings to one network at the moment are going into the crypto tunnel, and pings to the second network are going directly to the Internet, where they are rejected by the gateway as unreachable. Does anybody have any idea how to fix it?

PIX506 config (VPN part):

access-list 101 permit ip
access-list 101 permit ip
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set MYVPN esp-3des esp-md5-hmac
crypto map MYMAP 1 ipsec-isakmp
crypto map MYMAP 1 match address 101
crypto map MYMAP 1 set peer
crypto map MYMAP 1 set transform-set MYVPN
crypto map MYMAP interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000

Thanx Rudiik
firewall-wizards mailing list
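An added example, not part of this thread or of either poster's config: a small Python checker for the point Rudiik raises, namely that every `permit ip` entry in the crypto ACL on one PIX needs its reversed (dst, src) counterpart in the peer's crypto ACL, or traffic for that subnet pair will not be matched into the tunnel. The subnets below are constructed placeholders from the RFC 5737 documentation ranges, standing in for the addresses stripped out of the thread; the PIX506 side lists both remote LANs while the PIX501 side only mirrors one of them, so the checker reports the missing entry and prints the line that would complete the peer's ACL.

```python
import ipaddress

# Constructed sample ACLs (documentation ranges, not the thread's real addresses).
# LAN1 = 192.0.2.0/24 behind PIX506; LAN2 = 198.51.100.0/24 and LAN3 = 203.0.113.0/24
# behind PIX501. The PIX501 ACL is deliberately missing the LAN3 -> LAN1 entry.
PIX506_ACL = """
access-list 101 permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list 101 permit ip 192.0.2.0 255.255.255.0 203.0.113.0 255.255.255.0
"""

PIX501_ACL = """
access-list 101 permit ip 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0
"""


def _take_net(tokens, i):
    """Consume one PIX address spec (any | host A.B.C.D | A.B.C.D MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs use a real netmask here (not a wildcard), which ipaddress accepts directly.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(text, name=None):
    """Return the set of (src_net, dst_net) pairs from 'access-list <name> permit ip' lines."""
    pairs = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        if name is not None and tokens[1] != name:
            continue
        if tokens[2] != "permit" or tokens[3] != "ip":
            continue  # only plain permit-ip entries define interesting traffic here
        src, i = _take_net(tokens, 4)
        dst, _ = _take_net(tokens, i)
        pairs.add((src, dst))
    return pairs


def unmirrored(local_acl, remote_acl, name=None):
    """Local (src, dst) pairs whose reversed (dst, src) pair is absent from the peer ACL."""
    local = parse_crypto_acl(local_acl, name)
    remote = parse_crypto_acl(remote_acl, name)
    return sorted((str(s), str(d)) for s, d in local if (d, s) not in remote)


def mirror_lines(acl_name, missing):
    """Render the peer-side ACL lines that would mirror each missing (src, dst) pair."""
    lines = []
    for src, dst in missing:
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        # Reverse the direction: the peer permits its own LAN (our dst) toward our src.
        lines.append(
            f"access-list {acl_name} permit ip "
            f"{d.network_address} {d.netmask} {s.network_address} {s.netmask}"
        )
    return lines


if __name__ == "__main__":
    missing = unmirrored(PIX506_ACL, PIX501_ACL, "101")
    if not missing:
        print("crypto ACLs are symmetric")
    for src, dst in missing:
        print(f"PIX506 entry {src} -> {dst} has no mirror on PIX501")
    for line in mirror_lines("101", missing):
        print("suggested PIX501 line:", line)
```

Run it against the two real configs once both are in hand; the same `nat (inside) 0 access-list` exemption on each side should reference an ACL that passes this check, since the crypto ACL and the NAT-exemption ACL are the same list in Petr's config.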