Re: Pix 501 to Pix 501 VPN Issue
- From: roberson@xxxxxxxxxxxxxxxxxx (Walter Roberson)
- Date: Thu, 29 Dec 2005 18:07:59 +0000 (UTC)
In article <1135793185.124920.42400@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
<jamesdeva@xxxxxxxxx> wrote:
:I have a strange question. We are trying to use 2 Pix 501's to secure
:traffic between 2 wireless access points.
:I can get the tunnel to come up with no problem, but no traffic will
:pass between the 2 inside interfaces.
:PIX Version 6.3(5)
:access-list 80 permit ip 10.16.0.0 255.255.0.0 10.16.2.0 255.255.255.0
:ip address outside 10.16.1.2 255.255.255.0
:ip address inside 10.16.0.221 255.255.0.0
Your inside network is 10.16/16 and your outside network is
10.16.1/24 which is a subnet of your inside network. You should
not expect that to work.
:nat (inside) 0 access-list 80
Your inside network is 10.16/16 and your nat 0 access-list implies
that you will be attempting to communicate with 10.16.2/24 . You
should not expect that to work.
:sysopt connection permit-ipsec
Okay, that explains why you don't have any outside access lists.
:crypto map toRemotePix 10 match address 80
:crypto map toRemotePix 10 set peer 10.16.1.1
There are not many situations on the PIX in which you can
safely reuse an access list. You should copy the contents of
the access list under a different name and use that as ACL
for "match address" purposes. PIX 6.x software may internally
modify ACLs for its own purposes. Some of the instances of
that are documented, but others are not.
Small note: on the PIX, you do not need to use numbers as the
ACL labels, you can use names such as "tunnel_acl" instead.
--
Prototypes are supertypes of their clones. -- maplesoft
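The three problems Walter points out (outside subnet nested inside the inside subnet, a nat 0 ACL whose destination also sits inside the inside subnet, and one ACL shared between nat 0 and the crypto map) can all be caught mechanically before the tunnel is ever brought up. The checker below is an added example and is not code from the post or from Cisco; it is a small Python script that parses only the PIX 6.3 config lines quoted above (the sample input is taken from the post, not constructed) and reports each overlap or reuse. The regexes cover just those four command forms and are an assumption of this example, not a general PIX config parser.

```python
import ipaddress
import re

# PIX 6.3(5) config lines exactly as quoted in the post above.
PIX_CONFIG = """\
access-list 80 permit ip 10.16.0.0 255.255.0.0 10.16.2.0 255.255.255.0
ip address outside 10.16.1.2 255.255.255.0
ip address inside 10.16.0.221 255.255.0.0
nat (inside) 0 access-list 80
crypto map toRemotePix 10 match address 80
crypto map toRemotePix 10 set peer 10.16.1.1
"""

# Only the command forms that appear in the post are recognised (assumption of this example).
IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def _net(addr, mask):
    # strict=False so a host address plus mask (10.16.0.221/255.255.0.0) yields the subnet 10.16.0.0/16.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return (interfaces, acls, nat0, crypto_acls) from the recognised config lines."""
    interfaces = {}   # interface name -> connected IPv4Network
    acls = {}         # ACL name -> list of (src_net, dst_net)
    nat0 = {}         # interface name -> ACL name used for nat 0
    crypto_acls = []  # ACL names used by "crypto map ... match address"
    for line in text.splitlines():
        line = line.strip()
        if m := IP_ADDR_RE.match(line):
            name, addr, mask = m.groups()
            interfaces[name] = _net(addr, mask)
        elif m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((_net(s, sm), _net(d, dm)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := CRYPTO_MATCH_RE.match(line):
            crypto_acls.append(m.group(3))
    return interfaces, acls, nat0, crypto_acls


def find_problems(text):
    """Return a list of human-readable findings; empty means none of the three checks fired."""
    interfaces, acls, nat0, crypto_acls = parse_config(text)
    problems = []

    # 1. No two interface subnets may overlap; the PIX cannot route between nested networks.
    names = sorted(interfaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if interfaces[a].overlaps(interfaces[b]):
                problems.append(
                    f"interface subnets overlap: {a} {interfaces[a]} and {b} {interfaces[b]}")

    # 2. A nat 0 (no-NAT) ACL destination that lies inside the interface's own subnet
    #    describes a remote network the PIX already believes is directly connected.
    for ifname, aclname in nat0.items():
        local = interfaces.get(ifname)
        for _src, dst in acls.get(aclname, []):
            if local is not None and dst.overlaps(local):
                problems.append(
                    f"nat ({ifname}) 0 ACL {aclname} destination {dst} overlaps the {ifname} subnet {local}")

    # 3. The same ACL should not serve both nat 0 and a crypto map "match address"
    #    (PIX 6.x may rewrite ACLs it uses internally).
    for aclname in crypto_acls:
        if aclname in nat0.values():
            problems.append(
                f"ACL {aclname} is reused for both nat 0 and crypto map match address")
    return problems


if __name__ == "__main__":
    for finding in find_problems(PIX_CONFIG):
        print("PROBLEM:", finding)
```

Run against the quoted config it reports all three findings; after re-addressing the outside interface and the remote network out of 10.16/16 and copying ACL 80 to a separately named ACL for the crypto map, the same script should return an empty list.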