
Ping Static device behind Pix

pgagnon
Level 1

I have a site to site VPN set up. On the remote end is a Pix 501 3DES 10 user.

Inside address is 10.25.99.1 and it is running DHCP for 10.25.99.10 through 10.25.99.19.

I only have 3 users behind that device. I have a network-attached printer that is at 10.25.99.20 and it is not reachable from anywhere except the local LAN that has the Pix on it. This limitation should be easy to overcome but I haven't found the solution yet. Any ideas?

2 Replies

I’m not a PIX expert but here is my suggestion. Be sure you aren’t trying to run NAT through your IPSec tunnel and that you are able to send data back and forth between the subnets. You should be able to accomplish this by adding a couple of NAT statements and a simple access-list to route between the networks. See example:

Location #1

nat (inside) 0 access-list 100

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

access-list 100 permit ip 192.168.1.0 255.255.255.0 10.25.99.0 255.255.255.0

Location #2

nat (inside) 0 access-list 100

nat (inside) 1 10.25.99.0 255.255.255.0 0 0

access-list 100 permit ip 10.25.99.0 255.255.255.0 192.168.1.0 255.255.255.0
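
Added example, not part of the thread and not Cisco tooling: a Python check that parses the NAT-exemption ACL line from each end, verifies the two are mirror images, and tests whether the static printer at 10.25.99.20 is matched the same way as a DHCP client. The ACL lines are constructed from the thread's addressing, and the remote host 192.168.1.50 is a made-up address.

```python
import ipaddress

# Constructed sample: the nat 0 (NAT exemption) ACL from each end, using the
# thread's addressing. 192.168.1.0/24 is the reply's placeholder subnet.
SITE1 = "access-list 100 permit ip 192.168.1.0 255.255.255.0 10.25.99.0 255.255.255.0"
SITE2 = "access-list 100 permit ip 10.25.99.0 255.255.255.0 192.168.1.0 255.255.255.0"

def parse_acl(line):
    """Return (source, destination) networks from a PIX 'permit ip' ACL line."""
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2:4] != ["permit", "ip"] or len(tok) != 8:
        raise ValueError("unsupported ACL form: " + line)
    # strict=True rejects an address with host bits set under its mask,
    # e.g. 192.168.1.0 paired with 255.255.0.0.
    src = ipaddress.ip_network(f"{tok[4]}/{tok[5]}", strict=True)
    dst = ipaddress.ip_network(f"{tok[6]}/{tok[7]}", strict=True)
    return src, dst

def is_mirror(line_a, line_b):
    """True when site B's ACL is site A's with source and destination swapped."""
    a_src, a_dst = parse_acl(line_a)
    b_src, b_dst = parse_acl(line_b)
    return a_src == b_dst and a_dst == b_src

def exempt(line, src_ip, dst_ip):
    """True when traffic src_ip -> dst_ip matches the ACL and so skips NAT."""
    src, dst = parse_acl(line)
    return ipaddress.ip_address(src_ip) in src and ipaddress.ip_address(dst_ip) in dst

def report(remote_host="192.168.1.50"):  # remote_host is a made-up address
    """Per host: (request exempt at site 1, reply exempt at site 2)."""
    rows = {}
    for label, ip in (("dhcp-client", "10.25.99.10"), ("printer", "10.25.99.20")):
        rows[label] = (exempt(SITE1, remote_host, ip), exempt(SITE2, ip, remote_host))
    return rows

if __name__ == "__main__":
    print("mirrored:", is_mirror(SITE1, SITE2))
    for label, (to_host, reply) in report().items():
        print(f"{label}: request exempt={to_host} reply exempt={reply}")
```

Identical results for the DHCP client and the printer mean the exemption ACL itself does not distinguish between the two hosts.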

That is exactly how I am set up. The only pingable addresses behind the Pix 501 are the PCs that lease an address from the Pix over DHCP. PCs on that subnet can ping everything inside the subnet, static or otherwise.
