09-17-2003 04:37 AM - edited 02-20-2020 10:59 PM
Hi
I have the following scenario.
int. n/w---PIX(static)===tunnel===PIX(dynamic)---int n/w
PIX Static internal network - 192.168.1.0/24
PIX Dynamic internal network - 192.168.2.0/24
I ping from 192.168.2.2 to 192.168.1.2. I get the replies and my VPN tunnel is up. I move to the 192.168.1.2 machine and try to ping the 192.168.2.0 network. I see that I can only ping 192.168.2.2, from where I initiated the tunnel, and cannot ping any other machines on the 192.168.2.0 network. I cannot figure out what the problem is. My nat (0) access list is permitting the complete networks and so is my crypto access-list.
Any suggestions would be helpful.
Thanks
Vinod
09-17-2003 03:31 PM
Check that you have the following command in both PIX's:
sysopt connection permit-ipsec
This will tell the PIX to bypass all standard ACL checking of encrypted packets and just let them through. Sounds like the PIX is still following its standard access rules and only allowing traffic through if it's seen outgoing traffic first.
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/s.htm#1026942 for details.
Having said all that, keep in mind that this tunnel will only ever be able to be initiated from the dynamic PIX.
09-19-2003 10:33 AM
It may sound strange, but make sure your NAT and crypto lists are not using the same access-list number. From what you're describing, I was having the same problem. Check out the following link. It corrected my problem.
http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml
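As an added example, not from the posters or from Cisco documentation, a PIX 6.x configuration for both firewalls illustrating the two replies above: nat 0 and the crypto match use separately named access lists, and sysopt connection permit-ipsec is set on both sides. The peer address, pre-shared key, and transform set are assumed placeholders; lines beginning with ! are annotations.

```cisco
! Static-side PIX (inside 192.168.1.0/24): accepts IKE from any address via a dynamic map.
! Placeholders: EXAMPLE_PSK, STATIC_PEER_IP. Lines starting with ! are annotations.

! Separate lists for NAT exemption and for the crypto match, even though the
! entries are identical today, so editing one cannot silently alter the other.
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN-TRAFFIC permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Decrypted IPsec traffic bypasses the outside ACL/conduit check, so inbound
! 192.168.2.x -> 192.168.1.x flows need no prior outbound connection.
sysopt connection permit-ipsec

isakmp enable outside
! Wildcard key: the dynamic peer's address is unknown in advance.
isakmp key EXAMPLE_PSK address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 match address VPN-TRAFFIC
crypto dynamic-map DYNMAP 10 set transform-set STRONG
crypto map OUTSIDE-MAP 10 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE-MAP interface outside

! Dynamic-side PIX (inside 192.168.2.0/24): the only side able to initiate,
! since it alone knows the peer address. Mirror the ACLs and keep sysopt.
access-list NONAT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-TRAFFIC permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
isakmp enable outside
isakmp key EXAMPLE_PSK address STATIC_PEER_IP netmask 255.255.255.255
! isakmp policy 10 ... identical to the static side
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map OUTSIDE-MAP 10 ipsec-isakmp
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer STATIC_PEER_IP
crypto map OUTSIDE-MAP 10 set transform-set STRONG
crypto map OUTSIDE-MAP interface outside
```

Once the tunnel is up from the dynamic side, show crypto ipsec sa on either PIX should list the full 192.168.1.0/24 and 192.168.2.0/24 networks as the local and remote identities, not a single host pair.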