
cannot access the remote PIX501 attached station from inside network

cjrchoi11
Level 1

I configured a VPN tunnel between PIX520 and PIX501, but the problem is that PC2 cannot ping PC3 even though PC1 is able to ping PC3. PIX520 has several other sites which are LAN-to-LAN, and PC2 is able to ping them but cannot ping PC3 through PIX501. The difference is LAN-to-LAN and dynamic for PIX501. Please review the configuration and give me some ideas.

1. Network connectivity

<PC1>-(eth)--------------<Rtr1>-(eth)-<PIX520>-(Internet)-<PIX501>-(eth)-<PC3>
                        |
<PC2>-(eth)-<Rtr2>-(FR)-+

PC1=10.1.99.100

PC2=172.25.26.100

PC3=10.1.38.11

eth=Ethernet

FR=Frame-relay

Rtr1 and Rtr2 have a routing path for PC1 and PC3.

2. tracert at PC2 (from PC2 to PC3)

C:\>tracert 10.1.38.11

Tracing route to 10.1.38.11 over a maximum of 30 hops

1 <10 ms <10 ms <10 ms Rtr2 [172.25.26.1]

2 46 ms 47 ms 32 ms Rtr1 [10.254.253.133]

3 * * * Request timed out.

4 * * ^C

3. "debug icmp trace" at PIX520, pinging from PC2 to PC3.

2069: Outbound ICMP echo request (len 64 id 2 seq 59953) 172.25.26.100 > 172.25.26.100 > 10.1.38.11

2070: Outbound ICMP echo request (len 64 id 2 seq 61745) 172.25.26.100 > 172.25.26.100 > 10.1.38.11

.....

4. PIX520 configuration.

access-list 100 permit ip 10.1.0.0 255.255.0.0 10.1.38.0 255.255.255.0

access-list 100 permit ip 172.25.26.0 255.255.255.0 10.1.38.0 255.255.255.0

!

ip address outside x.x.x.1 255.255.255.224

ip address inside 10.1.202.2 255.255.255.0

!

global (outside) 1 x.x.x.2

nat (inside) 0 access-list 100

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!

route outside 10.1.38.0 255.255.255.0 x.x.x.3 1

route inside 172.25.26.0 255.255.255.0 10.1.202.1 1

!

crypto ipsec transform-set strong-des esp-des esp-sha-hmac

crypto dynamic-map cisco 4 set transform-set strong-des

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

......

5. PIX501 configuration

access-list 101 permit ip 10.1.38.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list 101 permit ip 10.1.38.0 255.255.255.0 172.25.26.0 255.255.255.0

!

ip address outside dhcp setroute

ip address inside 10.1.38.1 255.255.255.0

!

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!

crypto ipsec transform-set strong-des esp-des esp-sha-hmac

crypto map partner-map 10 ipsec-isakmp

crypto map partner-map 10 match address 101

crypto map partner-map 10 set peer x.x.x.1

crypto map partner-map 10 set transform-set strong-des

crypto map partner-map interface outside

isakmp enable outside

isakmp key ******** address x.x.x.1 netmask 255.255.255.255

.....
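
An added example (not part of the original post, and not Cisco tooling): a Python check that the access-list lines posted in sections 4 and 5 cover the PC1 and PC2 flows to PC3 in both directions and are mirror images of each other. On the PIX501, list 101 is both the NAT exemption and the crypto map match address; on the PIX520, list 100 is the NAT exemption. The function names are illustrative, and the check looks only at the posted ACL lines, not at the elided crypto map or the state of the security associations.

```python
import ipaddress
import re

# Constructed input: the access-list lines as posted in sections 4 and 5.
PIX520 = """\
access-list 100 permit ip 10.1.0.0 255.255.0.0 10.1.38.0 255.255.255.0
access-list 100 permit ip 172.25.26.0 255.255.255.0 10.1.38.0 255.255.255.0
"""
PIX501 = """\
access-list 101 permit ip 10.1.38.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 101 permit ip 10.1.38.0 255.255.255.0 172.25.26.0 255.255.255.0
"""
ACE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_acl(config, acl_id):
    """Return [(src_net, dst_net)] for 'permit ip <net> <mask> <net> <mask>' lines."""
    pairs = []
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == acl_id:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
            pairs.append((src, dst))
    return pairs

def covers(pairs, src_ip, dst_ip):
    """True if some entry permits src_ip -> dst_ip."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in pairs)

def mirror_gaps(local, remote):
    """Local entries with no reversed (dst, src) counterpart on the remote side."""
    reversed_remote = {(dst, src) for src, dst in remote}
    return [p for p in local if p not in reversed_remote]

def audit(src_ip, dst_ip):
    """Check one flow against both firewalls' posted ACLs (hypothetical helper)."""
    hq, branch = parse_acl(PIX520, "100"), parse_acl(PIX501, "101")
    return {
        "pix520_forward": covers(hq, src_ip, dst_ip),      # headquarters -> PC3
        "pix501_return": covers(branch, dst_ip, src_ip),   # PC3 -> headquarters
        "unmirrored": mirror_gaps(hq, branch) + mirror_gaps(branch, hq),
    }

if __name__ == "__main__":
    for name, ip in (("PC1", "10.1.99.100"), ("PC2", "172.25.26.100")):
        print(name, audit(ip, "10.1.38.11"))
```

For the posted lines, both the PC1 and PC2 flows are covered in each direction and no entry is left unmirrored.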

1 Reply

bbaley
Level 3

Call the TAC on this; it's beyond the scope of the forum.