site to site and client to site (sorry about the last one)

jcleary
Level 1

I have two PIX 506s that are connected over a point-to-point connection. This works fine.

I want to add a client-to-site VPN to be able to access both sites. I tried to follow the web site, but here is my problem: the client can connect, but I can't ping either side.

Here are my configs

Here is Site A with the site to site and client to site

Here is site B with just the site to site

5 Replies

mostiguy
Level 6

Ping what side?

You want to tweak your access-lists on site A

access-list 110 permit ip 89.0.1.0 255.255.255.0 10.100.100.0 255.255.255.0

This line will not work (it actually does nothing, because 89.0.1.0 is on the outside interface anyhow). VPN clients of site A will not be able to access site B due to the PIX's inability to send packets back out the interface they came in on.

access-list 110 permit ip 89.0.0.0 255.255.255.0 89.0.1.0 255.255.255.0

is necessary to disable NAT for traffic from site A's hosts to its VPN clients.

When you have made these two edits, reissue the

nat (inside) 0 access-list 110

command, and clear xlate (which will break existing connections).

OK, I guess I'll just make another client-to-site so I can connect to site B.

Now i removed

access-list 110 permit ip 89.0.1.0 255.255.255.0 10.100.100.0 255.255.255.0

and added

access-list 110 permit ip 89.0.0.0 255.255.255.0 89.0.1.0 255.255.255.0

reissued the nat 0 and cleared xlate.

Still can't ping anything on site A.

Any ideas?

Does anyone have any more ideas on this one?

I'm really in a jam.

I noted that you only allow echo-reply on the outside interface of site A's firewall. You will need to allow echo as well, as that is the request from site B. The PIX on site B is okay, as it will allow the echo-reply.

If you make the change and are still having issues:

Set the PIX buffer log to error, retry the tests, and then examine whether there are any entries in the PIX log. I use the log as the first thing to look at when troubleshooting. It is a great help to me.

Let me know how it proceeds.

ehirsel
Level 6

I see two issues:

1. The ACL 110 that defines not only interesting traffic but is also used to bypass NAT does not have the destination net of 89.0.1.0/24 in the site A config. This is for site A. If you examine your PIX logs, you should find xlate and/or portmap error messages.

2. Because site B is also connected via the same interface that the remote users connect to, you cannot have remote users connect to the PIX at site A and get a connection to site B. You must force the users to connect to site B via a proxy at site A, or configure site B to allow the users to connect directly to it, similar to site A.
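As an added example (not code from any poster in this thread), here is a small Python check for the nat 0 ACL problem raised by mostiguy and in ehirsel's point 1: it evaluates which flows a PIX NAT-exemption ACL actually covers and flags lines whose source is not an inside network, which match nothing in `nat (inside) 0`. The ACL lines are constructed from the thread; treating 89.0.0.0/24 as site A's inside network is an assumption.

```python
import ipaddress
import re

# Constructed sample ACL lines modelled on the thread (hypothetical, not the
# poster's attached config): the line mostiguy says to remove, and the
# corrected pair. Assumed networks: site A inside 89.0.0.0/24, VPN client
# pool 89.0.1.0/24, site B 10.100.100.0/24.
BEFORE = "access-list 110 permit ip 89.0.1.0 255.255.255.0 10.100.100.0 255.255.255.0"
AFTER = """
access-list 110 permit ip 89.0.0.0 255.255.255.0 10.100.100.0 255.255.255.0
access-list 110 permit ip 89.0.0.0 255.255.255.0 89.0.1.0 255.255.255.0
"""
SITE_A_INSIDE = [ipaddress.ip_network("89.0.0.0/24")]

# Only the `access-list NAME permit|deny ip NET MASK NET MASK` form seen in
# the thread is parsed; PIX masks are subnet masks, not wildcard masks.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+ip\s+"
                    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_acl(text):
    """Return (name, action, src_net, dst_net) tuples in configured order."""
    entries = []
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, action, s, sm, d, dm = m.groups()
        entries.append((name, action,
                        ipaddress.ip_network(f"{s}/{sm}", strict=False),
                        ipaddress.ip_network(f"{d}/{dm}", strict=False)))
    return entries


def nat_exempt(entries, src_ip, dst_ip):
    """First-match evaluation: does a permit line cover src -> dst?"""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _, action, src, dst in entries:
        if src_ip in src and dst_ip in dst:
            return action == "permit"
    return False


def ineffective_for_inside_nat0(entries, inside_nets):
    """Lines whose source is not an inside network never match in
    `nat (inside) 0 access-list`: that ACL only sees traffic arriving on
    the inside interface, so a line sourced from the VPN pool does nothing."""
    return [e for e in entries
            if not any(e[2].subnet_of(net) for net in inside_nets)]
```

Running `nat_exempt(parse_acl(AFTER), "89.0.0.10", "89.0.1.5")` returns True, while the BEFORE line alone neither exempts that flow nor does anything useful on the inside interface.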