05-19-2004 08:39 AM - edited 03-09-2019 07:26 AM
I have 2 PIX 506's that are connected over a point-to-point connection. This works fine.
I want to add a client-to-site VPN to be able to access both sites. I tried to follow the web site, but here is my problem. The client can connect, but I can't ping either side.
Here are my configs
Here is Site A with the site to site and client to site
Here is site B with just the site to site
05-19-2004 09:30 AM
Ping what side?
You want to tweak your access-lists on site A
access-list 110 permit ip 89.0.1.0 255.255.255.0 10.100.100.0 255.255.255.0
This line will not work (it actually does nothing, because 89.0.1.0 is on the outside interface anyhow). VPN clients of site A will not be able to access site B due to the PIX's inability to send out packets on the interface they came in on.
access-list 110 permit ip 89.0.0.0 255.255.255.0 89.0.1.0 255.255.255.0
is necessary to disable NAT for traffic from site A's hosts to its VPN clients.
When you have made these two edits, reissue the
nat (inside) 0 access-list 110
command, and clear xlate (which will break existing connections).
05-19-2004 09:58 AM
Ok, I guess I'll just make another client-to-site so I can connect to site B.
Now I removed
access-list 110 permit ip 89.0.1.0 255.255.255.0 10.100.100.0 255.255.255.0
and added
access-list 110 permit ip 89.0.0.0 255.255.255.0 89.0.1.0 255.255.255.0
reissued the nat 0 and cleared xlate.
Still can't ping anything on site A.
Any ideas?
05-20-2004 04:55 AM
Does anyone have any more ideas on this one?
I'm really in a jam.
05-21-2004 03:49 AM
I noted that you only allow echo-reply on the outside interface of site A's firewall. You will need to allow echo as well, as that is the request from site B. The PIX on site B is okay, as it will allow the echo-reply.
If you make the change and are still having issues:
Set the PIX buffered log to error, re-try the tests, and then examine whether there are any entries in the PIX log. I use the log as the first thing to look at when troubleshooting. It is a great help to me.
Let me know how it proceeds.
05-19-2004 09:32 AM
I see two issues:
1. The ACL 110 that not only defines interesting traffic but is also used to bypass NAT does not have the destination net 89.0.1.0/24 in the site A config. This is for site A. If you examine your PIX logs, you should find xlate and/or portmap error messages.
2. Because site B is also connected via the same interface that the remote users connect to, you cannot have remote users connect to the PIX at site A and get a connection to site B. You must force the users to connect to site B via a proxy at site A, or configure site B to allow the users to connect directly to it, similar to site A.
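The replies above can be pulled together into one site A configuration sketch. This is an added example, not the poster's config (which is not reproduced on this page) and not Cisco documentation. The address ranges are the ones quoted in the thread (site A inside 89.0.0.0/24, VPN client pool 89.0.1.0/24, site B inside 10.100.100.0/24); the ACL name outside_in and the site-to-site entry from 89.0.0.0/24 to 10.100.100.0/24 are assumptions.

```cisco
: Site A PIX 506 - constructed example, not the original poster's configuration.
: Assumed addressing from the thread: inside 89.0.0.0/24, VPN client pool
: 89.0.1.0/24, site B inside 10.100.100.0/24. ACL name outside_in is assumed.

: NAT exemption list. Every flow that leaves site A through the IPsec tunnel
: or towards a VPN client must be listed here so it is not translated;
: a missing entry shows up in the log as an xlate / portmap error.
: Site A hosts -> site B (site-to-site tunnel; entry assumed to already exist)
access-list 110 permit ip 89.0.0.0 255.255.255.0 10.100.100.0 255.255.255.0
: Site A hosts -> VPN clients (the entry the first reply says is missing)
access-list 110 permit ip 89.0.0.0 255.255.255.0 89.0.1.0 255.255.255.0
: Deliberately absent: 89.0.1.0/24 -> 10.100.100.0/24. Client traffic arrives
: on the outside interface and would have to leave on the same interface,
: which the PIX cannot do, so the line has no effect.
nat (inside) 0 access-list 110

: Outside ACL: the echo request from site B must be permitted, not only the
: echo-reply, otherwise pings from site B are dropped at site A.
access-list outside_in permit icmp any any echo
access-list outside_in permit icmp any any echo-reply
access-group outside_in in interface outside

: Buffered logging at level errors, so failed translations are visible with
: "show logging" while the ping tests are repeated.
logging on
logging buffered errors

: After re-entering the nat 0 line, run "clear xlate" from enable mode;
: existing translations (and the connections using them) are torn down.
```

Lines beginning with a colon are comments and are ignored by the PIX, so the block can be pasted as-is; the `clear xlate` step is an exec command and is only described in the comment.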