08-28-2006 04:16 PM - edited 02-21-2020 02:35 PM
I have seen some other posts related to this topic but I've got a strange problem. I have a PC located at site 1 behind a 2801. This 2801 has L2L tunnels to two other sites, site 2 and site 3 using the 2801's outside IP address as the terminating IP. Sites 2 and 3 both have PIX 501s. PCs behind the 2801 are PAT'd to the 2801's outside IP address. From a PC behind the 2801, I can VPN to the PIX at site 2 but cannot VPN to the PIX at site 3. It gets hung at "securing communications channel". If I statically NAT my PC to another Internet IP address on the 2801, I can VPN to site 3 with no problem but as soon as I remove the static NAT and it starts PAT'ing to the 2801's outside IP address again, I can no longer VPN to site 3 but can still VPN to site 2. The VPN portions of the PIX configs are attached. It does not seem to me like it could be a problem with the 2801 because its ACL and NAT entries do not distinguish between the two remote sites. Any ideas what might be going on here and how to fix it? Thanks!
09-01-2006 11:24 AM
Check the configurations in the following URL to enable split tunneling
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a00806370f9.html
09-08-2006 08:36 AM
It seems that the problem is a difference between 6.3(4) and 6.3(5). The PIX at Site2 (the one I could connect to) is running 6.3(4) while the PIX at Site3 has 6.3(5). In 6.3(5), the PIX tries to apply the static crypto map instance configuration (i.e. encryption and PFS settings) to the dynamic connection. As soon as I changed my static crypto map entry at Site3 to use 3DES and removed PFS, the client tunnel came right up.
Before saving the config, I downgraded to 6.3(4) and the client tunnel came up with no config changes. I still had DES and PFS configured in the static crypto map entry. I re-upgraded to 6.3(5) and again, the client would not connect until I removed PFS and changed the transform set to use 3DES.
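As an added illustration (not the poster's attached configs, which are not reproduced on this page), here is a constructed PIX 6.3 crypto configuration showing the static crypto map entry the thread describes for Site3 (a DES transform set plus PFS) next to the adjusted entry (3DES, no PFS) that the client tunnel came up with on 6.3(5), alongside the dynamic map that the software clients match. Map names, sequence numbers, the ACL name, the pre-shared key placeholder and the 203.0.113.x peer address are assumptions; the `!` lines are annotations, not PIX commands.

```cisco
! --- Constructed example, not the original poster's configuration ---
! ISAKMP (phase 1) settings shared by the L2L peer and the software clients
isakmp enable outside
isakmp key REPLACE_WITH_PSK address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Transform sets: the weaker DES set used by the old static entry and the 3DES set
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Dynamic map for the VPN clients (peer address unknown in advance)
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA

! --- Static L2L entry as described BEFORE the fix (DES transform set, PFS on) ---
! On 6.3(5) the thread reports these settings were also applied to the
! dynamic (client) connection, leaving the client stuck at
! "securing communications channel".
! crypto map VPNMAP 10 ipsec-isakmp
! crypto map VPNMAP 10 match address l2l_site1
! crypto map VPNMAP 10 set peer 203.0.113.1
! crypto map VPNMAP 10 set transform-set ESP-DES-MD5
! crypto map VPNMAP 10 set pfs group2

! --- Static L2L entry AFTER the fix (3DES transform set, no PFS) ---
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address l2l_site1
crypto map VPNMAP 10 set peer 203.0.113.1
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA

! Dynamic (client) entry must carry a higher sequence number than the static ones
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside
```

When changing an existing entry, remove the old `set pfs` line explicitly with `no crypto map VPNMAP 10 set pfs`, since replacing the transform set alone leaves PFS configured.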