Pix 501 to Pix 520 VPN test

NickWalker75
Level 1

I'm currently trying to test my VPN config that I will be implementing at a new office. Now don't laugh, but I want to test the PIX 501 from home. But I don't have a static IP, so what I've done in the past is just dial in from home and switch the set peer IP and the ISAKMP key from home once I know what my IP is to test my tunnel. Or I'll just come back to work once I know the IP and test it then. This time though, my test is not working. I'm getting no tunnels at all... the config is different from configs of the past (this time it's all traffic from the 10.42.x.x to the 10.254.x.x subnet, as opposed to interesting traffic from one particular machine).

My access-lists are not even incrementing... am I missing something? Is this because of PPPoE? I've tested this way before without too many problems... just never this type of config...

Is there a better way to test before I send out the pix 501?

Thanks

5 Replies

mostiguy
Level 6

When you do traceroutes from your home LAN, do you normally see hops in the 10.5.67 space?

This line concerns me - I wonder if your ISP at home is using 10.x.x.x, and if that is breaking things.

outside 0.0.0.0 0.0.0.0 10.5.67.1 1 PPPOE static <----- I have no idea what the 10.5.67.1 is coming from...???

I can ping 10.5.67.1 from the PIX 501 at home. I'm at work, so I can't capture the traceroute from a wks. My ISP is Verizon. I know I didn't always have that added routing statement... I'm guessing perhaps Verizon changed their network setup... time to get the sniffer up to check out what's going on... haven't done that in a while at home...

But I agree with you... 10.5.x.x must be doing something to break things up on me.

First hop from home is indeed 10.5.67.1.

I wonder what Verizon is up to.

A lot of ISPs use RFC 1918 space to assign their cable modems/etc. to manage 'em. They often break traceroutes, and other stuff that 99% of their users will not notice. Grrrrr.


Funny thing is that I can get a VPN up between the 2 outside interfaces and pass ICMP packets. I just can't get the tunnels from either inside LAN to pass to each other.

I added

access-list IRELAND permit ip host 138.89.27.219 host 12.20.60.x

on both sides just to test the VPN between the 2 interfaces. It works... but still nothing from the inside networks... Even if I couldn't reach the other side, you would think that the access-list counter would at least increment.

I'll keep on testing.
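
The overlap the replies suspect can be checked offline. The following is an added example, not part of the thread: it parses the route line quoted above plus crypto ACL lines and reports whether the ISP next hop is RFC 1918 space and whether it falls inside a network the tunnel protects. The two ACL lines with masks are constructed, since the thread never shows the real masks for 10.42.x.x and 10.254.x.x.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Route line as quoted in the thread.
ROUTE = "outside 0.0.0.0 0.0.0.0 10.5.67.1 1 PPPOE static"
# Constructed ACL lines: the /16 and /8 masks are assumptions.
ACL_NARROW = "access-list IRELAND permit ip 10.42.0.0 255.255.0.0 10.254.0.0 255.255.0.0"
ACL_BROAD = "access-list IRELAND permit ip 10.42.0.0 255.255.0.0 10.0.0.0 255.0.0.0"

def parse_route(line):
    """<interface> <dest> <mask> <gateway> ... -> (interface, network, gateway)."""
    f = line.split()
    return f[0], ipaddress.ip_network(f"{f[1]}/{f[2]}"), ipaddress.ip_address(f[3])

def parse_acl(line):
    """'access-list NAME permit ip SRC DST' -> (src_net, dst_net).
    Each side is 'host A', 'any' or 'A MASK'."""
    tok, nets = line.split()[4:], []
    while tok:
        if tok[0] == "host":
            nets.append(ipaddress.ip_network(tok[1] + "/32"))
            tok = tok[2:]
        elif tok[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            tok = tok[1:]
        else:
            nets.append(ipaddress.ip_network(f"{tok[0]}/{tok[1]}"))
            tok = tok[2:]
    return nets[0], nets[1]

def check(route_line, acl_lines):
    """Return findings about the next hop versus the protected networks."""
    _, _, gw = parse_route(route_line)
    findings = []
    if any(gw in net for net in RFC1918):
        findings.append(f"next hop {gw} is RFC 1918 space")
    for line in acl_lines:
        for net in parse_acl(line):
            if gw in net:
                findings.append(f"next hop {gw} is inside protected network {net}")
    return findings

if __name__ == "__main__":
    for acl in (ACL_NARROW, ACL_BROAD):
        print(acl, "->", check(ROUTE, [acl]))
```

With the assumed /16 masks the next hop lies outside both protected networks; only the broader /8 variant captures it.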