02-18-2004 07:21 AM
I'm currently trying to test my VPN config that I will be implementing at a new office. Now don't laugh, but I want to test the PIX 501 from home. But I don't have a static IP, so what I've done in the past is just dial in from home and switch the set peer IP and the ISAKMP key from home once I know what my IP is to test my tunnel. Or I'll just come back to work once I know the IP and test it then. This time though, my test is not working. I'm getting no tunnels at all... the config is different from configs of the past (this time it's all traffic from 10.42.x.x to 10.254.x.x subnet as opposed to interesting traffic from one particular machine).
My access-lists are not even incrementing... am I missing something? Is this because of PPPoE... I've tested this way before without too many problems... just never this type of config...
Is there a better way to test before I send out the pix 501?
Thanks
02-18-2004 07:50 AM
when you do traceroutes from your home lan, do you normally see hops in the 10.5.67 space?
this line concerns me - i wonder if your isp at home is using 10.x.x.x, and if that is breaking things
outside 0.0.0.0 0.0.0.0 10.5.67.1 1 PPPOE static <-----i have no idea what the 10.5.67.1 is coming from...???
02-18-2004 08:15 AM
I can ping 10.5.67.1 from the PIX 501 at home. I'm at work, so I can't capture the traceroute from a wks. My ISP is Verizon. I know I didn't always have that added routing statement... I'm guessing perhaps Verizon changed their network setup... time to get the sniffer up to check out what's going on... haven't done that in a while at home...
But I agree with you... 10.5.x.x must be doing something to break things up on me.
02-18-2004 12:44 PM
first hop from home is indeed 10.5.67.1
i wonder what verizon is up to.
02-18-2004 01:31 PM
a lot of ISPs use rfc 1918 space to assign their cable modems/etc to manage em. they often break traceroutes, and other stuff that 99% of their users will not notice. grrrrr
02-18-2004 02:17 PM
Funny thing is that I can get a VPN up between the 2 outside interfaces and pass ICMP packets. I just can't get the tunnels from either inside LAN to pass to each other.
i added
access-list IRELAND permit ip host 138.89.27.219 host 12.20.60.x
on both sides just to test the VPN between the 2 interfaces. It works, but still nothing from the inside networks... Even if I couldn't reach the other side, you would think that the access-list counter would at least increment.
I'll keep on testing.