Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
358
Views
0
Helpful
4
Replies

pix bizarre vpn issue

durale1789
Level 1
Level 1

‎11-16-2006 05:53 AM

Hi,

i m being established a vpn tunnel bewtween two pix (515--> 501). If i configure the vpn tunnel with the encryption domain 10.5.10.0/24 --- 10.5.245.0/24, it works perfectly. However if i use the encryption domain 194.42.../27 -- 10.5.245.0/24, it doesn t work !! 194.42.../27 range belongs to a puclic network

in fact 194.42.../27 is dmz

Can we establish a vpn tunnel with encyption domain public(dmz)--private ?

Alex

Labels:
0 Helpful
4 Replies 4

Sureshdank
Level 1
Level 1

‎11-17-2006 04:30 AM

I hope outside interfaces of both the PIXs are configured with public IP and if they are not then they might be connected with a point to point link right.

When you establish VPN tunnel between two PIXs there is a logical path created between both the devices.

And after that you can communicate with any source to any destination subnet.

Hope that helps,

Regards,

Suresh Jain

0 Helpful

brooks-el
Level 1
Level 1
In response to Sureshdank

‎11-17-2006 11:52 AM

the pix doesn't care if its public, private or other wise, you need to make sure that you have the appropriate routing and nat statements.

When you say it doesn't work, what do you mean, do you see any errors in your "Debug crypto iskamp" or debug crypto ipsec sa

Also, im assuming that the private address that worked was (inside) and the new tunnel your creating is from (dmz)

make sure you have nonat configured for traffic from (dmz) to remote (inside)

on the remote side, make sure you have routes pointing your (dmz) public addressing out the interface that facilitates the vpn tunnel to head office.

we would need more infomation like configs and/or diagrams to help further.

remmeber the check the nonat/nat statements on both ends..

0 Helpful

durale1789
Level 1
Level 1
In response to brooks-el

‎11-22-2006 03:22 AM

here is the config. if i do ping inside 194.42.124.34 from the pipx 501 the vpn process start and from the other pix i get the logs attached to this email.

The thing is i can t start the vpn process from the other pix (515) if i do ping dmz 10.5.245.9, i get:

%PIX-6-110001: No route to 10.5.245.9 from yy.yy.yy.60 (dmz ip address from the dmz interface (yy.yy,yy.32/27)

27359-cisco-cnp
0 Helpful

durale1789
Level 1
Level 1
In response to durale1789

‎11-22-2006 06:41 AM

i resolved the problem. it was about the route between the pix and my network. And also i added

global (outside) 1 interface

nat (dmz) 0 access-list inside_nat0_outbound

Regards,

0 Helpful
Customers Also Viewed These Support Documents