PIX to PIX VPN Configuration

Level 1

I am running a PIX to PIX IPSEC VPN. I am using two PIX 506s. The VPN configuration indicated below works fine. But I would like to change the IP address in Network B from the network mask to the new range mask

When I change the IP address on the access list on PIX2 the VPN fails to work. The following Access-list works:

Access-list 101 permit ip

When I change it to this one below, the VPN fails to work:

Access-list 101 permit ip 255.255.240

What could be the problem?

PIX Version 6.3(3)

access-list 101 permit ip 255.255.255.

ip address outside 218.x.x.50

ip address inside

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0 0

static (inside,outside) tcp interface www www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface smtp smtp netmask 255.255.255.255 0 0

access-group outside in interface outside

route outside 1

http inside

sysopt connection permit-ipsec

crypto ipsec transform-set lusaka esp-des esp-md5-hmac

crypto map buku 1 ipsec-isakmp

crypto map buku 1 match address 101

crypto map buku 1 set peer 218.x.35.54

crypto map buku 1 set transform-set lusaka

crypto map buku interface outside

isakmp enable outside

isakmp key ******** address 218.x.x.54 netmask 255.x.x.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

13 Replies

Level 3

The mask on acl 101 looks truncated on this email. I'll suppose the ACL is

Access-list 101 permit ip

and you want 128 hosts on net-A to reach 15 hosts on net-B.

(IF I'm wrong do not read the following notes)

Your new ACL-101 is wrong. Both source and destination are in the same network.

You may want to add a new route outside on your pix A.

Ensure the pix B has the reflecting acl 101 you have defined on pix A.

Initiate the following commands to force a reset on the tunnel:

clear isakmp sa

clear ipsec sa


What would be the correct ACL-101 in this case?

Will it be correct if we used the following ACL:

Access-list 101 permit ip

Are these two different subnets?

Last ACL is correct. This will encrypt traffic from net-A range to net-B

May I suggest this link referring to subnet calculation:

or the complete tables:

Just to help my understanding, is this ACL correct?

access-list 101 permit ip

ACL is correct.

You will also have to add this route to your pix config:

route outside

otherwise your route inside will take precedence.

This will mean having two routes. Is this ok?

1. route outside 1

2. route outside 255.255.255.128 e1

Secondly, what IP addresses are available in each subnet, and which IP address in each subnet should be allocated to the internal interface of each PIX? Can we use any IP address in the range available?

Hi, the problem is that you are trying to make the VPN work with 2 subnets having the same IP range.... that's all..

To really make a VPN work, you should have separate subnets at both ends..


Hi CJ

I want to use the following subnets:

Subnet A - (IP addresses available

Subnet B - (IP addresses available

Are you saying that if I used these two subnets the VPN won't work? What is your counter proposal?


See this:

>>ip address inside

It says all the 10.X.X.X network is towards your inside interface.

If that is the only small subnet you are using, give an appropriate IP to your interface like:

ip address inside

If this is the case, you won't be able to make it work with this setup.

Also, if you can make the above change, the ACL needs to be changed from

>>Access-list 101 permit ip 255.255.240


access-list 101 permit ip

Just change the '0' with the IP of your choice...

ip address inside
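The checks above (distinct subnets at each end, a PIX ACL written with subnet masks, and the peer's mirrored ACL), as an added example that is not part of the thread. The thread's real addresses were stripped, so the two networks below are constructed placeholders sized like the reviewer's assumption of 128 addresses behind PIX A and 16 behind PIX B; the function names are my own.

```python
"""Sanity checks for a PIX-to-PIX crypto ACL (added example, not from the thread)."""
import ipaddress

# Constructed placeholders, not the poster's real net-A / net-B.
NET_A = "192.0.2.0/25"      # /25 = 255.255.255.128, 126 usable hosts behind PIX A
NET_B = "198.51.100.0/28"   # /28 = 255.255.255.240, 14 usable hosts behind PIX B


def pix_acl(acl_id: int, src: str, dst: str) -> str:
    """Render a PIX 6.3-style access-list line.

    PIX ACLs take a subnet mask (255.255.255.0), not an IOS wildcard mask.
    """
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    return (f"access-list {acl_id} permit ip "
            f"{s.network_address} {s.netmask} {d.network_address} {d.netmask}")


def mirrored_acl(acl_id: int, src: str, dst: str) -> str:
    """The 'reflecting' ACL the far PIX needs: same pair, source and destination swapped."""
    return pix_acl(acl_id, dst, src)


def check_crypto_pair(src: str, dst: str) -> list[str]:
    """Problems a reviewer would flag for the src/dst of a crypto ACL."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    problems = []
    if s.overlaps(d):
        # The thread's root cause: both ends sit in the same address range,
        # so the tunnel never carries traffic. Use distinct subnets at each end.
        problems.append("source and destination overlap; use separate subnets at both ends")
    return problems


def usable_hosts(net: str) -> tuple[str, str, int]:
    """First usable address, last usable address and host count for a subnet
    (answers 'which addresses are available / which can the inside interface take')."""
    n = ipaddress.ip_network(net)
    hosts = list(n.hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


if __name__ == "__main__":
    print(pix_acl(101, NET_A, NET_B))                        # ACL for PIX A
    print(mirrored_acl(101, NET_A, NET_B))                   # ACL for PIX B
    print(check_crypto_pair(NET_A, NET_B))                   # [] -> distinct subnets
    print(check_crypto_pair("10.0.0.0/25", "10.0.0.0/28"))   # overlap flagged
    print(usable_hosts(NET_B))                               # ('198.51.100.1', '198.51.100.14', 14)
```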

OK, will try these suggestions. I am using CISCO PIX 506 OS 6.3(3). Do all these configurations apply to Operating System 6.3(3)?

Thanks. I implemented the suggestions and the VPN worked fine.