
PIX to PIX VPN Configuration


I am running a PIX to PIX IPSEC VPN. I am using two PIX 506s. The VPN configuration indicated below works fine. But I would like to change the IP address in Network B from the network mask to the new range mask

When I change the IP address on the access list on PIX2 the VPN fails to work. The following Access-list works:

Access-list 101 permit ip

When I change it to this one below the VPN fails to work

Access-list 101 permit ip 255.255.240

What could be the problem?

PIX Version 6.3(3)

access-list 101 permit ip 255.255.255.

ip address outside 218.x.x.50

ip address inside

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0 0

static (inside,outside) tcp interface www www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface smtp smtp netmask 255.255.255.255 0 0

access-group outside in interface outside

route outside 1

http inside

sysopt connection permit-ipsec

crypto ipsec transform-set lusaka esp-des esp-md5-hmac

crypto map buku 1 ipsec-isakmp

crypto map buku 1 match address 101

crypto map buku 1 set peer 218.x.35.54

crypto map buku 1 set transform-set lusaka

crypto map buku interface outside

isakmp enable outside

isakmp key ******** address 218.x.x.54 netmask 255.x.x.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

13 Replies


The mask on acl 101 looks truncated on this email. I'll suppose the ACL is

Access-list 101 permit ip

and you want 128 hosts on net-A to reach 15 hosts on net-B.

(IF I'm wrong do not read the following notes)

Your new ACL-101 is wrong. Both source and destination are in the same network.

You may want to add a new route outside on your pix A.

Ensure the pix B has the reflecting acl 101 you have defined on pix A.

Initiate the following commands to force a reset on the tunnel:

clear isakmp sa

clear ipsec sa
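As an added example (not code from the thread), a small Python check for the two mistakes the reply above points at: it parses a PIX "permit ip" crypto ACL on each side, rejects an address whose host bits are set for the new mask, flags a source and destination that land in the same network, and confirms the peer's ACL is the mirror of the local one. The addresses are constructed placeholders, because the post's real ones were stripped.

```python
import ipaddress
import re

# Constructed placeholders: net-A is modelled as 192.168.1.0/25 (128 addresses)
# and net-B as 192.168.2.0/28 (16 addresses), the sizes the reply assumes.
PIX_A_ACL = "access-list 101 permit ip 192.168.1.0 255.255.255.128 192.168.2.0 255.255.255.240"
PIX_B_ACL = "access-list 101 permit ip 192.168.2.0 255.255.255.240 192.168.1.0 255.255.255.128"
# A broken entry: the destination range falls inside the source network.
BAD_ACL = "access-list 101 permit ip 192.168.1.0 255.255.255.128 192.168.1.64 255.255.255.240"

ACL_RE = re.compile(
    r"access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", re.I)


def parse_acl(line):
    """Return (src_net, dst_net) for a PIX 'access-list N permit ip' entry.
    PIX takes real subnet masks here, not IOS-style wildcard masks.
    strict=True rejects an address whose host bits are set for its mask,
    which is what happens when only the mask is changed on an existing line."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError("not a 'permit ip' access-list entry: " + line)
    src, smask, dst, dmask = m.groups()
    return (ipaddress.ip_network(f"{src}/{smask}", strict=True),
            ipaddress.ip_network(f"{dst}/{dmask}", strict=True))


def check_pair(local_acl, peer_acl):
    """List the problems in a crypto ACL pair; an empty list means it is consistent."""
    problems = []
    try:
        l_src, l_dst = parse_acl(local_acl)
        p_src, p_dst = parse_acl(peer_acl)
    except ValueError as e:
        return [f"unparseable entry: {e}"]
    if l_src.overlaps(l_dst):
        problems.append(f"local ACL: source {l_src} and destination {l_dst} "
                        "overlap, so they are not two distinct networks")
    if (p_src, p_dst) != (l_dst, l_src):
        problems.append(f"peer ACL {p_src} -> {p_dst} does not mirror "
                        f"local ACL {l_src} -> {l_dst}")
    return problems


if __name__ == "__main__":
    for name, acl in (("good", PIX_A_ACL), ("bad", BAD_ACL)):
        print(name, check_pair(acl, PIX_B_ACL) or ["OK"])
```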


What would be the correct ACL-101 in this case?

Will it be correct if we used the following ACL:

Access-list 101 permit ip

Are these two different subnets?