03-02-2001 09:25 AM - edited 02-21-2020 11:18 AM
I set up two 515 PIXs to create a VPN between them. It all works fine when I tested it on two routers connected back to back. When I connect my PIXs to two internet connections and try to establish a VPN, I can't. One of the ISPs changed the access list on the router and the other router is without any access list. Please, if anybody can help.
Henk
03-06-2001 02:35 PM
I would suggest starting with configs and debugs in this situation. If it worked back-to-back in the lab, you'd better look harder at the ISP. Have them check their access-lists for IP protocol 50 & 51 blocking. Remember, if there's an access list at all, and there's no permit statement, there is an implicit deny. Usually ISPs don't run access-lists and leave all the filtering up to their customers. If they are sure they are not blocking anything, I'd suggest opening a TAC case.
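As an added check (not code from this thread or from Cisco), a small Python script that applies Cisco first-match and implicit-deny semantics to an ISP access list and reports which of the tunnel's flows it would drop. It assumes IKE on UDP/500 plus ESP (50) and AH (51), and it does not evaluate source/destination addresses.

```python
import re

# Flows the PIX-to-PIX IPsec tunnel needs to pass the ISP filter.
# Assumed: IKE on UDP/500; ESP is IP protocol 50 and AH is IP protocol 51.
IPSEC_FLOWS = [
    ("udp", 500, "IKE/ISAKMP (UDP 500)"),
    ("50", None, "ESP (IP protocol 50)"),
    ("51", None, "AH (IP protocol 51)"),
]

# Extended ACE: access-list <name> permit|deny <proto> <src> <dst> [eq <port>] ...
ACE_RE = re.compile(r"^access-list\s+\S+\s+(permit|deny)\s+(\S+)\s+(.*)$", re.I)
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}
PROTO_NAMES = {"esp": "50", "ahp": "51"}   # Cisco keyword names for 50/51

def parse_ace(line):
    """Return (action, protocol, dst_port) for one ACE, or None for other lines.
    Addresses are ignored (assumption: the filter applies to the tunnel endpoints)."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    action, proto, rest = m.groups()
    proto = PROTO_NAMES.get(proto.lower(), proto.lower())
    port = None
    pm = re.search(r"\beq\s+(\S+)\s*$", rest)        # destination port only
    if pm:
        name = pm.group(1).lower()
        port = PORT_NAMES.get(name, int(name) if name.isdigit() else None)
    return action.lower(), proto, port

def evaluate(acl_lines, proto, port):
    """First matching ACE wins; a configured list with no match is an implicit
    deny; no list at all means nothing is filtered."""
    aces = [a for a in map(parse_ace, acl_lines) if a]
    if not aces:
        return "permit"
    for action, ace_proto, ace_port in aces:
        if ace_proto not in ("ip", proto):
            continue
        if ace_port is not None and ace_port != port:
            continue
        return action
    return "implicit-deny"

def ipsec_blockers(acl_lines):
    """Labels of the tunnel flows this ACL would drop."""
    return [label for proto, port, label in IPSEC_FLOWS
            if evaluate(acl_lines, proto, port) != "permit"]

# Constructed sample ISP edge filter: IKE gets through, ESP and AH do not.
SAMPLE_ISP_ACL = """
! constructed example, not a real ISP configuration
access-list 101 permit tcp any any eq 80
access-list 101 permit udp any any eq isakmp
access-list 101 permit icmp any any
access-list 101 deny ip any any log
""".strip().splitlines()

if __name__ == "__main__":
    for flow in ipsec_blockers(SAMPLE_ISP_ACL):
        print("blocked:", flow)
```

The sample reproduces the symptom from the thread: phase 1 (IKE) negotiates, but the ESP/AH traffic is dropped at the ISP edge, so the tunnel never passes data.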
03-06-2001 05:42 PM
Hi Henk,
First determine if the two devices can ping each other. Use the debug packet command on each PIX to verify if the traffic is making it past your access router. Also make sure you changed your default route to the next hop, which appears to be your ISP routers. You also need to create a static entry in your router allowing traffic to go from the lower security interface (outside) to the higher one (inside). It may be easier just to enter the command "sysopt connection permit-ipsec".