
Site-to-Site VPN and routing...

bertels.p
Level 1

Hi all,

I have the following setup...

Office Pix 501 <=site-to-site=> Corporate PIX 515e.

On the Corporate side we have a frame connection on a 2600 => Parent. Clients on the corp & Office side can see each other fine. Corporate can see the Parent no issues. From the Office PIX we can ping the parent router no issue. From the Office we cannot see the parent. Not sure if this makes sense...

Client x->501<->515e<->2600<->Parent

Ping to Parent from 501 works after route par.ent.xxx.xxx 255.255.0.0 cor.por.ate.xxx (2600 address) was added to config. Any help appreciated.

2 Replies

jackko
Level 7

the parent subnet(s) needs to be included in the no-nat and crypto acl on both 501 and 515e.

e.g. on 501

access-list no_nat permit ip <501 private subnet> <501 private subnet mask> <515e private subnet> <515e private subnet mask>

access-list no_nat permit ip <501 private subnet> <501 private subnet mask> <parent subnet> <parent subnet mask>

access-list l2lvpn permit ip <501 private subnet> <501 private subnet mask> <515e private subnet> <515e private subnet mask>

access-list l2lvpn permit ip <501 private subnet> <501 private subnet mask> <parent subnet> <parent subnet mask>

the "mirror" acls need to be configured on the 515e. further, verify there is a route on the parent router for 501 private subnet pointing to 515e as the next hop.
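
The mirror requirement from the reply above can be checked offline. This is an added example, not part of the original thread: a small Python audit that compares the no_nat and l2lvpn ACLs of two saved PIX configs and lists entries with no swapped counterpart on the peer. The ACL names come from the reply; the addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample configs: office 192.168.1.0/24, corporate 10.1.0.0/16,
# parent 172.16.0.0/16. The corporate crypto ACL lacks the parent entry.
OFFICE_501 = """\
access-list no_nat permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list no_nat permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list l2lvpn permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list l2lvpn permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
"""
CORPORATE_515E = """\
access-list no_nat permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list no_nat permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list l2lvpn permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
"""

def parse_acl(config, name):
    """Return the set of (source, destination) networks permitted by ACL `name`."""
    pairs = set()
    for line in config.splitlines():
        tok = line.split()
        # Expected form: access-list <name> permit ip <src> <mask> <dst> <mask>
        if len(tok) == 8 and tok[:4] == ["access-list", name, "permit", "ip"]:
            src = ipaddress.ip_network(f"{tok[4]}/{tok[5]}")
            dst = ipaddress.ip_network(f"{tok[6]}/{tok[7]}")
            pairs.add((src, dst))
    return pairs

def missing_mirrors(local, remote):
    """Entries in `local` with no swapped (dst, src) entry in `remote`."""
    return sorted((s, d) for s, d in local if (d, s) not in remote)

def audit(cfg_a, cfg_b, acls=("no_nat", "l2lvpn")):
    """For each ACL name, list the entries each side has without a mirror."""
    report = {}
    for name in acls:
        a, b = parse_acl(cfg_a, name), parse_acl(cfg_b, name)
        report[name] = {"a_unmirrored": missing_mirrors(a, b),
                        "b_unmirrored": missing_mirrors(b, a)}
    return report

if __name__ == "__main__":
    for name, result in audit(OFFICE_501, CORPORATE_515E).items():
        for side, entries in result.items():
            for src, dst in entries:
                print(f"{name}: {side}: {src} -> {dst} has no mirror on the peer")
```
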

ahmed.badawy
Level 1

Would you send me crypto, isakmp, and ACL configurations on both PIXs?