07-17-2007 01:04 PM
I've set up a site-to-site VPN between a 501 and a 506, each with its own private subnet, and everything works fine... except that machines on the 506's subnet can't contact machines on the 501's subnet.
Since the VPN tunnel works, I suspect a problem in my routing, but I'm not sure where to start troubleshooting.
Any tips? Anything I should look for?
07-17-2007 02:58 PM
When you say "everything works fine" do you mean you are able to get two way traffic? Pings are working?
07-17-2007 04:08 PM
Do a traceroute from a server/PC on the 506 side. You will probably asterisk out when you hit the Pix, but it should show you if you have a routing problem. Also check your crypto ACL on the 506 side. Do show xxxx access-list and see if there are hit counts incrementing. Or do a debug icmp trace on both Pixs and ping from a server on the 506 side to a server on the other side. See if there are echo-requests and echo-replies on both Pixs, assuming those are allowed over your tunnel, and that should help you figure out where it is stopping.
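The hit-count check suggested in the reply above can be scripted. This is an added example, not part of the original post: it compares two saved snapshots of access-list output taken before and after a test ping and lists the entries whose counters did not move. The `(hitcnt=N)` line layout is an assumption, and the ACL names, subnets and counts are constructed sample data.

```python
import re

# One entry line of "show access-list" output ending in "(hitcnt=N)".
# The exact line layout is an assumption; adjust the pattern to your device.
ENTRY = re.compile(
    r"^access-list\s+(\S+)\s+(?:line\s+\d+\s+)?(.*?)\s*\(hitcnt=(\d+)\)\s*$"
)

def parse_hitcounts(text):
    """Return {(acl_name, rule_text): hit count} for every entry line."""
    counts = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # header lines such as "access-list NAME; 1 elements" are skipped
            counts[(m.group(1), m.group(2))] = int(m.group(3))
    return counts

def hitcount_delta(before, after):
    """Hit count increase per entry between two snapshots."""
    b, a = parse_hitcounts(before), parse_hitcounts(after)
    return {key: a[key] - b.get(key, 0) for key in a}

def stalled_entries(before, after):
    """Entries whose counter did not move while the test ping ran."""
    return sorted(k for k, d in hitcount_delta(before, after).items() if d == 0)

# Constructed snapshots taken on the 506 before and after a test ping
RULE = "permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0"
BEFORE = f"""access-list vpn_acl; 1 elements
access-list vpn_acl line 1 {RULE} (hitcnt=7)
access-list inside_out; 1 elements
access-list inside_out line 1 permit icmp any any (hitcnt=40)
"""
AFTER = BEFORE.replace("(hitcnt=40)", "(hitcnt=44)")

if __name__ == "__main__":
    for acl, rule in stalled_entries(BEFORE, AFTER):
        print(f"no new hits: {acl}: {rule}")
```

An entry that stays flat during the ping means the test traffic never matched it, which points at the ACL definition or at the traffic not reaching the firewall rather than at the tunnel itself.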
07-17-2007 04:39 PM
If you're saying that machines behind the 501 can connect to machines behind the 506, then this would not be a routing problem as the return traffic is making it back to the 501. You'll have to be a little more specific about the problem or post configs.