PIX Site to Site VPN

 
 
Fook
09-17-2006
I am trying to get a site to site vpn working.

The main PIX is a 515 and the client PIX is a 501.

I have it all configured and the tunnel comes up fine, however, if I try and
ping hosts on the main site (515 side) from the remote site (501 side) it
doesn't ping until I log onto the host on the main side I am trying to
ping, ping the client PC from there, then the client PC can ping that host?

Hope someone understands what I tried to explain there

Regards

 
Walter Roberson
09-17-2006
In article <eej91r$3m9$1$(E-Mail Removed)>,
Fook <(E-Mail Removed)> wrote:
>I am trying to get a site to site vpn working.


>The main PIX is a 515 and the client PIX is a 501.


>I have it all configured and the tunnel comes up fine, however, if I try and
>ping hosts on the main site (515 side) from the remote site (501 side) it
>doesn't ping until I log onto the host on the main side I am trying to
>ping, ping the client PC from there, then the client PC can ping that host?


>Hope someone understands what I tried to explain there


This could be caused if one of the two ends has a dynamic IP address,
or if the PIXes have been configured to think that they do.

It could also be caused by the access-lists used for the
crypto map match address not being symmetric.
 
swapnendu
09-17-2006
check the No NAT and crypto ACLs on both the ends thoroughly...
 
Fook
09-17-2006
Walter Roberson wrote:

> In article <eej91r$3m9$1$(E-Mail Removed)>,
> Fook <(E-Mail Removed)> wrote:
>>I am trying to get a site to site vpn working.

>
>>The main PIX is a 515 and the client PIX is a 501.

>
>>I have it all configured and the tunnel comes up fine, however, if I try
>>and ping hosts on the main site (515 side) from the remote site (501 side)
>>it doesn't ping until I log onto the host on the main side I am trying to
>>ping, ping the client PC from there, then the client PC can ping that
>>host?

>
>>Hope someone understands what I tried to explain there

>
> This could be caused if one of the two ends has a dynamic IP address,
> or if the PIXes have been configured to think that they do.
>
> It could also be caused by the access-lists used for the
> crypto map match address not being symmetric.


Strange, the 515 didn't have the 'crypto map outside_map 20 match address
20' statement, when I added this in it stopped pinging altogether. Saved
config, rebooted and everything is working fine now?

Cheers

 
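The two causes raised in the thread (a crypto map entry with no `match address`, and crypto ACLs that are not mirror images of each other) can be checked offline from both configs. This is an added example, not part of any post above; the config excerpts and addresses are constructed, and `selectors` and `check_pair` are hypothetical helper names.

```python
import re

# Constructed PIX 6.x config excerpts; addresses and ACL number are illustrative.
PIX515 = """\
access-list 20 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set peer 203.0.113.2
crypto map outside_map interface outside
"""
PIX501 = """\
access-list 20 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 20
crypto map outside_map 20 set peer 203.0.113.1
crypto map outside_map interface outside
"""
PIX515_FIXED = PIX515 + "crypto map outside_map 20 match address 20\n"

ENTRY = re.compile(r"^crypto map (\S+) (\d+) ", re.M)
MATCH = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)", re.M)
# Only "permit ip" entries with two-token addresses (net mask / host addr) are parsed.
ACE = re.compile(r"^access-list (\S+) permit ip (\S+ \S+) (\S+ \S+)[ \t]*$", re.M)

def selectors(config):
    """Map (crypto map, seq) -> set of (src, dst) it encrypts; None if no match address."""
    aces = {}
    for acl, src, dst in ACE.findall(config):
        aces.setdefault(acl, set()).add((src, dst))
    found = {key: None for key in ENTRY.findall(config)}
    for name, seq, acl in MATCH.findall(config):
        found[(name, seq)] = aces.get(acl, set())
    return found

def check_pair(local, remote):
    """Return the crypto map / crypto ACL asymmetries between two peers."""
    problems, traffic = [], {}
    for side, config in (("local", local), ("remote", remote)):
        traffic[side] = set()
        for (name, seq), pairs in sorted(selectors(config).items()):
            if pairs is None:
                problems.append(f"{side}: crypto map {name} {seq} has no match address")
            else:
                traffic[side] |= pairs
    for side, other in (("local", "remote"), ("remote", "local")):
        for src, dst in sorted(traffic[side]):
            if (dst, src) not in traffic[other]:
                problems.append(f"{side}: {src} -> {dst} has no mirror on {other}")
    return problems

if __name__ == "__main__":
    print(check_pair(PIX515, PIX501))
```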
 
john smith
09-18-2006
On Sun, 17 Sep 2006 21:09:21 +0100, Fook wrote:

> Walter Roberson wrote:
>
>> In article <eej91r$3m9$1$(E-Mail Removed)>,
>> Fook <(E-Mail Removed)> wrote:
>>>I am trying to get a site to site vpn working.

>>
>>>The main PIX is a 515 and the client PIX is a 501.

>>
>>>I have it all configured and the tunnel comes up fine, however, if I try
>>>and ping hosts on the main site (515 side) from the remote site (501 side)
>>>it doesn't ping until I log onto the host on the main side I am trying to
>>>ping, ping the client PC from there, then the client PC can ping that
>>>host?

>>
>>>Hope someone understands what I tried to explain there

>>
>> This could be caused if one of the two ends has a dynamic IP address,
>> or if the PIXes have been configured to think that they do.
>>
>> It could also be caused by the access-lists used for the
>> crypto map match address not being symmetric.

>
> Strange, the 515 didn't have the 'crypto map outside_map 20 match address
> 20' statement, when I added this in it stopped pinging altogether. Saved
> config, rebooted and everything is working fine now?
>
> Cheers


Before you rebooted did you do "clear cry ipsec sa" and/or "clear isa sa"?
 
Fook
09-18-2006
john smith wrote:

> On Sun, 17 Sep 2006 21:09:21 +0100, Fook wrote:
>
>> Walter Roberson wrote:
>>
>>> In article <eej91r$3m9$1$(E-Mail Removed)>,
>>> Fook <(E-Mail Removed)> wrote:
>>>>I am trying to get a site to site vpn working.
>>>
>>>>The main PIX is a 515 and the client PIX is a 501.
>>>
>>>>I have it all configured and the tunnel comes up fine, however, if I try
>>>>and ping hosts on the main site (515 side) from the remote site (501
>>>>side) it doesn't ping until I log onto the host on the main side I am
>>>>trying to ping, ping the client PC from there, then the client PC can
>>>>ping that host?
>>>
>>>>Hope someone understands what I tried to explain there
>>>
>>> This could be caused if one of the two ends has a dynamic IP address,
>>> or if the PIXes have been configured to think that they do.
>>>
>>> It could also be caused by the access-lists used for the
>>> crypto map match address not being symmetric.

>>
>> Strange, the 515 didn't have the 'crypto map outside_map 20 match address
>> 20' statement, when I added this in it stopped pinging altogether. Saved
>> config, rebooted and everything is working fine now?
>>
>> Cheers

>
> Before you rebooted did you do "clear cry ipsec sa" and/or "clear isa sa"?


Unfortunately not
 