PIX Site to Site VPN

Discussion in 'Cisco' started by Fook, Sep 17, 2006.

  1. Fook

    Fook Guest

    I am trying to get a site to site vpn working.

    The main PIX is a 515 and the client PIX is a 501.

    I have it all configured and the tunnel comes up fine, however, if I try and
    ping hosts on the main site (515 side) from the remote site (501 side) it
    doesn't ping until I log onto the host on the main side I am trying to
    ping, ping the client PC from there, then the client PC can ping that host?

    Hope someone understands what I tried to explain there :)

    Regards
    Fook, Sep 17, 2006
    #1

  2. In article <eej91r$3m9$1$>,
    Fook <> wrote:
    >I am trying to get a site to site vpn working.


    >The main PIX is a 515 and the client PIX is a 501.


    >I have it all configured and the tunnel comes up fine, however, if I try and
    >ping hosts on the main site (515 side) from the remote site (501 side) it
    >doesn't ping until I log onto the host on the main side I am trying to
    >ping, ping the client PC from there, then the client PC can ping that host?


    >Hope someone understands what I tried to explain there :)


    This could be caused if one of the two ends has a dynamic IP address,
    or if the PIXes have been configured to think that they do.

    It could also be caused by the access-lists used for the
    crypto map match address not being symmetric.
    Walter Roberson, Sep 17, 2006
    #2

  3. Fook

    swapnendu

    check the No NAT and crypto ACLs on both the ends thoroughly...
    swapnendu, Sep 17, 2006
    #3
  4. Fook

    Fook Guest

    Walter Roberson wrote:

    > In article <eej91r$3m9$1$>,
    > Fook <> wrote:
    >>I am trying to get a site to site vpn working.

    >
    >>The main PIX is a 515 and the client PIX is a 501.

    >
    >>I have it all configured and the tunnel comes up fine, however, if I try
    >>and ping hosts on the main site (515 side) from the remote site (501 side)
    >>it doesn't ping until I log onto the host on the main side I am trying to
    >>ping, ping the client PC from there, then the client PC can ping that
    >>host?

    >
    >>Hope someone understands what I tried to explain there :)

    >
    > This could be caused if one of the two ends has a dynamic IP address,
    > or if the PIXes have been configured to think that they do.
    >
    > It could also be caused by the access-lists used for the
    > crypto map match address not being symmetric.


    Strange, the 515 didn't have the 'crypto map outside_map 20 match address
    20' statement, when I added this in it stopped pinging altogether. Saved
    config, rebooted and everything is working fine now?

    Cheers
    Fook, Sep 17, 2006
    #4
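An added example, not part of any post in this thread: a small Python check for the two conditions raised above, a crypto map entry with no `match address` statement and crypto access-lists that are not mirror images on the two peers. Both configs are constructed samples (subnets, peer addresses and the extra remote ACL line are assumptions), and only `permit ip` lines with two-token source and destination are parsed.

```python
import re

# Constructed sample configs; addresses and peers are illustrative only.
# MAIN_515 deliberately lacks the 'match address' line, as described in the thread.
MAIN_515 = """\
access-list 20 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set peer 203.0.113.2
crypto map outside_map interface outside
"""
REMOTE_501 = """\
access-list 20 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 20 permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 20
crypto map outside_map 20 set peer 203.0.113.1
crypto map outside_map interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+ \S+) (\S+ \S+)\s*$", re.M)
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\s*$", re.M)
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)\s*$", re.M)

def crypto_selectors(config):
    """Return ({(map, seq): {(src, dst)}}, [entries with no match address])."""
    acls = {}
    for name, src, dst in ACL_RE.findall(config):
        acls.setdefault(name, set()).add((src, dst))
    matched = {(m, seq): acl for m, seq, acl in MATCH_RE.findall(config)}
    selectors, missing = {}, []
    for key in ENTRY_RE.findall(config):
        if key in matched:
            selectors[key] = acls.get(matched[key], set())
        else:
            missing.append(key)
    return selectors, missing

def audit(main_cfg, remote_cfg, entry=("outside_map", "20")):
    """List problems for one crypto map entry, compared across both peers."""
    problems, sels = [], {}
    for label, cfg in (("main", main_cfg), ("remote", remote_cfg)):
        selectors, missing = crypto_selectors(cfg)
        if entry in missing:
            problems.append(f"{label}: crypto map {entry[0]} {entry[1]} has no match address")
        sels[label] = selectors.get(entry, set())
    mirrored = {(dst, src) for src, dst in sels["remote"]}  # remote seen from main
    for src, dst in sorted(sels["main"] ^ mirrored):
        problems.append(f"not mirrored on both peers: {src} -> {dst}")
    return problems
```

Calling `audit(MAIN_515, REMOTE_501)` reports the missing `match address` on the main side first, then every selector that exists on only one peer, written from the main side's point of view.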
  5. Fook

    john smith Guest

    On Sun, 17 Sep 2006 21:09:21 +0100, Fook wrote:

    > Walter Roberson wrote:
    >
    >> In article <eej91r$3m9$1$>,
    >> Fook <> wrote:
    >>>I am trying to get a site to site vpn working.

    >>
    >>>The main PIX is a 515 and the client PIX is a 501.

    >>
    >>>I have it all configured and the tunnel comes up fine, however, if I try
    >>>and ping hosts on the main site (515 side) from the remote site (501 side)
    >>>it doesn't ping until I log onto the host on the main side I am trying to
    >>>ping, ping the client PC from there, then the client PC can ping that
    >>>host?

    >>
    >>>Hope someone understands what I tried to explain there :)

    >>
    >> This could be caused if one of the two ends has a dynamic IP address,
    >> or if the PIXes have been configured to think that they do.
    >>
    >> It could also be caused by the access-lists used for the
    >> crypto map match address not being symmetric.

    >
    > Strange, the 515 didn't have the 'crypto map outside_map 20 match address
    > 20' statement, when I added this in it stopped pinging altogether. Saved
    > config, rebooted and everything is working fine now?
    >
    > Cheers


    Before you rebooted did you do "clear cry ipsec sa" and/or "clear isa sa"?
    john smith, Sep 18, 2006
    #5
  6. Fook

    Fook Guest

    john smith wrote:

    > On Sun, 17 Sep 2006 21:09:21 +0100, Fook wrote:
    >
    >> Walter Roberson wrote:
    >>
    >>> In article <eej91r$3m9$1$>,
    >>> Fook <> wrote:
    >>>>I am trying to get a site to site vpn working.
    >>>
    >>>>The main PIX is a 515 and the client PIX is a 501.
    >>>
    >>>>I have it all configured and the tunnel comes up fine, however, if I try
    >>>>and ping hosts on the main site (515 side) from the remote site (501
    >>>>side) it doesn't ping until I log onto the host on the main side I am
    >>>>trying to ping, ping the client PC from there, then the client PC can
    >>>>ping that host?
    >>>
    >>>>Hope someone understands what I tried to explain there :)
    >>>
    >>> This could be caused if one of the two ends has a dynamic IP address,
    >>> or if the PIXes have been configured to think that they do.
    >>>
    >>> It could also be caused by the access-lists used for the
    >>> crypto map match address not being symmetric.

    >>
    >> Strange, the 515 didn't have the 'crypto map outside_map 20 match address
    >> 20' statement, when I added this in it stopped pinging altogether. Saved
    >> config, rebooted and everything is working fine now?
    >>
    >> Cheers

    >
    > Before you rebooted did you do "clear cry ipsec sa" and/or "clear isa sa"?


    Unfortunately not
    Fook, Sep 18, 2006
    #6