Changed Inside IP subnet on PIX 501, can't VPN to PIX 515

Discussion in 'Cisco' started by Scott Townsend, Mar 3, 2008.

  1. So I have a PIX 501 that I configured to use the subnet.
    Outside Interface is DHCP, ComCast Internet
    All is well, connects, traffic passes and we are good.

    I have a 1600 series router with Firewall IOS, that I configured to use the subnet
    Outside interface is DHCP/PPPoE, AT&T DSL Internet
    All is well, connects, traffic passes and we are good.

    Both are connected via preshared-keys, DefaultRAGroup.
    All of the ACLs include both subnet and subnet

    So I want to Replace the Router with the PIX.
    I Disconnect the Router,
    Reconfigure PIX with addresses.
    Reboot everything so the MAC addresses are flushed
    and it won't connect.

    I've turned on all the debugging on the 501 PIX and it's like it's not seeing
    any interesting traffic to initiate the VPN link.

    Doing the show cry map, I see the ACL with the source/dest subnets and they
    are correct, though the hitcnt is 0.

    Seems like if there was an issue on the PIX 515 side not liking the new
    client on the old subnet, at least I would see the connection attempt on the
    PIX 501 side.


    Scott Townsend, Mar 3, 2008
  2. Darren Green (Guest), in reply to Scott Townsend

    If I understand you correctly, the 1600 router is being swapped out for
    a PIX 501. The PIX 501 should create a VPN connection to a PIX 515. You
    are not seeing any hits on the PIX 501.

    Other than posting a config, my initial guess would be to check your No
    NAT. You should be seeing hits on your crypto ACLs; if not, this would
    tend to suggest that the address you are coming from is incorrect.

    Remember NAT happens before encryption. You need to ensure you exempt
    your network from NAT first. You will then have a matching crypto ACL for
    encrypting the traffic after NO-NAT/NAT; do not use the same ACL for both.

    Post your config anyway.


    Darren Green, Mar 3, 2008
  3. What looks like happened, and I'm not sure how, was my nat (inside) 0 was
    wiped out. )-;

    nat (inside) 0 access-list inside_nat0_outbound

    nat (inside) 1 0 0

    I reconfigured the unit back with the addressing config and it
    worked again. So I went through the 2 configs line by line; the was missing the nat (inside) 0 statement.


    So my next trick is to get the 1600 as a backup. Having issues with just
    the NAT, but that will be another post....

    Scott Townsend, Mar 4, 2008
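    The two points that settled this thread (Darren's "NAT happens before encryption, exempt the network first, and don't reuse the crypto ACL for NAT 0" and Scott's missing `nat (inside) 0 access-list` line) can be turned into a quick config check. The script below is an added example written for this page, not something posted in the thread or shipped by Cisco. It assumes PIX 6.x-style `access-list NAME permit ip SRC MASK DST MASK`, `nat (if) 0 access-list NAME` and `crypto map NAME SEQ match address NAME` syntax; the sample configs, the RFC 5737 documentation subnets in them, and the ACL/map names `outside_cryptomap_20` and `outside_map` are constructed (only `inside_nat0_outbound` appears in the thread).

```python
"""Audit a PIX-style config for crypto-ACL traffic that is not exempted from NAT.

If the interesting traffic is translated before the crypto map is evaluated,
the crypto ACL never matches and 'show crypto map' keeps showing hitcnt 0,
which is the symptom described in the thread.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]

# Constructed sample configs (not the poster's). Subnets are RFC 5737 ranges.
BROKEN_CONFIG = """
access-list inside_nat0_outbound permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 1 0 0
crypto map outside_map 20 match address outside_cryptomap_20
"""
# Same config with the nat 0 exemption restored (the fix found in the thread).
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "nat (inside) 1 0 0",
    "nat (inside) 0 access-list inside_nat0_outbound\nnat (inside) 1 0 0",
)
# Exemption present, but reusing the crypto ACL for nat 0 (the practice Darren warns against).
SHARED_ACL_CONFIG = BROKEN_CONFIG.replace(
    "nat (inside) 1 0 0",
    "nat (inside) 0 access-list outside_cryptomap_20\nnat (inside) 1 0 0",
)


def _parse_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one address spec (any | host A | A MASK) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # PIX uses dotted netmasks; ip_network accepts "net/mask" directly.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text: str):
    """Return (acls, nat0_acl_names, crypto_acl_refs) from the config text."""
    acls: Dict[str, List[Pair]] = {}
    nat0_acls: List[str] = []
    crypto_acls: List[Tuple[str, str]] = []  # ("map seq", acl name)
    for raw in text.splitlines():
        t = raw.strip().split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "access-list" and "permit" in t:
            # access-list NAME permit PROTO SRC DST
            p = t.index("permit")
            src, i = _parse_addr(t, p + 2)
            dst, _ = _parse_addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            nat0_acls.append(t[4])
        elif t[:2] == ["crypto", "map"] and "match" in t and "address" in t:
            crypto_acls.append((f"{t[2]} {t[3]}", t[t.index("address") + 1]))
    return acls, nat0_acls, crypto_acls


def audit(text: str) -> List[str]:
    """Return findings; an empty list means every crypto ACL entry is NAT-exempt."""
    acls, nat0_acls, crypto_acls = parse_config(text)
    findings: List[str] = []
    if not nat0_acls:
        findings.append("no 'nat (inside) 0 access-list ...' statement: VPN traffic is "
                        "translated before the crypto map is checked, hitcnt will stay 0")
    exempt: List[Pair] = [pair for name in nat0_acls for pair in acls.get(name, [])]
    for map_id, acl in crypto_acls:
        if acl in nat0_acls:
            findings.append(f"crypto map {map_id} and nat 0 share ACL {acl}; use separate ACLs")
        for src, dst in acls.get(acl, []):
            covered = any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)
            if not covered:
                findings.append(f"crypto map {map_id}: {src} -> {dst} is not exempted from "
                                f"NAT, so it can never match {acl} after translation")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG),
                       ("shared-acl", SHARED_ACL_CONFIG)):
        print(f"[{label}]")
        for f in audit(cfg) or ["ok"]:
            print("  ", f)
```

    Run it against a `show running-config` capture: any finding of the first kind is exactly the "crypto ACL is correct but hitcnt is 0" state from the first post, while the "share ACL" finding flags the shortcut Darren advises against even when the tunnel happens to work.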
