Hi all,

I have strange problem. I have two PIXes (501 and 506E) with VPN tunnel.
LAN structure is like that:

LAN1 ( - PIX506 (inside - Inet (VPN) - PIX501
(inside - LAN2 ( - Linux router (nonat, on PIX's side iface and on LAN3 side iface) - LAN3

Crypto tunnel is working, but only for one network at the moment. So if
ping works from to I can't ping from
to and vice versa. But on both rules in acl 101 I can see
growing hits when I pinging to both networks at same time. Even if only
pings to one network at the moment are going to crypto tunnel and pings
to second network are going directly to internet and they are rejected
by gateway as unreachable. Does anybody have any idea how to fix it?

PIX506 config (VPN part):

access-list 101 permit ip
access-list 101 permit ip
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set MYVPN esp-3des esp-md5-hmac
crypto map MYMAP 1 ipsec-isakmp
crypto map MYMAP 1 match address 101
crypto map MYMAP 1 set peer xxx.xxx.xxx.xxx
crypto map MYMAP 1 set transform-set MYVPN
crypto map MYMAP interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000

Thanx Rudiik
firewall-wizards mailing list