Hi all,

I have a strange problem. I have two PIXes (501 and 506E) with a VPN tunnel.
The LAN structure is like this:

LAN1 (10.1.5.0/24) - PIX506 (inside 10.1.5.254) - Inet (VPN) - PIX501
(inside 10.1.0.254/24) - LAN2 (10.1.0.0/24) - Linux router (nonat,
10.1.0.1 on PIX's side iface and 10.1.1.254 on LAN3 side iface) - LAN3
(10.1.1.0/24)

The crypto tunnel is working, but only for one network at a time. So if
ping works from 10.1.5.0/24 to 10.1.1.0/24, I can't ping from 10.1.5.0/24
to 10.1.0.0/24, and vice versa. But on both rules in ACL 101 I can see
growing hit counts when I ping both networks at the same time, even though
at any moment only pings to one network go into the crypto tunnel, and
pings to the second network go directly to the Internet and are rejected
by the gateway as unreachable. Does anybody have any idea how to fix it?

PIX506 config (VPN part):

access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set MYVPN esp-3des esp-md5-hmac
crypto map MYMAP 1 ipsec-isakmp
crypto map MYMAP 1 match address 101
crypto map MYMAP 1 set peer xxx.xxx.xxx.xxx
crypto map MYMAP 1 set transform-set MYVPN
crypto map MYMAP interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000


Thanx Rudiik
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards
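An added check that is not part of Rudiik's post or of the PIX configuration quoted in it: a small Python script that parses the `access-list ... permit ip` lines of a crypto ACL from each end of a tunnel and reports whether the two sides are exact mirror images of each other (each local src/dst pair must appear on the peer as dst/src). The PIX506 ACL below is copied from the post; the two PIX501 ACLs are constructed, since the post does not show the 501 side. One hypothetical 501 ACL summarises the two remote /24s into a single /23, which the script flags as a mismatch; the other mirrors the 506 ACL entry for entry and passes. Whether the real PIX501 ACL looks like either of these is an assumption, not something the post states.

```python
import ipaddress
import re

# Matches PIX 6.x "access-list NAME permit ip SRC SRCMASK DST DSTMASK" lines.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

# Copied from the PIX506 config in the post.
PIX506_ACL = """
access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

# Constructed, hypothetical PIX501 ACL: one /23 covering both remote LANs.
# This is NOT a mirror image of the 506 ACL and the script flags it.
PIX501_ACL_SUMMARISED = """
access-list 101 permit ip 10.1.0.0 255.255.254.0 10.1.5.0 255.255.255.0
"""

# Constructed, hypothetical PIX501 ACL that mirrors the 506 side entry for entry.
PIX501_ACL_MIRRORED = """
access-list 101 permit ip 10.1.0.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0
"""


def parse_crypto_acl(config_text, acl_name):
    """Return a set of (src_network, dst_network) pairs from the named ACL."""
    entries = set()
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        _name, src, smask, dst, dmask = m.groups()
        # ipaddress accepts a dotted netmask after the slash.
        src_net = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        entries.add((src_net, dst_net))
    return entries


def mirror_mismatches(local_entries, remote_entries):
    """Return two sorted lists, both in the local side's (src, dst) orientation:
    local entries that have no exact mirror on the remote side, and remote
    entries (mirrored) that have no exact counterpart on the local side."""
    remote_mirrored = {(dst, src) for (src, dst) in remote_entries}
    missing_on_remote = sorted(local_entries - remote_mirrored, key=str)
    missing_on_local = sorted(remote_mirrored - local_entries, key=str)
    return missing_on_remote, missing_on_local


def compare_acls(local_cfg, remote_cfg, acl_name="101"):
    """Parse both configs and return the mismatch lists for the named ACL."""
    local = parse_crypto_acl(local_cfg, acl_name)
    remote = parse_crypto_acl(remote_cfg, acl_name)
    return mirror_mismatches(local, remote)


if __name__ == "__main__":
    for label, remote_cfg in (
        ("summarised /23 peer ACL", PIX501_ACL_SUMMARISED),
        ("mirrored peer ACL", PIX501_ACL_MIRRORED),
    ):
        missing_remote, missing_local = compare_acls(PIX506_ACL, remote_cfg)
        print(f"== {label} ==")
        for src, dst in missing_remote:
            print(f"  local {src} -> {dst} has no mirror on the peer")
        for src, dst in missing_local:
            print(f"  peer expects {src} -> {dst}, not present locally")
        if not missing_remote and not missing_local:
            print("  ACLs are exact mirror images")
```

The script only compares the two crypto ACLs as text; it does not tell you what the PIXes actually negotiated. On the box, `show crypto ipsec sa` lists the local and remote identities of each IPsec SA, which is where you can confirm which proxy identities each end is proposing and whether the two sides agree on them.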