
Hmm..
Can you give me the corresponding output from the PIX 501 as well?

Here is how I interpret your network
+-----+    +---+       +---+    +---+    +-----+
|LAN-A|<-->|506|<=====>|501|<-->|RTR|<-->|LAN-B|
+-----+    +---+ IPSec +---+    +---+    +-----+

LAN-A: 10.1.5.0/24
506-Int: 10.1.5.254/24

501-Int: 10.1.0.254/24
RTR-501Side: 10.1.0.1
RTR-LANSide: 10.1.1.254/24

Meanwhile,
Can you change your 506 acl to
access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.0.0 255.255.254.0

and make the corresponding change to the acl on the 501, like
access-list 101 permit ip 10.1.0.0 255.255.254.0 10.1.5.0 255.255.255.0

and test the L2L again and see what happens!

Prabhu

Petr Vyhnal wrote:
> Hi all,
>
> I have a strange problem. I have two PIXes (501 and 506E) with a VPN tunnel.
> The LAN structure is like this:
>
> LAN1 (10.1.5.0/24) - PIX506 (inside 10.1.5.254) - Inet (VPN) - PIX501
> (inside 10.1.0.254/24) - LAN2 (10.1.0.0/24) - Linux router (nonat,
> 10.1.0.1 on PIX's side iface and 10.1.1.254 on LAN3 side iface) - LAN3
> (10.1.1.0/24)
>
> The crypto tunnel is working, but only for one network at a time. So if
> ping works from 10.1.5.0/24 to 10.1.1.0/24, I can't ping from 10.1.5.0/24
> to 10.1.0.0/24, and vice versa. But on both rules in acl 101 I can see
> growing hit counts when I am pinging both networks at the same time, even though
> only pings to one network at a time are going into the crypto tunnel and pings
> to the second network are going directly to the internet, where they are rejected
> by the gateway as unreachable. Does anybody have any idea how to fix it?
>
> PIX506 config (VPN part):
>
> access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.0.0 255.255.255.0
> access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.1.0 255.255.255.0
> nat (inside) 0 access-list 101
> sysopt connection permit-ipsec
> crypto ipsec transform-set MYVPN esp-3des esp-md5-hmac
> crypto map MYMAP 1 ipsec-isakmp
> crypto map MYMAP 1 match address 101
> crypto map MYMAP 1 set peer xxx.xxx.xxx.xxx
> crypto map MYMAP 1 set transform-set MYVPN
> crypto map MYMAP interface outside
> isakmp enable outside
> isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
> isakmp policy 1 authentication pre-share
> isakmp policy 1 encryption 3des
> isakmp policy 1 hash md5
> isakmp policy 1 group 1
> isakmp policy 1 lifetime 1000
>
>
> Thanx Rudiik
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/li...rewall-wizards
>
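The suggestion above replaces the two /24 entries in the crypto ACL with a single 10.1.0.0/23 summary and asks for the 501-side ACL to be its exact mirror. The following Python script is an added example written for this thread, not code from either poster: it parses PIX 6.x-style `access-list ... permit ip` lines, checks which flows a given ACL would send into the tunnel, and reports any entry on one peer that has no (dst, src) mirror on the other. The 506 ACLs are taken from the thread; the 501 ACL labelled hypothetical is a constructed example (the thread never shows the 501 config) used only to illustrate what a mirror check reports.

```python
import ipaddress
import re

# Constructed input: the summarized crypto ACLs proposed in the reply above.
# PIX 6.x access-lists use ordinary subnet masks, not IOS-style wildcard masks.
PIX506_SUMMARIZED = """
access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.0.0 255.255.254.0
"""
PIX501_SUMMARIZED = """
access-list 101 permit ip 10.1.0.0 255.255.254.0 10.1.5.0 255.255.255.0
"""
# The two-line ACL from the original PIX506 post, for comparison.
PIX506_ORIGINAL = """
access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.1.0 255.255.255.0
"""
# Hypothetical 501-side ACL (not shown anywhere in the thread) that lists only
# the directly attached LAN; used to show what the mirror check reports.
PIX501_HYPOTHETICAL = """
access-list 101 permit ip 10.1.0.0 255.255.255.0 10.1.5.0 255.255.255.0
"""

# Matches: access-list <name> permit ip <src> <srcmask> <dst> <dstmask>
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def parse_acl(text):
    """Return a list of (src_net, dst_net) IPv4Network pairs from PIX 'permit ip' ACEs."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        src, smask, dst, dmask = m.groups()
        # strict=True rejects a network address that does not sit on the mask
        # boundary, a typo that would otherwise leave part of a subnet untunnelled.
        entries.append((ipaddress.IPv4Network(f"{src}/{smask}", strict=True),
                        ipaddress.IPv4Network(f"{dst}/{dmask}", strict=True)))
    return entries


def is_interesting(acl, src_ip, dst_ip):
    """True when a src->dst packet matches some ACE, i.e. the PIX would encrypt it."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in sn and d in dn for sn, dn in acl)


def mirror_mismatches(local, remote):
    """ACEs on one side whose exact (dst, src) mirror is missing on the other.

    Returns (local_only, remote_only); both empty means the two crypto ACLs
    are symmetric, which is what both peers' proxy identities need to agree on.
    """
    local_set = set(local)
    remote_as_seen_from_local = {(d, s) for s, d in remote}
    local_only = sorted(local_set - remote_as_seen_from_local, key=str)
    remote_only = sorted(remote_as_seen_from_local - local_set, key=str)
    return local_only, remote_only


if __name__ == "__main__":
    acl506 = parse_acl(PIX506_SUMMARIZED)
    acl501 = parse_acl(PIX501_SUMMARIZED)
    # 10.1.0.0/23 covers 10.1.0.0-10.1.1.255, so 10.1.2.x is correctly outside it.
    for dst in ("10.1.0.20", "10.1.1.20", "10.1.2.20"):
        print(f"10.1.5.10 -> {dst}: interesting={is_interesting(acl506, '10.1.5.10', dst)}")
    print("summarized pair mismatches:", mirror_mismatches(acl506, acl501))
    print("original 506 vs hypothetical 501:",
          mirror_mismatches(parse_acl(PIX506_ORIGINAL), parse_acl(PIX501_HYPOTHETICAL)))
```

Run it as a script to see that the summarized pair is symmetric and that the /23 covers both 10.1.0.0/24 and 10.1.1.0/24 but not 10.1.2.0/24. With the hypothetical single-/24 ACL on the 501, the check reports the 10.1.5.0/24 -> 10.1.1.0/24 entry as having no mirror, which is the kind of asymmetry worth ruling out before looking elsewhere.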

