Hello Petr.

I was checking your config, but you only specified it from one end-point.
As you know, you should have another access-list in the other pix
(PIX501) like this:
access-list XX permit ip 10.1.0.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list XX permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0

It would be helpful if you can attach the pix 501 config (vpn related)

Regards.

Petr Vyhnal wrote:

> Hi all,
>
> I have a strange problem. I have two PIXes (501 and 506E) with a VPN
> tunnel. The LAN structure is like this:
>
> LAN1 (10.1.5.0/24) - PIX506 (inside 10.1.5.254) - Inet (VPN) - PIX501
> (inside 10.1.0.254/24) - LAN2 (10.1.0.0/24) - Linux router (nonat,
> 10.1.0.1 on PIX's side iface and 10.1.1.254 on LAN3 side iface) - LAN3
> (10.1.1.0/24)
>
> The crypto tunnel is working, but only for one network at the moment. So
> if ping works from 10.1.5.0/24 to 10.1.1.0/24, I can't ping from
> 10.1.5.0/24 to 10.1.0.0/24, and vice versa. But on both rules in ACL
> 101 I can see growing hit counts when I ping both networks at the same
> time, even though only pings to one network at the moment are going into
> the crypto tunnel; pings to the second network go directly to the
> internet and are rejected by the gateway as unreachable. Does anybody
> have any idea how to fix it?
>
> PIX506 config (VPN part):
>
> access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.0.0 255.255.255.0
> access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.1.0 255.255.255.0
> nat (inside) 0 access-list 101
> sysopt connection permit-ipsec
> crypto ipsec transform-set MYVPN esp-3des esp-md5-hmac
> crypto map MYMAP 1 ipsec-isakmp
> crypto map MYMAP 1 match address 101
> crypto map MYMAP 1 set peer xxx.xxx.xxx.xxx
> crypto map MYMAP 1 set transform-set MYVPN
> crypto map MYMAP interface outside
> isakmp enable outside
> isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
> isakmp policy 1 authentication pre-share
> isakmp policy 1 encryption 3des
> isakmp policy 1 hash md5
> isakmp policy 1 group 1
> isakmp policy 1 lifetime 1000
>
>
> Thanx Rudiik
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/li...rewall-wizards
>

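The reply above points at the usual cause of a "one subnet works, the other does not" IPsec tunnel: the crypto ACL on the peer must be the exact mirror of the local one. The following script is an added example, not code from either poster, that parses PIX 6.x `access-list ... permit ip` lines from both ends, computes the mirror, and prints the entries each side is still missing. The PIX501 ACL below is a constructed, deliberately incomplete example; the PIX506 ACL is the one posted in the thread.

```python
import ipaddress
import re

# PIX 6.x crypto / nat 0 ACL entry: access-list <name> permit ip <src> <mask> <dst> <mask>
# (subnet entries only; the "host" and "any" keywords are not handled here)
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

def parse_acl(text):
    """Return the set of (src_net, dst_net) pairs permitted by the ACL text."""
    pairs = set()
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            _, src, smask, dst, dmask = m.groups()
            # PIX masks are real netmasks (not IOS wildcards); ipaddress accepts "addr/mask"
            pairs.add((ipaddress.ip_network(f"{src}/{smask}", strict=False),
                       ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
    return pairs

def mirror(pairs):
    """The entries the peer must carry: the same pairs with source and destination swapped."""
    return {(dst, src) for src, dst in pairs}

def check_mirror(local_acl, remote_acl):
    """Return (entries missing on the remote side, entries missing on the local side)."""
    local, remote = parse_acl(local_acl), parse_acl(remote_acl)
    return sorted(mirror(local) - remote), sorted(mirror(remote) - local)

def to_pix(name, pairs):
    """Render pairs back into PIX access-list lines that can be pasted on the peer."""
    return [f"access-list {name} permit ip {s.network_address} {s.netmask} "
            f"{d.network_address} {d.netmask}" for s, d in pairs]

# PIX506 side, copied from the config posted in the thread
PIX506_ACL = """
access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.1.0 255.255.255.0
"""
# PIX501 side: constructed example of an incomplete mirror (only LAN2 is listed)
PIX501_ACL = """
access-list 101 permit ip 10.1.0.0 255.255.255.0 10.1.5.0 255.255.255.0
"""

if __name__ == "__main__":
    need_on_501, need_on_506 = check_mirror(PIX506_ACL, PIX501_ACL)
    print("add on PIX501:", *to_pix("101", need_on_501), sep="\n  ")
    print("add on PIX506:", *to_pix("101", need_on_506), sep="\n  ")
```

A pair that is missing on one side matches the symptom described: traffic for that subnet is not classified as interesting by the peer, so it never enters the tunnel even though the local ACL hit counters keep increasing.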