Easy VPN between PIX's

We have two offices. Head office has IP subnet, remote office has IP subnet. There is another subnet (IP phone subnet) in head office -
We cannot get access to the telephone subnet from the remote office to the head office IP phone subnet. In other words we cannot do ping from

What is wrong?

This is the PIX configuration of the head office:

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100

access-list Outside-In permit tcp host ч.ч.ч.ч interface outside eq 2222
access-list Outside-In permit tcp any interface outside eq www
access-list Outside-In permit tcp any interface outside eq https
access-list Outside-In permit tcp any host x.x.x.x eq www

access-list Non-Nat permit ip
access-list Non-Nat permit ip
access-list Non-Nat permit ip
access-list Non-Nat permit ip
access-list Non-Nat permit ip
access-list Non-Nat permit ip
access-list Non-Nat permit ip
access-list Non-Nat permit ip
access-list Non-Nat permit ip
access-list Split-Tun permit ip
access-list Split-Tun3 permit ip
access-list Split-Tun4 permit ip
access-list Split-Tun4 permit ip
access-list Split-Tun4 permit ip
access-list Split-Tun6 permit ip
access-list Split-Tun6 permit ip
access-list Split-Tun6 permit ip
pager lines 24
logging on
logging history critical

ip audit attack action alarm
ip local pool IP-Pool1
ip local pool IP-Pool3
ip local pool IP-Pool4
ip local pool IP-Pool5
ip local pool IP-Pool6

arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list Non-Nat
nat (inside) 1 0 0
nat (inside) 1 0 0

access-group Outside-In in interface outside
route outside y.y.y.y 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server MS-IAS protocol radius
aaa-server MS-IAS (inside) host radiusauth timeout 10
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http inside
http inside
http inside
snmp-server location ottawa
snmp-server contact Silvan
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set Trans-1 esp-3des esp-sha-hmac
crypto dynamic-map CovConn-Dyno 10 set transform-set Trans-1
crypto map CovConn-VPN 10 ipsec-isakmp dynamic CovConn-Dyno
crypto map CovConn-VPN client authentication MS-IAS
crypto map CovConn-VPN interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup CovConn-Group1 address-pool IP-Pool1
vpngroup CovConn-Group1 dns-server
vpngroup CovConn-Group1 default-domain ccinc.local
vpngroup CovConn-Group1 idle-time 1800
vpngroup CovConn-Group1 password ********
vpngroup CovConn-Group2 address-pool IP-Pool4
vpngroup CovConn-Group2 dns-server
vpngroup CovConn-Group2 default-domain ccinc.local
vpngroup CovConn-Group2 split-tunnel Split-Tun
vpngroup CovConn-Group2 idle-time 1800
vpngroup CovConn-Group2 password ********
vpngroup CovConn-Group3 dns-server
vpngroup CovConn-Group3 default-domain ccinc.local
vpngroup CovConn-Group3 split-tunnel Split-Tun3
vpngroup CovConn-Group3 idle-time 1800
vpngroup CovConn-Group3 password ********
vpngroup CovConn-Group4 address-pool IP-Pool3
vpngroup CovConn-Group4 dns-server
vpngroup CovConn-Group4 default-domain ccinc.local
vpngroup CovConn-Group4 split-tunnel Split-Tun4
vpngroup CovConn-Group4 idle-time 1800
vpngroup CovConn-Group4 password ********
vpngroup CovConn-Group6 address-pool IP-Pool6
vpngroup CovConn-Group6 dns-server
vpngroup CovConn-Group6 default-domain ccinc.local
vpngroup CovConn-Group6 split-tunnel Split-Tun6
vpngroup CovConn-Group6 idle-time 1800
vpngroup CovConn-Group6 password ********
vpngroup CovConn-Group5 address-pool IP-Pool5
vpngroup CovConn-Group5 dns-server
vpngroup CovConn-Group5 default-domain ccinc.local
vpngroup CovConn-Group5 split-tunnel Split-Tun4
vpngroup CovConn-Group5 idle-time 1800
vpngroup CovConn-Group5 password ********
telnet inside
telnet timeout 5
ssh outside
ssh inside
ssh timeout 15
console timeout 0

It seems there is something wrong with access-list Non-Nat.
Maybe I need to remove this command
nat (inside) 1 0 0
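The condition the post describes (a hub subnet missing from the nat 0 exemption ACL or from the vpngroup's split-tunnel ACL) can be checked mechanically against the config. This is an added example, not code from the original post; the subnets 10.1.1.0/24, 10.1.5.0/24 and 10.2.1.0/24 and the config lines are constructed placeholders standing in for the addresses stripped from the post.

```python
# Added example, not code from the original Tek-Tips post. It checks a PIX 6.3
# style config for the two entries an Easy VPN path needs: the hub's
# "nat (inside) 0 access-list" exemption (so traffic to the remote site is not
# PATed out by "nat (inside) 1 0 0") and a vpngroup split-tunnel ACL entry.
# All subnets and config lines below are constructed placeholders.
import ipaddress
import re
def _net(tokens):
    """Consume one PIX ACL address spec (any | host A | A MASK) from tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
            continue
        rest = tok[4:]
        acls.setdefault(tok[1], []).append((_net(rest), _net(rest)))  # src, then dst
    return acls

def covers(entries, src, dst):
    """True if some entry's source covers src and its destination covers dst."""
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def check_vpn_path(config, split_acl, hub_subnet, remote_subnet):
    """Is hub_subnet -> remote_subnet both NAT-exempt and in the split-tunnel ACL?"""
    acls = parse_acls(config)
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    exempt = acls.get(m.group(1), []) if m else []
    return {"nat_exempt": covers(exempt, hub_subnet, remote_subnet),
            "split_tunnel": covers(acls.get(split_acl, []), hub_subnet, remote_subnet)}

# Constructed hub config: 10.1.1.0/24 head-office data, 10.1.5.0/24 IP phones,
# 10.2.1.0/24 remote office. Only the data subnet is listed in either ACL.
HUB_CONFIG = """\
access-list Non-Nat permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list Split-Tun4 permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list Non-Nat
nat (inside) 1 0 0
"""
# Adding the phone subnet to both ACLs makes the check pass; nat 1 can stay.
FIXED_CONFIG = HUB_CONFIG + """\
access-list Non-Nat permit ip 10.1.5.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list Split-Tun4 permit ip 10.1.5.0 255.255.255.0 any
"""
```

Run `check_vpn_path` with the head-office config, the split-tunnel ACL of the remote office's vpngroup, the IP phone subnet and the remote subnet; a False value names the ACL that is missing an entry, which is the usual reason nat 0 exemption "does not work" while removing nat 1 would only take Internet access away from inside hosts.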

