
[nsp] Problems with pix-originated traffic across a VPN
Hi there.

I have a PIX 515 running 6.1(2) that terminates one end of a lan-to-lan
VPN connection that traverses the outside network. My problem is that
I can't seem to get traffic sourced from the PIX to go across the VPN
- specifically, I'm trying to log to a machine on the far side of the
VPN. Traffic that is not sourced by the PIX goes across the VPN
without a hitch. The far end machines are able to see all of the
inside network except for the PIX itself.

I have included the inside address of the PIX in the access lists
applied to "nat (inside) 0" and to the "crypto map" matching list.
The logging statement lists the far-end address and points it to the
inside interface - "logging host inside 10.x.x.x"

I've poked around on CCO and it looks like this should work, but it
doesn't. So I assume I'm missing something but I have no idea what.

Suggestions?

Thanks!
--regis
Re: [nsp] Problems with pix-originated traffic across a VPN
Regis,

I have not done it myself yet, but have pointed people to this. http://www.cisco.com/warp/public/110/pix_vpn_4094.html Double check your config against that and then let us know the status/outcome. Thanks.

Kenny Long
Re: [nsp] Problems with pix-originated traffic across a VPN
Hello...


Regis M. Donovan wrote:
> Hi there.
>
> I have a PIX 515 running 6.1(2) that terminates one end of a lan-to-lan
> VPN connection that traverses the outside network. My problem is that
> I can't seem to get traffic sourced from the PIX to go across the VPN
> - specifically, I'm trying to log to a machine on the far side of the
> VPN. Traffic that is not sourced by the PIX goes across the VPN
> without a hitch. The far end machines are able to see all of the
> inside network except for the PIX itself.
>
> I have included the inside address of the PIX in the access lists
> applied to "nat (inside) 0" and to the "crypto map" matching list.
> The logging statement lists the far-end address and points it to the
> inside interface - "logging host inside 10.x.x.x"
>
> I've poked around on CCO and it looks like this should work, but it
> doesn't. So I assume I'm missing something but I have no idea what.
>
> Suggestions?

I remember hearing about that. The problem is (inside)PIX <->
PIX(inside) traffic, right? IIRC, the solution was adding a static host
route on both sides from inside.ip <-> ip.inside. I _think_ this is in
CCO somewhere.

>
> Thanks!
> --regis
> _______________________________________________
> cisco-nsp mailing list
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
Christopher McCrory
"The guy that keeps the servers running"

chrismcc@pricegrabber.com
http://www.pricegrabber.com

Let's face it, there's no Hollow Earth, no robots, and
no 'mute rays.' And even if there were, waxed paper is
no defense. I tried it. Only tinfoil works.
Re: [nsp] Problems with pix-originated traffic across a VPN
On Sun, Sep 01, 2002 at 06:42:20PM -0600, Kenny Long wrote:
> I have not done it myself yet, but have pointed people to this.
> http://www.cisco.com/warp/public/110/pix_vpn_4094.html Double check
> your config against that and then let us know the status/outcome.
> Thanks.

aha! that definitely addressed the problem i was trying to solve.
setting the monitoring traffic to originate from the outside address
and tweaking the ACLs appropriately did the right thing.

thanks!

--regis
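
[Editor's note] The fix Regis describes above, written out as a PIX 6.x configuration fragment. This is an added illustration, not the original poster's configuration and not taken from the Cisco page linked in the thread. All addresses, the ACL names "nonat" and "vpn", the crypto map name "vpnmap" and the transform set "strong" are assumed for the example; the point it shows is that traffic the PIX originates leaves with the address of the interface it exits, so the outside interface address (not the inside one) has to match the crypto ACL, and the syslog host has to be reached via the outside interface.

```text
! Added example, not from the thread. Assumed addresses:
!   inside LAN        192.168.1.0/24   (PIX inside interface 192.168.1.1)
!   PIX outside       203.0.113.2
!   remote LAN        10.1.1.0/24      (syslog host 10.1.1.50)
!   remote VPN peer   198.51.100.1

! LAN-to-LAN traffic: exempt from NAT and selected for IPsec, as the poster already had it
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat

access-list vpn permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
! PIX-originated traffic is sourced from the outside interface address, so that
! host must also be selected by the crypto ACL or the syslog packets bypass the tunnel
access-list vpn permit ip host 203.0.113.2 10.1.1.0 255.255.255.0

crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn
crypto map vpnmap 10 set peer 198.51.100.1
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

! Send syslog via the outside interface instead of the inside one
no logging host inside 10.1.1.50
logging host outside 10.1.1.50
```

Two things to check after applying this. First, the remote peer's crypto ACL needs the mirror-image entry (10.1.1.0/24 to host 203.0.113.2); without it the proxy identities will not match and the extra IPsec SA will not come up. Second, confirm with `show crypto ipsec sa` that a separate SA exists for the 203.0.113.2 <-> 10.1.1.0/24 pair and that its encrypt counters increase when the PIX logs; if the syslog host sees messages but no such SA exists, the UDP syslog is leaving in the clear, which is exactly the exposure this configuration is meant to avoid.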