

PIX 501 Site to Site VPN

Posted on 2005-03-16
Medium Priority
Last Modified: 2013-11-16
I posted a question regarding site-to-site VPN in a test lab.

We have now gone live but we cannot see the other end of the VPN.

We are on 192.168.3.x and the remote site is on 192.168.1.x. The VPN tunnel is created and when we type

show cry is sa

Total     : 1
Embryonic : 0
        dst               src        state     pending     created
    x.x.x.25    QM_IDLE         0           1

We have plugged the PIX into a Netgear ADSL Router and set the PIX as the DMZ. We get Internet connectivity and everything. The Netgear has a public WAN address and then has a private LAN address, and the outside of the PIX is a private address.
Please help..
Question by:Flexology

Accepted Solution

jjoseph_x earned 2000 total points
ID: 13557831
Just to check:

On both ends, the client machines can ping their respective local PIXes?

What are their default gateways?  On both sides, that ought to be the PIXes (unless you have set up routes).

Author Comment

ID: 13557931
Both can ping the inside and outside address of the PIX and the gateway address. The current routes are
outside 1 DHCP static
inside 1 CONNECT static
outside 1 CONNECT static

on the PIX that is inside & outside connected to an ADSL router with an inside of and an outside of x.x.x116

Expert Comment

ID: 13558385
Actually, I meant to ask whether the PIXes are the default gateways for the client computers.

Author Comment

ID: 13558421
Yes, they have.

Author Comment

ID: 13558594
I think it's a routing problem and I need to put a route from to but when I try and do it, it says route already exists. The outside of the PIX is DHCP from the Netgear ADSL Router.

Expert Comment

ID: 13558597
Your configuration looks okay (I looked at the previous question).

I think that the problem might be the route outside statement (outside 1 CONNECT static).

In your case, if the PIXes are the default gateways then you only need the outside statement.

Author Comment

ID: 13558961
I haven't put any statements in, so this one was created automatically. Shall I just do...

no outside 1 CONNECT static

Expert Comment

ID: 13559524
These PIXes are behind ADSL routers, right? And they have private addresses, which means that they are not visible on the net. Is the ADSL box NATing the PIX outside address?

If so, then you will need to set the tunnel endpoints as the outside ADSL address; otherwise, how are these boxes going to route to each other? The ADSL box will send your 192.168.x.x outbound, but where do you think the Internet first hop is going to send it?



Author Comment

ID: 13559658
Yes, it's NATing the PIX address. The endpoints are set up as the public IP address, e.g. the WAN side of the ADSL router.

Author Comment

ID: 13559672
The PIX has an IP of on the inside and on the outside, which is DHCP. The ADSL router LAN is and the WAN is 212.x.x.x as a public IP.

Expert Comment

ID: 13559748
Cool, sorry, just thought I would ask that question.

I am not sure though if it will work, as you are NATing the packets as they go out. This would modify the packet, and hence it would be dropped at the other end as the packet has been tampered with.

Check out this link, it explains a way round it (NAT Transparency), though this is for IOS VPN:


There is probably a resolution for PIX 501s.



PS apologies if this has already been covered!

Author Comment

ID: 13563003
When I do a route, do I need to put in the outside of the PIX or do I need to put the WAN side of the router?

PIX is inside and outside
The ADSL Router is LAN & WAN 212.x.x.x

I've put in these routes

        outside 1 DHCP static
        outside 0 OTHER static
        outside 1 OTHER static
        inside 1 CONNECT static
        outside 1 CONNECT static

but still I can't ping (a server), though the VPN tunnel creates itself.

Author Comment

ID: 13563087
Is it better if I disable NAT on the ADSL router and get a public IP for the PIX?

Expert Comment

ID: 13563614
Hi There,

In terms of your routes, these seem a little odd. Surely your ADSL address should be on the same subnet as your PIX outside address? The routes look fine though (sorry).

In terms of NAT, yep, if you put the public address on the ADSL router and get the router to be transparent (this is what I have at home: I have an ADSL modem (NOT router), and it does nothing in terms of IP, it just pumps packets out on to the ADSL network), then it will probably all come up. If it was working in a lab environment then you should be able to change outside IPs, change the tunnel endpoints and away you go!

However, you say the tunnel is up? If this is the case, don't try ping as it is blocked by default; try telnet or something else that is permitted.



PS If you post your configs and a little diagram I am sure that would help us all out!!

Author Comment

ID: 13563686
My PIX inside address is and its outside address is . The PIX outside interface is connected to an ADSL router which has a LAN IP of and the WAN IP is a public address. We are trying to connect our head office, which has a PIX also. That inside address is and its outside address is a public WAN IP. Since I last posted we've tried a few things and these are the routes on my PIX.

So here, to get to the "Internet" it goes through the following interfaces: (PIX Inside) (PIX Outside) (ADSL LAN)
212.x.x.x (ADSL WAN)

In theory, to get to our head office it should (with the VPN up) go through..

which I think should be solved by

outside 1 OTHER static at our end

outside 1 OTHER static at the headoffice end

These are the route statements on our PIX

outside 1 DHCP static
outside 1 OTHER static
inside 1 CONNECT static
outside 1 CONNECT static

And these are the routes on the Head Office PIX

outside 1 OTHER static
outside 62.x.x.24 62.x.x.26 1 CONNECT static
inside 1 OTHER static
inside 1 CONNECT static
outside 1 OTHER static
outside 1 OTHER static

Author Comment

ID: 13563718
Our PIX Config

show config
: Saved
: Written by enable_15 at 10:01:51.483 UTC Thu Mar 17 2005
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname our-office
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside_outbound_nat0_acl permit ip any
access-list inside_outbound_nat0_acl permit ip
access-list outside_cryptomap_20 permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-POOL
pdm location outside
pdm location outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 62.x.x.x
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 62.x.x.x netmask no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local VPN-POOL
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xxxx.Remote password *****
vpdn enable outside
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80



Author Comment

ID: 13565337
If I do show cry is sa, it says the source IP is , which is the outside of the PIX here, and its destination is the outside PIX at the head office.

So does the VPN initiate and terminate on the outside interface, and therefore what is the next hop gateway?

Is it the inside of the remote site or the outside of the remote site?

e.g to route between our network here and the head office network
route outside  ( is the inside of the remote pix)
route outside x.x.x.x  (x.x.x.x is the outside of the remote pix)


Author Comment

ID: 13572955
OK. We have public IPs for the PIXes and have disabled NAT on the router. Just to clarify the routing statements:

To connect to the head office ( from our office we do

route outside x.x.x.x 1 (x.x.x.x is our outside address on our pix - public IP)

To connect to the our office ( from the head office we do

route outside y.y.y.y 1 (y.y.y.y is their outside address on the pix - public IP)

I'm confused about the next hop. With the tunnel up, surely the next hop is their local LAN, and should the route statement be route inside 1 ( is their inside interface PIX)
route inside 1 ( is our inside interface PIX)

Author Comment

ID: 13616940
The gateway was wrong. D'oh
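The two points the thread circles around are which next hop a route to the head-office LAN should use, and whether a tunnel can terminate on a PIX outside address that sits behind a NATing ADSL router. The checker below is an added example, not code from the thread or from Cisco; it parses the handful of PIX 6.x config lines that matter here and flags (1) a static route whose next hop is not on the subnet of the interface it names (the "wrong gateway" that closed the thread), (2) a crypto map peer that is an RFC 1918 address, and (3) interesting-traffic entries in the crypto map ACL that the nat 0 ACL does not cover, which would leave that traffic PATed by `nat (inside) 1` before it reaches the tunnel. Both config fragments are constructed: the ACL and crypto map names copy the posted config's naming, the 192.168.0.0/24 "ADSL LAN", the 192.168.2.0/24 second head-office subnet, and the 198.51.100.0/30 and 203.0.113.9 public addresses are placeholders.

```python
"""Sanity checks for a PIX 6.x site-to-site VPN config (added example, not from the thread)."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed branch-office fragment mirroring the thread's starting point: the PIX outside
# sits on the ADSL router's private LAN, the peer is that router, and the route to the
# head-office LAN points at the remote PIX's inside address (unreachable from here).
# 192.168.2.0/24 is a constructed extra head-office subnet missing from the nat 0 ACL.
BRANCH_BEFORE = """\
ip address outside 192.168.0.2 255.255.255.0
ip address inside 192.168.3.1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.168.0.1
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route outside 192.168.1.0 255.255.255.0 192.168.1.1 1
"""

# Same site after the fix the thread arrived at: public IP on the PIX outside, NAT off on the
# router, default route via the ISP gateway, peer set to the head office's public address.
# 198.51.100.0/30 and 203.0.113.9 are documentation placeholders, not real endpoints.
BRANCH_AFTER = """\
ip address outside 198.51.100.2 255.255.255.252
ip address inside 192.168.3.1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.9
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
"""


def _acl_operand(tokens, i):
    """Consume one ACL address operand (any | host A | A MASK); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_pix_config(text):
    """Pull out the interfaces, ACLs, nat 0 binding, static routes and crypto peers we need."""
    cfg = {"interfaces": {}, "acls": {}, "nat0_acl": None, "routes": [], "peers": [], "crypto_acls": []}
    for raw in text.splitlines():
        t = raw.split()
        if not t or raw.startswith(":"):
            continue
        # "ip address outside dhcp setroute" carries no static address, so it is skipped
        if t[:2] == ["ip", "address"] and len(t) >= 5 and t[3] != "dhcp":
            cfg["interfaces"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "access-list" and len(t) >= 5 and t[2:4] == ["permit", "ip"]:
            src, i = _acl_operand(t, 4)
            dst, _ = _acl_operand(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0_acl"] = t[4]
        elif t[0] == "route" and len(t) >= 5:
            dest = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            cfg["routes"].append((t[1], dest, ipaddress.ip_address(t[4])))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            cfg["peers"].append(ipaddress.ip_address(t[6]))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cfg["crypto_acls"].append(t[6])
    return cfg


def check_vpn_routing(cfg):
    """Return human-readable findings; an empty list means all three checks passed."""
    findings = []
    # 1. A static route's next hop must be reachable on the interface the route names.
    for iface, dest, gw in cfg["routes"]:
        local = cfg["interfaces"].get(iface)
        if local is not None and gw not in local.network:
            findings.append(f"route {iface} {dest} via {gw}: next hop is not on the {iface} subnet "
                            f"{local.network}; use the gateway reachable on that interface")
    # 2. A tunnel across the Internet has to terminate on the remote site's public endpoint.
    for peer in cfg["peers"]:
        if any(peer in n for n in RFC1918):
            findings.append(f"crypto peer {peer} is an RFC 1918 address; the peer should be the "
                            f"remote site's public endpoint, not an address behind a NATing router")
    # 3. Every crypto ACL entry must be covered by a nat 0 entry, or it is PATed before encryption.
    nat0 = cfg["acls"].get(cfg["nat0_acl"], [])
    for name in cfg["crypto_acls"]:
        for src, dst in cfg["acls"].get(name, []):
            if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nat0):
                findings.append(f"crypto ACL {name} entry {src} -> {dst} has no nat 0 counterpart; "
                                f"that traffic would be PATed before it reaches the tunnel")
    return findings


def audit(text):
    """Parse a config fragment and run the checks in one call."""
    return check_vpn_routing(parse_pix_config(text))


if __name__ == "__main__":
    for label, cfg_text in (("before", BRANCH_BEFORE), ("after", BRANCH_AFTER)):
        print(f"== {label} ==")
        for finding in audit(cfg_text) or ["no findings"]:
            print(" -", finding)
```

Run as-is it reports three findings for the "before" fragment and none for the "after" one. Note that with `ip address outside dhcp setroute`, as in the posted config, the default route already points at the upstream router on the outside subnet, and no separate route for the remote LAN is needed: the crypto map ACL, not the routing table, decides which outbound packets are encrypted, and the only routing requirement is that they leave via the outside interface.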
