Site to Site VPN with PIX

I need some assistance with a configuration that is slightly different from what I am used to. Normally when configuring a site-to-site VPN I will use 1 access list for non-NATing purposes such as:

access-list NoNAT permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NoNAT

And another access list for the traffic to permit through the tunnel:

access-list VPNTraffic permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map MAP 10 match address VPNTraffic

This usually works without any problem. I now need to configure the PIX such that only 1 host on each end is able to communicate through the tunnel. I changed one access list to:

access-list VPNTraffic permit ip host 192.168.0.x host 192.168.10.x

thinking that would suffice, but I cannot ping through the tunnel from 192.168.0.x to 192.168.10.x or vice versa.

Any assistance with configuring what I need to accomplish is appreciated.
andreacadia asked:

lrmoore commented:
Did you add this to the NoNAT also?

access-list NoNAT permit ip host 192.168.0.10  host 192.168.10.10
access-list VPNTraffic permit ip host 192.168.0.10  host 192.168.10.10

Did you do exact mirror acls on the remote site?

lrmoore commented:
ping . . .

andreacadia (author) commented:
Changing the NoNAT access list and mirroring the access list on the other side seems to have worked. Why do the access lists have to be identical on both sides? Even if you permitted the entire subnet, the source IP allowed on the other end is the only host that will communicate.

lrmoore commented:
>Why do the access lists have to be identical on both sides?
They just do. . .
Glad you're working!
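The reason the two crypto ACLs have to mirror each other is that the `match address` ACL defines the IPsec phase-2 proxy identities each PIX proposes; if the peer's proposal is not the exact reverse, quick mode fails and nothing crosses the tunnel. The NoNAT ACL matters for the same traffic because translation happens before the crypto map sees the packet. The following lint script is an added example, not part of the thread or any Cisco tool: it parses PIX 6.x `access-list ... permit ip` entries from two constructed config snippets (the ACL names `NoNAT`, `VPNTraffic` come from the thread; the hosts `192.168.0.10` and `192.168.10.10` are stand-ins for the asker's `.x` addresses) and reports a remote ACL that is not a mirror, or a crypto entry that the local NoNAT ACL does not cover.

```python
import ipaddress
import re
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network
Pair = Tuple[IPv4Net, IPv4Net]

# PIX 6.x "permit ip" entry: source and destination are each written as
# "host A.B.C.D" or "A.B.C.D MASK" (a real netmask, not an IOS wildcard).
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+)\s+(?P<dst>host\s+\S+|\S+\s+\S+)$"
)

def _to_net(token: str) -> IPv4Net:
    """'host 192.168.0.10' -> 192.168.0.10/32; '192.168.0.0 255.255.255.0' -> /24."""
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    return ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)

def parse_acl(config: str, name: str) -> List[Pair]:
    """Collect the (src, dst) pairs of every 'permit ip' entry of ACL `name`."""
    pairs = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("name") == name:
            pairs.append((_to_net(m.group("src")), _to_net(m.group("dst"))))
    return pairs

def is_mirror(local: List[Pair], remote: List[Pair]) -> bool:
    """Crypto ACL entries are the phase-2 proxy identities: the peer must hold
    exactly the reversed pairs, nothing broader and nothing missing."""
    return set(local) == {(dst, src) for src, dst in remote}

def nonat_uncovered(crypto: List[Pair], nonat: List[Pair]) -> List[Pair]:
    """Crypto entries that no NoNAT entry covers; that traffic would be
    translated first and never match the tunnel ACL."""
    return [
        (s, d) for s, d in crypto
        if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)
    ]

def check_sites(cfg_a: str, cfg_b: str,
                crypto_acl: str = "VPNTraffic", nonat_acl: str = "NoNAT") -> List[str]:
    """Lint both sides; an empty list means the ACLs are consistent."""
    problems = []
    a_crypto, b_crypto = parse_acl(cfg_a, crypto_acl), parse_acl(cfg_b, crypto_acl)
    if not is_mirror(a_crypto, b_crypto):
        problems.append(f"{crypto_acl}: remote side is not a mirror of the local side")
    for site, cfg, crypto in (("A", cfg_a, a_crypto), ("B", cfg_b, b_crypto)):
        for s, d in nonat_uncovered(crypto, parse_acl(cfg, nonat_acl)):
            problems.append(f"site {site}: {nonat_acl} does not cover {s} -> {d}")
    return problems

# Constructed sample configs (not from the thread); the .10 hosts are stand-ins.
SITE_A = """
access-list NoNAT permit ip host 192.168.0.10 host 192.168.10.10
nat (inside) 0 access-list NoNAT
access-list VPNTraffic permit ip host 192.168.0.10 host 192.168.10.10
crypto map MAP 10 match address VPNTraffic
"""
SITE_B_MIRRORED = """
access-list NoNAT permit ip host 192.168.10.10 host 192.168.0.10
nat (inside) 0 access-list NoNAT
access-list VPNTraffic permit ip host 192.168.10.10 host 192.168.0.10
crypto map MAP 10 match address VPNTraffic
"""
# Remote side still carries the old subnet-wide entry: not a mirror of SITE_A.
SITE_B_SUBNET = """
access-list NoNAT permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NoNAT
access-list VPNTraffic permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto map MAP 10 match address VPNTraffic
"""

if __name__ == "__main__":
    for label, cfg_b in (("mirrored", SITE_B_MIRRORED), ("subnet-wide", SITE_B_SUBNET)):
        print(label, check_sites(SITE_A, cfg_b) or "OK")
```

Feeding it the real `show running-config` output of both firewalls before bringing the tunnel up catches the two mistakes in this thread (a non-mirrored crypto ACL and a NoNAT ACL that does not cover the crypto ACL) without touching either box. The NoNAT check accepts a broader entry (a subnet-wide NoNAT still covers a host pair) because that is all the PIX needs to skip translation.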