

Site to Site VPN with PIX

Posted on 2006-05-22
Medium Priority
Last Modified: 2010-04-12
I need some assistance with a configuration that is slightly different from what I am used to. Normally when configuring a site to site VPN I will use one access list for no-NAT purposes, such as:

access-list NoNAT permit ip
nat (inside) 0 access-list NoNAT

And another access list for the traffic to permit through the tunnel:

access-list VPNTraffic permit ip
crypto map MAP 10 match address VPNTraffic

This usually works without any problem. I now need to configure the PIX such that only one host on each end is able to communicate through the tunnel. I changed one access list to:

access-list VPNTraffic permit ip host 192.168.0.x host 192.168.10.x

thinking that would suffice, but I cannot ping through the tunnel from 192.168.0.x to 192.168.10.x or vice versa.

Any assistance with configuring what I need to accomplish is appreciated.
Question by:andreacadia
LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 16741763
Did you add this to the NoNAT also?

access-list NoNAT permit ip host  host
access-list VPNTraffic permit ip host  host

Did you do exact mirror acls on the remote site?
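The accepted solution boils down to two checks: the host-to-host pair must appear in the NoNAT ACL as well as in the crypto ACL, and the remote PIX must carry the exact mirror of the local crypto ACL (the crypto ACL defines the proxy identities negotiated in IKE phase 2, so the peer has to offer the swapped pair). The script below is an added example, not part of this thread or of any Cisco tooling; it parses `access-list NAME permit ip` lines in PIX syntax (`host A.B.C.D`, `A.B.C.D MASK`, `any`) and audits a local/remote config pair for both conditions. The configs, the ACL names `NoNAT`/`VPNTraffic`, the hosts 192.168.0.10 and 192.168.10.10 (stand-ins for the question's .x hosts) and the unrelated 10.20.0.0/16 entry are all constructed for the demonstration.

```python
import ipaddress

# --- constructed sample configs (not from the thread) ------------------------
# Broken state: crypto ACL narrowed to one host pair, NoNAT not updated,
# remote side still permits the whole subnets instead of the mirrored hosts.
BROKEN_LOCAL = """
access-list NoNAT permit ip 192.168.0.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list NoNAT
access-list VPNTraffic permit ip host 192.168.0.10 host 192.168.10.10
crypto map MAP 10 match address VPNTraffic
"""
BROKEN_REMOTE = """
access-list NoNAT permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NoNAT
access-list VPNTraffic permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto map MAP 10 match address VPNTraffic
"""
# Fixed state: host pair added to NoNAT, remote ACLs are exact mirrors.
FIXED_LOCAL = BROKEN_LOCAL + "access-list NoNAT permit ip host 192.168.0.10 host 192.168.10.10\n"
FIXED_REMOTE = """
access-list NoNAT permit ip host 192.168.10.10 host 192.168.0.10
nat (inside) 0 access-list NoNAT
access-list VPNTraffic permit ip host 192.168.10.10 host 192.168.0.10
crypto map MAP 10 match address VPNTraffic
"""


def _take_addr(tokens):
    """Consume one PIX address spec from the token list, return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX writes subnets as "address dotted-decimal-mask"
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME permit ip SRC DST' into (name, src_net, dst_net)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "permit" or t[3] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, rest = _take_addr(t[4:])
    dst, _ = _take_addr(rest)
    return t[1], src, dst


def load_acl(config_text, name):
    """Return the (src, dst) pairs of the named ACL from a config blob."""
    aces = (parse_ace(l) for l in config_text.splitlines()
            if l.strip().startswith("access-list"))
    return [(s, d) for n, s, d in aces if n == name]


def uncovered_by_nonat(crypto, nonat):
    """Crypto ACEs whose flows would still be translated before encryption:
    no NoNAT entry covers both their source and destination."""
    return [(s, d) for s, d in crypto
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)]


def is_mirror(local, remote):
    """True when the remote crypto ACL is exactly the local one with src/dst swapped."""
    return {(d, s) for s, d in local} == set(remote)


def audit(local_cfg, remote_cfg, crypto_acl="VPNTraffic", nonat_acl="NoNAT"):
    """Run both checks from the accepted answer against a local/remote config pair."""
    local_crypto = load_acl(local_cfg, crypto_acl)
    return {
        "nonat_gaps": uncovered_by_nonat(local_crypto, load_acl(local_cfg, nonat_acl)),
        "mirrored": is_mirror(local_crypto, load_acl(remote_cfg, crypto_acl)),
    }


if __name__ == "__main__":
    for label, loc, rem in (("broken", BROKEN_LOCAL, BROKEN_REMOTE),
                            ("fixed", FIXED_LOCAL, FIXED_REMOTE)):
        r = audit(loc, rem)
        print(f"{label}: mirrored={r['mirrored']} nonat_gaps={r['nonat_gaps']}")
```

Run it against your own configs by pasting each PIX's `show running-config` output into the two strings; any pair listed under `nonat_gaps` needs a matching `access-list NoNAT` line, and `mirrored=False` means the remote crypto ACL does not match the local one with source and destination swapped.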
LVL 79

Expert Comment

ID: 16764881
ping . . .

Author Comment

ID: 16765615
Changing the NoNAT access list and mirroring the access list on the other side seems to have worked. Why do the access lists have to be identical on both sides? Even if you permitted the entire subnet, the source IP allowed on the other end is the only host that will communicate.
LVL 79

Expert Comment

ID: 16765647
>Why do the access lists have to be identical on both sides?
They just do. . .
Glad you're working!
