[nsp] Problems with pix-originated traffic across a VPN

Christopher McCrory cisco-nsp@puck.nether.net
Sun, 01 Sep 2002 19:15:11 -0700


Hello...


Regis M. Donovan wrote:
> Hi there.
> 
> I have a PIX 515 running 6.1(2) that terminates one end of a lan-to-lan
> VPN connection that traverses the outside network.  My problem is that
> I can't seem to get traffic sourced from the PIX to go across the VPN
> - specifically, I'm trying to log to a machine on the far side of the
> VPN.  Traffic that is not sourced by the PIX goes across the VPN
> without a hitch.  The far end machines are able to see all of the
> inside network except for the PIX itself.
> 
> I have included the inside address of the PIX in the access lists
> applied to "nat (inside) 0" and to the "crypto map" matching list.
> The logging statement lists the far-end address and points it to the
> inside interface - "logging host inside 10.x.x.x"
> 
> I've poked around on CCO and it looks like this should work, but it
> doesn't.  So I assume I'm missing something but I have no idea what.
> 
> Suggestions?

I remember hearing about that.  The problem is (inside)PIX <-> 
PIX(inside) traffic right?  IIRC, the solution was adding a static host 
route on both sides from inside.ip <-> ip.inside.  I _think_ this is in 
CCO somewhere.

> 
> Thanks!
> --regis
-- 
Christopher McCrory
  "The guy that keeps the servers running"

chrismcc@pricegrabber.com
  http://www.pricegrabber.com

Let's face it, there's no Hollow Earth, no robots, and
no 'mute rays.' And even if there were, waxed paper is
no defense.  I tried it.  Only tinfoil works.