[nsp] Problems with pix-originated traffic across a VPN
Christopher McCrory
cisco-nsp@puck.nether.net
Sun, 01 Sep 2002 19:15:11 -0700
Hello...
Regis M. Donovan wrote:
> Hi there.
>
> I have a PIX 515 running 6.1(2) that terminates one end of a lan-to-lan
> VPN connection that traverses the outside network. My problem is that
> I can't seem to get traffic sourced from the PIX to go across the VPN
> - specifically, I'm trying to log to a machine on the far side of the
> VPN. Traffic that is not sourced by the PIX goes across the VPN
> without a hitch. The far end machines are able to see all of the
> inside network except for the PIX itself.
>
> I have included the inside address of the PIX in the access lists
> applied to "nat (inside) 0" and to the "crypto map" matching list.
> The logging statement lists the far-end address and points it to the
> inside interface - "logging host inside 10.x.x.x"
>
> I've poked around on CCO and it looks like this should work, but it
> doesn't. So I assume I'm missing something but I have no idea what.
>
> Suggestions?
I remember hearing about that. The problem is (inside)PIX <->
PIX(inside) traffic, right? IIRC, the solution was adding a static host
route on both sides from inside.ip <-> ip.inside. I _think_ this is on
CCO somewhere.
>
> Thanks!
> --regis
--
Christopher McCrory
"The guy that keeps the servers running"
chrismcc@pricegrabber.com
http://www.pricegrabber.com
Let's face it, there's no Hollow Earth, no robots, and
no 'mute rays.' And even if there were, waxed paper is
no defense. I tried it. Only tinfoil works.