Re: Pix 501 to Pix 501 VPN Issue

From: Walter Roberson <roberson@ibd.nrc-cnrc.gc.ca>
Date: Thu Dec 29 2005 - 19:07:59 CET

In article <1135793185.124920.42400@g44g2000cwa.googlegroups.com>,
 <jamesdeva@yahoo.com> wrote:
:I have a strange question. We are trying to use 2 Pix 501's to secure
:traffic between 2 wireless access points.

:I can get the tunnel to come up with no problem, but no traffic will
:pass between the 2 inside interfaces.

:PIX Version 6.3(5)

:access-list 80 permit ip 10.16.0.0 255.255.0.0 10.16.2.0 255.255.255.0

:ip address outside 10.16.1.2 255.255.255.0
:ip address inside 10.16.0.221 255.255.0.0

Your inside network is 10.16/16 and your outside network is
10.16.1/24 which is a subnet of your inside network. You should
not expect that to work.

:nat (inside) 0 access-list 80

Your inside network is 10.16/16 and your nat 0 access-list implies
that you will be attempting to communicate with 10.16.2/24. You
should not expect that to work.

:sysopt connection permit-ipsec

Okay, that explains why you don't have any outside access lists.

:crypto map toRemotePix 10 match address 80
:crypto map toRemotePix 10 set peer 10.16.1.1

There are not many situations on the PIX in which you can
safely reuse an access list. You should copy the contents of
the access list under a different name and use that as the ACL
for "match address" purposes. PIX 6.x software may internally
modify ACLs for its own purposes. Some of the instances of
that are documented, but others are not.

Small note: on the PIX, you do not need to use numbers as the
ACL labels, you can use names such as "tunnel_acl" instead.

-- 
  Prototypes are supertypes of their clones.           -- maplesoft
Received on Tue Jan 3 03:40:02 2006