- [Edit] VPN pix 506 to 501 ...
- Posted by Fwed on September 2nd, 2005
Hi,
I have a VPN between 2 PIXes, one 506 and one 501.
My problem is that the VPN goes down but we see the VPN is still up ...
If I run a "sh crypto isakmp sa", we can see that 1 tunnel was created,
but I can't ping the other side. If I run a "ping inside 192.168.x.x",
the connection goes up ...
The configuration seems good.
Does someone have an idea to resolve the problem?
Thanks a lot,
Fwed
-------crypto 506 conf-------------
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set pfs group5
crypto map outside_map 30 set peer 2xx.xxx.xxx.xxx
crypto map outside_map 30 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 2xx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
-------crypto 506 conf-------------
-------crypto 501 conf-------------
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer 1xx.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1xx.xxx.xxx.xxx netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
-------crypto 501 conf-------------
- Posted by Nick Ersdown on September 2nd, 2005
Do all users lose visibility of the other side or just some users? If just
some, then what user licence do you have on the 501? i.e. 10 users? Could
it be that you have more users on the PIX 501 side than the licence allows?
If not, then could you post all of your configs, including NAT,
access-lists etc.
Regards,
Nick Ersdown
www.ar53.com
"Fwed" <nosp@m.org> wrote in message
news:43182867$0$25410$626a14ce@news.free.fr...
- Posted by Fwed on September 2nd, 2005
Nick Ersdown wrote:
I have 5 users behind the PIX 501, so it's OK.
The configuration has changed and is not very clean now (I quickly
configured a VPN for the Cisco client and changed "isakmp policy 20 group 5" to
"isakmp policy 20 group 2" on the 501).
1.1.1.1 & 2.2.2.2 & 1.1.1.2 are, in fact, public addresses.
------------Pix 501------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************ encrypted
passwd ************* encrypted
hostname PIX-VPN
domain-name ********.fr
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.0 lan01
name 192.168.0.0 lan02
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 lan02 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 lan01 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 lan02 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 lan01 255.255.255.0
access-list fwoutside permit icmp any any
access-list fwoutside deny ip any any log
access-list fwinside permit ip 192.168.5.0 255.255.255.0 lan01 255.255.255.0
access-list fwinside permit ip 192.168.5.0 255.255.255.0 lan02 255.255.255.0
access-list fwinside permit udp any any eq bootpc
access-list fwinside permit udp 192.168.5.0 255.255.255.0 any eq domain
access-list fwinside permit tcp 192.168.5.0 255.255.255.0 any eq www
access-list fwinside permit tcp 192.168.5.0 255.255.255.0 any eq ftp
access-list fwinside permit tcp 192.168.5.0 255.255.255.0 any eq ftp-data
access-list fwinside permit tcp 192.168.5.0 255.255.255.0 any eq https
access-list fwinside permit icmp any any
access-list fwinside permit tcp 192.168.5.0 255.255.255.0 any eq ssh
access-list fwinside deny ip any any log
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.5.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name IDS-INFO info action alarm
ip audit name IDS-ATTACK attack action alarm drop reset
ip audit interface outside IDS-INFO
ip audit interface outside IDS-ATTACK
ip audit interface inside IDS-INFO
ip audit interface inside IDS-ATTACK
ip audit info action alarm
ip audit attack action alarm
ip local pool test 172.16.1.1-172.16.1.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group fwoutside in interface outside
access-group fwinside in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 60 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup address-pool idle-time 1800
vpngroup nomade address-pool test
vpngroup nomade idle-time 1800
vpngroup nomade password ********
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname **********
vpdn group pppoe_group ppp authentication pap
vpdn username fti/rchzgxt password *********
dhcpd address 192.168.5.15-192.168.5.14 inside
dhcpd dns 194.2.0.20
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username admin password *********** encrypted privilege 15
terminal width 80
--------pix506-------------
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********** encrypted
passwd ************ encrypted
hostname PIX-VPN
domain-name **********.fr
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.5.0 lan
access-list outside_cryptomap_30 permit ip 192.168.0.0 255.255.255.0 lan 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.2.0 255.255.255.0 lan 255.255.255.0
access-list fwoutside permit icmp any any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 lan 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 lan 255.255.255.0
access-list fwinside permit ip any any
pager lines 24
logging console debugging
logging monitor debugging
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.1 255.255.255.0
ip address inside 192.168.2.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group fwoutside in interface outside
access-group fwinside in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
route inside 192.168.0.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set pfs group5
crypto map outside_map 30 set peer 2.2.2.2
crypto map outside_map 30 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
username admin password ********* encrypted privilege 15
terminal width 80
- Posted by Walter Roberson on September 2nd, 2005
In article <43185cdd$0$9068$636a15ce@news.free.fr>, Fwed <nosp@m.org> wrote:
I do not see the problem at the moment, and it puzzles me that
a ping to -inside- would do anything. I'd want to see some of the log
entries and debug crypto isakmp 2 debug crypto ipsec 2 results.
In the meantime, I happen to notice a couple of small problems with
your configurations:
:------------Pix 501------------
:PIX Version 6.3(5)
:access-list fwoutside permit icmp any any
You should not permit -all- icmp, because people *will* attack
you with unsolicited icmp network-redirects, in an attempt to
get connections to (e.g.) banks to be redirected to their site
that has been made up to look just like the bank's...
You do not need this "for debugging" as it is not going to affect
any traffic in the tunnel: you have sysopt connection permit-ipsec
which tells the PIX to ignore the interface ACLs for tunnel traffic.
:access-list fwoutside deny ip any any log
Deny is the default, and a log statement would be generated
anyhow, unless you had turned that off with 'logging message'... which
you didn't.
:access-list fwinside deny ip any any log
Again, deny is the default and a log statement would be generated
anyhow.
:logging on
:logging monitor debugging
:logging buffered debugging
When you are trying to debug a PIX, I recommend that you use
logging trap debugging and also use logging host IP to send
a copy of the log messages to a syslog daemon for recording to a file.
:ip address outside pppoe setroute
:ip address inside 192.168.5.254 255.255.255.0
:management-access inside
Ah, that's probably why pinging to the -inside- brought up a tunnel.
:--------pix506-------------
:PIX Version 6.3(3)
Upgrade to 6.3(4) or 6.3(5) is recommended, for a security fix.
:access-list fwoutside permit icmp any any
See above about icmp any.
:crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
:crypto map outside_map 30 ipsec-isakmp
:crypto map outside_map 30 match address outside_cryptomap_30
:crypto map outside_map 30 set pfs group5
:crypto map outside_map 30 set peer 2.2.2.2
:crypto map outside_map 30 set transform-set ESP-AES-256-SHA
:crypto map outside_map interface outside
You have not defined a dynamic map here: you are expecting to talk
to 2.2.2.2. But look above....
[501 configuration] ip address outside pppoe setroute
Your 501 does not -have- a fixed outside IP according to that.
Perhaps your provider has assigned a constant address of 2.2.2.2,
but you've told the PIX the address is variable. [Unfortunately
I don't see any other way to tell the PIX you need to communicate
via PPPoE.]
What I suggest you try is removing the crypto map outside_map 30
on the 506 and putting in a dynamic map (be sure to adjust
the isakmp key address selector to match the possible range of IPs.)
Then bring the tunnel up by traffic from the 501 to the 506.
I would also suggest removing the management access on the 501.
If you want the traffic between the 501 and the 506 themselves
to go through a tunnel (e.g., pings) then you should add an
entry to the tunnel ACL that specifies the -outside- IPs for both
ends. That's going to be a bit tricky on the 506 side, though,
with the 501 having a dynamic IP... That is the situation that the
management access is for, but I think that -for now- it is just
confusing the issue.
--
Oh, to be a Blobel!
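Two of the problems raised in this thread are the kind of thing a mechanical review of the two configs catches: Walter's point that the 506 has a static "set peer 2.2.2.2" aimed at a 501 whose outside address comes from PPPoE, and Fwed's own change of the 501 to ISAKMP group 2 while the 506 still offers group 5. The script below is an added example and is not code from any of the posters; it parses the crypto-relevant lines of both configurations (embedded as constructed sample input, with the name aliases lan, lan01 and lan02 expanded to the addresses they stand for) and reports a static peer pointing at a PPPoE outside interface, ISAKMP policy attributes that differ between the ends, and crypto ACL entries that are not mirrored on the other side. The PIX-501/PIX-506 labels and the finding codes are my own.

```python
"""Consistency checks for a PIX 6.3 site-to-site IPsec pair.

Added example for this thread (not code from the original posts). It reads
the crypto-relevant lines of two PIX configurations and reports mismatches
that stop a tunnel from coming up or staying up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the crypto lines of the two configs posted in
# the thread, with the 'name' aliases expanded (lan = 192.168.5.0,
# lan01 = 192.168.2.0, lan02 = 192.168.0.0).
PIX501 = """
ip address outside pppoe setroute
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer 1.1.1.1
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

PIX506 = """
ip address outside 1.1.1.1 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set pfs group5
crypto map outside_map 30 set peer 2.2.2.2
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
"""

OUTSIDE_RE = re.compile(r"ip address outside (\S+)")
ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)")
PEER_RE = re.compile(r"crypto map \S+ \d+ set peer (\S+)")
POLICY_RE = re.compile(r"isakmp policy \d+ (\S+) (\S+)")


@dataclass
class PeerCrypto:
    outside: Optional[str] = None   # outside address, or 'pppoe' when dynamic
    acls: dict = field(default_factory=lambda: defaultdict(list))
    crypto_acl: Optional[str] = None  # ACL named by 'match address'
    peer: Optional[str] = None        # 'set peer' address; None means no static peer
    policy: dict = field(default_factory=dict)  # isakmp attribute -> value


def parse(config_text: str) -> PeerCrypto:
    """Pick the crypto-relevant settings out of a PIX 6.3 config dump."""
    cfg = PeerCrypto()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := OUTSIDE_RE.match(line):
            cfg.outside = m.group(1)
        elif m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            cfg.acls[name].append(((src, smask), (dst, dmask)))
        elif m := MATCH_RE.match(line):
            cfg.crypto_acl = m.group(1)
        elif m := PEER_RE.match(line):
            cfg.peer = m.group(1)
        elif m := POLICY_RE.match(line):
            cfg.policy[m.group(1)] = m.group(2)
    return cfg


def check_pair(name_a, a, name_b, b):
    """Return (code, message) findings for a pair of site-to-site peers."""
    findings = []
    # A static 'set peer' only works if the far end's outside address is fixed;
    # 'ip address outside pppoe' tells the PIX that address is variable.
    for me, me_cfg, other, other_cfg in ((name_a, a, name_b, b), (name_b, b, name_a, a)):
        if me_cfg.peer and other_cfg.outside == "pppoe":
            findings.append(("dynamic-peer",
                             f"{me}: static 'set peer {me_cfg.peer}', but {other} gets its outside "
                             f"address via PPPoE; {me} needs a dynamic crypto map and an isakmp key "
                             f"address selector covering the possible peer addresses"))
    # Phase 1 only completes when both ends offer a policy with matching attributes.
    for attr in ("authentication", "encryption", "hash", "group", "lifetime"):
        va, vb = a.policy.get(attr), b.policy.get(attr)
        if va != vb:
            findings.append(("isakmp-mismatch", f"isakmp policy {attr}: {name_a}={va}, {name_b}={vb}"))
    # Every crypto ACL entry must be the exact mirror of an entry on the other side.
    entries_a = set(a.acls.get(a.crypto_acl, []))
    mirrored_b = {(dst, src) for src, dst in b.acls.get(b.crypto_acl, [])}
    for src, dst in sorted(entries_a - mirrored_b):
        findings.append(("acl-mirror", f"{name_a} crypto ACL {src[0]} -> {dst[0]} has no mirror on {name_b}"))
    for src, dst in sorted(mirrored_b - entries_a):
        findings.append(("acl-mirror", f"{name_b} crypto ACL {dst[0]} -> {src[0]} has no mirror on {name_a}"))
    return findings


if __name__ == "__main__":
    for code, msg in check_pair("PIX-501", parse(PIX501), "PIX-506", parse(PIX506)):
        print(f"[{code}] {msg}")
```

Run against the posted configs it reports exactly the two issues discussed above (the static peer on the 506 and the group 2/group 5 mismatch) and nothing for the crypto ACLs, which are already proper mirrors of each other; after dropping the 506's static peer in favour of a dynamic map and putting the 501 back on group 5, the checker returns no findings.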
- Posted by Fwed on September 5th, 2005
Thank you very much for your answer.
I will try fixing the outside IP on the 501 as you said, so that it is not
variable.
Then, if that does not resolve the problem, I will change the crypto map to a
dynamic map.
Thanks a lot!