
Pix to Pix to Pix need heeeelllllppppp

Jan 8, 2004
Hello, I have a Pix to Pix IPsec tunnel up and would like to add another but am having a problem. I have what looks like the correct config on each side according to Cisco, but it still isn't working correctly. Tried searching through the forums but didn't quite see anything that would help me out.

BTW, tried reloading also to no avail.

Scenario:

ROUTER----PIX1------INTERNET---------PIX2
3.0/24               |               192.168.6.0/24
5.0/24               |
                     |
                     |
                    PIX3
                192.168.1.0/24

Pix2 and Pix3 terminate their IPsec tunnels back to Pix1, and Pix1 has 2 networks behind it off the router, 192.168.3.0 and 192.168.5.0.

Pix2 has 192.168.6.0 behind it and Pix3 has 192.168.1.0 behind it.

Pix1 and Pix2 sessions are fine; it's Pix3 that has me getting grey hairs.

PIX1 config:

ip address outside x.251.175.234 255.255.255.252
ip address inside 192.168.254.1 255.255.255.252

global (outside) 1 x.150.173.238-x.150.173.254 netmask 255.255.255.224
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set set esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address vpn2
crypto map vpn 10 set peer x.231.36.137
crypto map vpn 10 set transform-set myset
crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address vpn3
crypto map vpn 20 set peer x.231.38.11
crypto map vpn 20 set transform-set set
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address x.231.36.137 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.231.38.11 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

access-list vpn2 permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list vpn2 permit ip host x.251.175.234 host x.231.36.137
access-list vpn2 permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list vpn2 permit ip 192.168.3.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list vpn2 permit ip 192.168.5.0 255.255.255.0 host x.231.36.137
access-list vpn2 permit ip 192.168.254.0 255.255.255.252 192.168.6.0 255.255.255.0
access-list vpn2 permit ip 192.168.253.0 255.255.255.252 192.168.6.0 255.255.255.0
access-list vpn2 permit ip host x.251.175.234 192.168.6.0 255.255.255.0
access-list vpn2 permit ip host 192.168.254.2 192.168.6.0 255.255.255.0
access-list vpn2 permit ip host 192.168.253.1 192.168.6.0 255.255.255.0
access-list vpn2 permit ip 192.168.0.0 255.255.0.0 192.168.6.0 255.255.255.0
access-list vpn2 permit ip 192.168.0.0 255.255.0.0 host x.231.36.137
access-list vpn3 permit ip host x.251.175.234 host x.231.38.11
access-list vpn3 permit ip 192.168.3.0 255.255.255.0 host x.231.38.11
access-list vpn3 permit ip 192.168.5.0 255.255.255.0 host x.231.38.11
access-list vpn3 permit ip 192.168.254.0 255.255.255.252 host x.231.38.11
access-list vpn3 permit ip 192.168.253.0 255.255.255.252 host x.231.38.11
access-list vpn3 permit ip host x.251.175.234 192.168.1.0 255.255.255.0
access-list vpn3 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn3 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn3 permit ip 192.168.254.0 255.255.255.252 192.168.1.0 255.255.255.0
access-list vpn3 permit ip 192.168.253.0 255.255.255.252 192.168.1.0 255.255.255.0
-----------------------------------------------
Pix3 config:

ip address outside x.231.38.11 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set set esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address vpn2
crypto map vpn 10 set peer x.251.175.234
crypto map vpn 10 set transform-set set
isakmp enable outside
isakmp key ******** address x.251.175.234 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

access-list vpn permit ip host x.231.38.11 host x.251.175.234
access-list vpn permit ip host x.231.38.11 192.168.3.0 255.255.255.0
access-list vpn permit ip host x.231.38.11 192.168.5.0 255.255.255.0
access-list vpn permit ip host x.231.38.11 192.168.254.0 255.255.255.252
access-list vpn permit ip host x.231.38.11 192.168.253.0 255.255.255.252
access-list vpn permit ip 192.168.1.0 255.255.255.0 host x.251.175.234
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.252
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.253.0 255.255.255.252
access-list vpn2 permit ip host x.231.38.11 host x.251.175.234
access-list vpn2 permit ip host x.231.38.11 192.168.3.0 255.255.255.0
access-list vpn2 permit ip host x.231.38.11 192.168.5.0 255.255.255.0
access-list vpn2 permit ip host x.231.38.11 192.168.254.0 255.255.255.252
access-list vpn2 permit ip host x.231.38.11 192.168.253.0 255.255.255.252
access-list vpn2 permit ip 192.168.1.0 255.255.255.0 host x.251.175.234
access-list vpn2 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list vpn2 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list vpn2 permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.252
access-list vpn2 permit ip 192.168.1.0 255.255.255.0 192.168.253.0 255.255.255.252



Please Help.


thanks in advance,


Bryan
 
Your crypto ACLs should not contain any reference to the outside IP address of any of the PIXes. Only the LAN traffic to be encrypted is supposed to be put in the ACL.

Same goes for your nat 0 access-list.



Network Systems Engineer
CCNA/CQS/CCSP
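A checker for the rule above, added here as an example and not code from the thread or from Cisco: it parses PIX `access-list ... permit ip` lines, verifies that two peers' crypto ACLs are exact mirror images of each other, flags entries that reference a peer's outside address, and reports whether a config binds its crypto map to an interface (`crypto map <name> interface <if>`), which the PIX requires before the map takes effect. The sample configs are subsets of the thread's first-posted PIX1 and PIX3 configs, with the `x.`-masked outside addresses kept exactly as posted.

```python
import re
# Added example (not code from the thread): sanity checks for a pair of PIX
# crypto ACLs. The outside addresses are the masked values exactly as posted
# in the thread ("x." prefix) and are handled as opaque tokens, not parsed.

ACL_RE = re.compile(r"access-list\s+(\S+)\s+permit\s+ip\s+"
                    r"(host\s+\S+|\S+\s+\S+)\s+(host\s+\S+|\S+\s+\S+)$")

def _endpoint(tok):
    """'host A' -> (A, host mask); 'A M' -> (A, M)."""
    p = tok.split()
    return (p[1], "255.255.255.255") if p[0] == "host" else (p[0], p[1])

def parse_acl(config, name):
    """All 'permit ip' entries of ACL `name` as ((src, mask), (dst, mask))."""
    out = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            out.append((_endpoint(m.group(2)), _endpoint(m.group(3))))
    return out

def mirror_gaps(local, remote):
    """(local entries with no mirror on the remote side, remote mirrors missing
    locally). Both must be empty: each peer's crypto ACL mirrors the other's."""
    mirrored = {(d, s) for s, d in remote}
    return sorted(set(local) - mirrored), sorted(mirrored - set(local))

def peer_address_entries(entries, outside_addrs):
    """Entries that select traffic to or from a tunnel endpoint itself;
    these do not belong in the crypto ACL or the nat 0 ACL."""
    return [e for e in entries
            if e[0][0] in outside_addrs or e[1][0] in outside_addrs]

def crypto_map_bound(config, map_name):
    """True if the config carries 'crypto map <map_name> interface <if>',
    without which the PIX never applies the map to any traffic."""
    pat = rf"^crypto map {re.escape(map_name)} interface \S+$"
    return re.search(pat, config, re.M) is not None

PEERS = {"x.251.175.234", "x.231.38.11"}   # PIX1 and PIX3 outside addresses
# PIX1 side of the PIX1<->PIX3 tunnel, subset of ACL vpn3 as first posted.
PIX1_FIRST = """\
access-list vpn3 permit ip host x.251.175.234 host x.231.38.11
access-list vpn3 permit ip 192.168.3.0 255.255.255.0 host x.231.38.11
access-list vpn3 permit ip host x.251.175.234 192.168.1.0 255.255.255.0
access-list vpn3 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map vpn 20 match address vpn3
crypto map vpn interface outside
"""
# PIX3 side, subset of ACL vpn2 as first posted (no interface binding line).
PIX3_FIRST = """\
access-list vpn2 permit ip host x.231.38.11 host x.251.175.234
access-list vpn2 permit ip host x.231.38.11 192.168.3.0 255.255.255.0
access-list vpn2 permit ip 192.168.1.0 255.255.255.0 host x.251.175.234
access-list vpn2 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map vpn 10 match address vpn2
"""

if __name__ == "__main__":
    pix1, pix3 = parse_acl(PIX1_FIRST, "vpn3"), parse_acl(PIX3_FIRST, "vpn2")
    print("mirror gaps:", mirror_gaps(pix1, pix3))
    print("PIX1 peer-address entries:", peer_address_entries(pix1, PEERS))
    print("PIX3 map bound to interface:", crypto_map_bound(PIX3_FIRST, "vpn"))
```

Run it against the full `show run` of both peers by pasting each into the config strings; an empty `mirror_gaps` result plus no peer-address entries is the state the reply above asks for.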
 
OK, so I changed the ACLs to be only private to private for all the IPsec configs, but I still can't connect. I can establish a tunnel, but then I get the following message on pix1:

VPN Peer: ISAKMP: Peer ip:x.231.38.11/500 Ref cnt decremented to:0 Total VPN Peers:2
VPN Peer: ISAKMP: Deleted peer: ip:x.231.38.11/500 Total VPN peers:1IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with x.231.38.11

I've tried deleting the crypto and isakmp config from pix3 and adding it back and I've also removed the crypto and isakmp keys from pix1 and added them back thinking that might help but that didn't work either.



Thanks,

Bryan
 
Try to do "debug cry isa" and "debug cry ipsec" on the pix that doesn't work and paste it in here.

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
crypto_isakmp_process_block:src: x.251.175.234, dest: x.231.38.11 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:x.251.175.234/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:x.251.175.234/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 1399996362
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with x.251.175.234

return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3399442811

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5IPSEC(validate_proposal): invalid local address x.231.38.11

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2682267294

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5IPSEC(validate_proposal): invalid local address x.231.38.11

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500


So this would indicate that the crypto config on each end doesn't match, but it does. I've verified 100 times.

Pix1:

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set set esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address vpn2
crypto map vpn 10 set peer x.231.36.137
crypto map vpn 10 set transform-set myset
crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address vpn3
crypto map vpn 20 set peer x.231.38.11
crypto map vpn 20 set transform-set set
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address x.231.36.137 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.231.38.11 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

Pix3:
sysopt connection permit-ipsec
crypto ipsec transform-set set esp-3des esp-md5-hmac
crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address vpn2
crypto map vpn 20 set peer x.251.175.234
crypto map vpn 20 set transform-set set
isakmp enable outside
isakmp key ******** address x.251.175.234 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

Pulling my hair out here.


Thanks for all the help,


Bryan
 
Just add another isakmp definition on PIX1 as another policy and try again:

isakmp policy 2 authentication pre-share
isakmp policy 2 encryption des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400



Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
Nope, still no dice. I still get the same "att" errors.




Bryan
 
The PIX3 peer for PIX1 is x.231.38.11; how can you use the peer in the interesting traffic?

Remove this address x.231.38.11 from the VPN access-list
and try again,
and send us the debug again.



Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
Hi Mohamed, I have done that at Dopehead's recommendation, still having probs though.



Bryan
 
OK, can you please send the final access-list and the final debug,
because "atts not acceptable" means that there is a problem in the access-list.


Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
Ok, here's the latest, which doesn't look like it has changed.

crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:x.251.175.234/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:x.251.175.234/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 3148970836
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with x.251.175.234

return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2352867229

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5IPSEC(validate_proposal): invalid local address x.231.38.11

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
ISADB: reaper checking SA 0xaa74cc, conn_id = 0
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2468953573

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5IPSEC(validate_proposal): invalid local address x.231.38.11

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block:src:x.251.175.234, dest:x.231.38.11 spt:500 dpt:500

Pix1 ACLs:

access-list vpn permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list vpn permit ip 192.168.3.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list vpn permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn permit ip 192.168.254.0 255.255.255.252 192.168.6.0 255.255.255.0
access-list vpn permit ip host 192.168.254.2 192.168.6.0 255.255.255.0
access-list vpn permit ip host 192.168.253.1 192.168.6.0 255.255.255.0
access-list vpn permit ip 192.168.0.0 255.255.0.0 192.168.6.0 255.255.255.0
access-list vpn permit ip 192.168.254.0 255.255.255.252 192.168.1.0 255.255.255.0
access-list vpn permit ip host 192.168.254.2 192.168.1.0 255.255.255.0
access-list vpn permit ip host 192.168.253.1 192.168.1.0 255.255.255.0
access-list vpn2 permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list vpn2 permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list vpn2 permit ip 192.168.3.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list vpn2 permit ip 192.168.254.0 255.255.255.252 192.168.6.0 255.255.255.0
access-list vpn2 permit ip 192.168.253.0 255.255.255.252 192.168.6.0 255.255.255.0
access-list vpn2 permit ip host 192.168.254.2 192.168.6.0 255.255.255.0
access-list vpn2 permit ip host 192.168.253.1 192.168.6.0 255.255.255.0
access-list vpn2 permit ip 192.168.0.0 255.255.0.0 192.168.6.0 255.255.255.0
access-list vpn3 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn3 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn3 permit ip 192.168.254.0 255.255.255.252 192.168.1.0 255.255.255.0
access-list vpn3 permit ip 192.168.253.0 255.255.255.252 192.168.1.0 255.255.255.0

Pix3 ACLs:

access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.252
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.253.0 255.255.255.252
access-list vpn2 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list vpn2 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list vpn2 permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.252
access-list vpn2 permit ip 192.168.1.0 255.255.255.0 192.168.253.0 255.255.255.252


Funny thing is I don't get any debugs when I ping from behind Pix3 to behind Pix1, only when I ping from behind Pix1 to behind Pix3.




Thanks for all the help,


Bryan
 
OK... Clear the SAs (clear crypto isakmp sa and clear crypto ipsec sa), then try to ping from behind PIX 1 to the remote end. Issue the following commands on PIX 1:
show crypto isakmp sa
show crypto ipsec sa

Now, do the same for PIX 3 (clear the SAs and ping from behind PIX 3 to the remote end). Issue the same commands on PIX 3. Post the outputs from both PIXes and also post all of your route commands.
 