I'm trying to add a second VPN tunnel on my PIX. I have one tunnel up with basically this configuration:
access-list 90 permit ip 10.10.1.0 255.255.255.0 any
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 90
crypto map outside_map 20 set peer 10.1.1.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface EPORT
isakmp enable EPORT
isakmp key ******** address 10.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
But now I want to bring a tunnel up to a second location that uses 192.168.x.x addresses on the other LAN. I tried adding this:
access-list 85 permit ip 10.10.1.0 255.255.255.0 192.168.0.0 255.255.0.0
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address 85
crypto map outside_map 30 set peer 10.30.1.1
isakmp key ************ address 10.30.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 28800
The access-list 85 is showing no hits even though I'm pinging 192 addresses (they're currently going over the other tunnel). I've never done more than one tunnel before so I'm unsure where I'm going wrong. I should emphasize that I need all traffic that does not match 192.168.0.0/16 to go over the first tunnel.
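Added example, not from the post: a small Python model of how the PIX walks a crypto map in ascending sequence order, where the first entry whose ACL matches wins. It shows why a 192.168.x.x destination is claimed by sequence 20 (ACL 90, destination "any") before sequence 30 is ever consulted, and what changes once the specific 192.168.0.0/16 entry is given the lower sequence number. The ACL and crypto map lines are constructed copies of the post's; the matcher is deliberately simplified (permit entries only, no interface or NAT handling).

```python
import ipaddress

# Constructed copies of the two ACLs from the post (PIX syntax: real subnet masks,
# "any" meaning 0.0.0.0/0).
ACL_LINES = [
    "access-list 90 permit ip 10.10.1.0 255.255.255.0 any",
    "access-list 85 permit ip 10.10.1.0 255.255.255.0 192.168.0.0 255.255.0.0",
]

def _take_net(tok, i):
    """Read one address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acls(lines):
    """Map ACL number -> list of (src_net, dst_net) permit entries."""
    acls = {}
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] != "permit":
            continue
        src, i = _take_net(tok, 4)
        dst, _ = _take_net(tok, i)
        acls.setdefault(tok[1], []).append((src, dst))
    return acls

def select_peer(crypto_map, acls, src_ip, dst_ip):
    """Lowest sequence number whose ACL matches the flow wins; None = cleartext."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, acl, peer in sorted(crypto_map):
        if any(s in sn and d in dn for sn, dn in acls.get(acl, [])):
            return seq, peer
    return None

# Crypto map as posted: seq 20 (ACL 90, "any") is evaluated before seq 30 (ACL 85).
POSTED_MAP = [(20, "90", "10.1.1.1"), (30, "85", "10.30.1.1")]
# Same entries with the specific 192.168.0.0/16 match given the lower sequence number.
REORDERED_MAP = [(10, "85", "10.30.1.1"), (20, "90", "10.1.1.1")]

if __name__ == "__main__":
    acls = parse_acls(ACL_LINES)
    for name, cmap in (("posted", POSTED_MAP), ("reordered", REORDERED_MAP)):
        print(name, select_peer(cmap, acls, "10.10.1.5", "192.168.5.5"),
              select_peer(cmap, acls, "10.10.1.5", "172.16.0.9"))
```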