Client VPN through IPSEC tunnel

Posted on 2004-10-07
Last Modified: 2010-04-12

I have a problem accessing several servers over a VPN connection through a VPN tunnel.

My situation is like this:

I have 2 Cisco PIX 515E devices and several Cisco PIX VPN4 clients.

Both of the PIXes are connected via an IPSEC tunnel. PIX #1 can also be used as an endpoint for the VPN clients. Both the tunnel and the client access work fine, but now I want to be able to connect to machines which are behind PIX #2. Therefore I added an access-list rule. If I test it now and check the logging, it says DENY (No Xlate), but when I want to add that rule it states that it is a duplicate entry.

What's wrong?

Here's (part of) the config:
PIX Version 6.3(3)
access-list NoNAT permit ip LAN-net VPN-net
access-list NoNAT permit ip LAN-net Hosting-net
access-list NoNAT permit ip VPN-net Hosting-net

access-list VPNclients permit ip LAN-net VPN-net
access-list VPNclients permit ip DMZ-net VPN-net
access-list VPNclients permit ip Hosting-net VPN-net
access-list VPNclients permit ip VPN-net Hosting-net

access-list VPNtoHosting permit ip LAN-net Hosting-net
access-list VPNtoHosting permit ip VPN-net Hosting-net

ip local pool VPN-DHCPpool

global (outside) 10 interface

nat (inside) 0 access-list NoNAT
nat (inside) 10 0 0

route outside 1

aaa-server VPNClientAuth (inside) host server ********* timeout 5

sysopt connection permit-ipsec

crypto ipsec transform-set VPNset esp-des esp-md5-hmac
crypto dynamic-map DynVPNClientsMap 10 set transform-set VPNset
crypto map VPNAccess 10 ipsec-isakmp dynamic DynVPNClientsMap
crypto map VPNAccess 20 ipsec-isakmp
crypto map VPNAccess 20 match address VPNtoHosting
crypto map VPNAccess 20 set peer maxhos-rou001
crypto map VPNAccess 20 set transform-set VPNset
crypto map VPNAccess client authentication VPNClientAuth
crypto map VPNAccess interface outside

isakmp enable outside
isakmp key ******** address maxhos-rou001 netmask
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup VPNClientsGroup address-pool VPN-DHCPpool
vpngroup VPNClientsGroup split-tunnel VPNclients
vpngroup VPNClientsGroup idle-time 1800

Can anyone be of advice?

Question by:VMarcus
Accepted Solution
Seamless-IT
If you connect to PIX1 via a vpn client you will not be able to access the site behind PIX2 and vice versa.

The PIX "PIX1" does not allow traffic that comes in on one interface ("VPN Client") to go back out the same interface ("destination PIX2"). In other words, the PIX wants traffic to flow from the outside to the inside or inside to the outside. It sounds like you're trying to connect to the outside inside via the vpn client and then go right back out the outside to PIX2.
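As an added illustration (not from the post, the answer, or Cisco), a small Python model of why PIX1 logs DENY (No Xlate) for VPN-client-to-Hosting-net traffic: both the VPN pool and PIX #2's network are reached through the outside interface, and PIX 6.3 will not hairpin a packet back out the interface it arrived on. It also shows why adding `permit ip VPN-net Hosting-net` to VPNtoHosting reports a duplicate: that entry is already in the posted config. The subnets are constructed placeholders, since the post elides the real prefixes, and the forwarding order is simplified.

```python
import ipaddress

# Constructed example networks; the original post does not show the real prefixes.
NETS = {
    "LAN-net": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ-net": ipaddress.ip_network("192.168.2.0/24"),
    "VPN-net": ipaddress.ip_network("192.168.100.0/24"),    # ip local pool VPN-DHCPpool
    "Hosting-net": ipaddress.ip_network("192.168.10.0/24"),  # LAN behind PIX #2
}
# PIX #1 interface through which each network is reached. Decrypted VPN-client
# packets arrive on "outside", and PIX #2 (the tunnel peer) also sits on "outside".
IFACE = {"LAN-net": "inside", "DMZ-net": "dmz", "VPN-net": "outside", "Hosting-net": "outside"}

# The relevant access-list lines as posted (NoNAT and VPNtoHosting).
ACL_LINES = """
access-list NoNAT permit ip LAN-net VPN-net
access-list NoNAT permit ip LAN-net Hosting-net
access-list NoNAT permit ip VPN-net Hosting-net
access-list VPNtoHosting permit ip LAN-net Hosting-net
access-list VPNtoHosting permit ip VPN-net Hosting-net
"""

def parse_acls(text):
    """Return {acl_name: [(src_net, dst_net), ...]} from 'access-list X permit ip S D' lines."""
    acls = {}
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) == 6 and p[0] == "access-list" and p[2] == "permit" and p[3] == "ip":
            acls.setdefault(p[1], []).append((p[4], p[5]))
    return acls

def is_duplicate(acls, name, src, dst): return (src, dst) in acls.get(name, [])
def acl_match(acl, src, dst): return any(src in NETS[s] and dst in NETS[d] for s, d in acl)
def iface_of(ip): return next(IFACE[n] for n, net in NETS.items() if ip in net)

def forward(src_ip, dst_ip, acls):
    """Simplified PIX 6.3 decision for a packet: hairpin check, nat 0 exemption, crypto map."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ingress, egress = iface_of(src), iface_of(dst)
    if ingress == egress:
        # PIX 6.3 never forwards a packet back out its ingress interface, so no
        # translation slot is ever built; the syslog reads "DENY (No Xlate)".
        return "DENY (No Xlate): hairpin on interface %s" % ingress
    if not acl_match(acls["NoNAT"], src, dst):
        return "NAT via 'global (outside) 10 interface'"  # not a tunnel candidate
    if acl_match(acls["VPNtoHosting"], src, dst):
        return "PERMIT: IPsec tunnel to PIX #2 (crypto map VPNAccess 20)"
    return "PERMIT: nat 0 exempt, no crypto map match"

ACLS = parse_acls(ACL_LINES)
```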

