Client VPN through IPSEC tunnel

Hello,

I have a problem accessing several servers over a VPN connection through a VPN tunnel.

My situation is like this:

I have 2 Cisco PIX 515E devices and several Cisco PIX VPN4 clients.

Both of the PIXes are connected via an IPSEC tunnel. PIX #1 can also be used as an endpoint for the VPN clients. Both the tunnel and the client access work fine, but now I want to be able to connect to machines which are behind PIX #2. Therefore I added an access-list rule. If I test it now and check the logging, it says DENY (No Xlate), but when I want to add that rule it states that it is a duplicate entry.

What's wrong?

Here's (part of) the config:
PIX Version 6.3(3)
access-list NoNAT permit ip LAN-net 255.255.255.0 VPN-net 255.255.255.0
access-list NoNAT permit ip LAN-net 255.255.255.0 Hosting-net 255.255.255.0
access-list NoNAT permit ip VPN-net 255.255.255.0 Hosting-net 255.255.255.0

access-list VPNclients permit ip LAN-net 255.255.255.0 VPN-net 255.255.255.0
access-list VPNclients permit ip DMZ-net 255.255.255.0 VPN-net 255.255.255.0
access-list VPNclients permit ip Hosting-net 255.255.255.0 VPN-net 255.255.255.0
access-list VPNclients permit ip VPN-net 255.255.255.0 Hosting-net 255.255.255.0

access-list VPNtoHosting permit ip LAN-net 255.255.255.0 Hosting-net 255.255.255.0
access-list VPNtoHosting permit ip VPN-net 255.255.255.0 Hosting-net 255.255.255.0

ip local pool VPN-DHCPpool 192.168.22.1-192.168.22.254

global (outside) 10 interface

nat (inside) 0 access-list NoNAT
nat (inside) 10 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 80.127.139.209 1

aaa-server VPNClientAuth (inside) host server ********* timeout 5

sysopt connection permit-ipsec

crypto ipsec transform-set VPNset esp-des esp-md5-hmac
crypto dynamic-map DynVPNClientsMap 10 set transform-set VPNset
crypto map VPNAccess 10 ipsec-isakmp dynamic DynVPNClientsMap
crypto map VPNAccess 20 ipsec-isakmp
crypto map VPNAccess 20 match address VPNtoHosting
crypto map VPNAccess 20 set peer maxhos-rou001
crypto map VPNAccess 20 set transform-set VPNset
crypto map VPNAccess client authentication VPNClientAuth
crypto map VPNAccess interface outside

isakmp enable outside
isakmp key ******** address maxhos-rou001 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup VPNClientsGroup address-pool VPN-DHCPpool
vpngroup VPNClientsGroup split-tunnel VPNclients
vpngroup VPNClientsGroup idle-time 1800


Can anyone be of advice?

regards,
Vince
Asked by VMarcus (LVL 2)
Seamless-IT commented:
If you connect to PIX1 via a VPN client you will not be able to access the site behind PIX2, and vice versa.

The PIX "PIX1" does not allow traffic that comes in on an interface ("VPN client") to go back out the same interface ("destination PIX2"). In other words, the PIX wants traffic to flow from the outside to the inside or from the inside to the outside. It sounds like you're trying to come in from the outside to the inside via the VPN client and then go right back out the outside to PIX2.
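To make the answer above concrete, here is an added example (not code from the original thread or from Cisco) that models how PIX 6.3 classifies a flow: it parses the access-list, nat 0 and crypto map lines from the question, assigns the symbolic names constructed addresses (VPN-net is taken from the posted ip local pool; LAN-net, DMZ-net and Hosting-net are assumptions), and reports whether a given source/destination pair enters and leaves on the same interface, which PIX 6.3 does not forward, versus an inside-originated flow that is NAT-exempt and matched by crypto map entry 20.

```python
"""Added example: a small flow classifier for the PIX 6.3 config in the question.
Addresses for the symbolic object names are constructed (assumption)."""
import ipaddress
import re

# Constructed mapping of the symbolic names used in the posted config.
# VPN-net follows the "ip local pool VPN-DHCPpool 192.168.22.1-192.168.22.254" line.
NAMES = {
    "LAN-net": "192.168.1.0",      # assumption
    "DMZ-net": "192.168.2.0",      # assumption
    "VPN-net": "192.168.22.0",     # from the posted address pool
    "Hosting-net": "10.50.0.0",    # assumption: the network behind PIX #2
}

# The lines from the question that decide NAT exemption and tunnel selection.
POSTED_CONFIG = """
access-list NoNAT permit ip LAN-net 255.255.255.0 VPN-net 255.255.255.0
access-list NoNAT permit ip LAN-net 255.255.255.0 Hosting-net 255.255.255.0
access-list NoNAT permit ip VPN-net 255.255.255.0 Hosting-net 255.255.255.0
access-list VPNtoHosting permit ip LAN-net 255.255.255.0 Hosting-net 255.255.255.0
access-list VPNtoHosting permit ip VPN-net 255.255.255.0 Hosting-net 255.255.255.0
nat (inside) 0 access-list NoNAT
crypto map VPNAccess 10 ipsec-isakmp dynamic DynVPNClientsMap
crypto map VPNAccess 20 ipsec-isakmp
crypto map VPNAccess 20 match address VPNtoHosting
crypto map VPNAccess interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse(config):
    """Return (acls, static crypto entries, nat0 bindings) from the config text."""
    acls, static_entries, nat0 = {}, [], {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            src = ipaddress.ip_network(f"{NAMES.get(s, s)}/{sm}")
            dst = ipaddress.ip_network(f"{NAMES.get(d, d)}/{dm}")
            acls.setdefault(name, []).append((src, dst))
        elif m := MATCH_RE.match(line):
            static_entries.append((int(m.group(2)), m.group(3)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)   # interface -> NAT-exemption ACL
    return acls, static_entries, nat0


def acl_matches(acls, name, src, dst):
    return any(src in s and dst in d for s, d in acls.get(name, []))


def side_of(ip):
    """Interface on which the PIX sees this address: VPN clients and the
    remote hosting network are on outside, LAN/DMZ are on inside."""
    if ip in ipaddress.ip_network(f"{NAMES['VPN-net']}/24"):
        return "outside"
    for n in ("LAN-net", "DMZ-net"):
        if ip in ipaddress.ip_network(f"{NAMES[n]}/24"):
            return "inside"
    return "outside"


def evaluate_flow(config, src, dst):
    """Classify one src->dst flow the way the posted PIX 6.3 config would."""
    acls, static_entries, nat0 = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, egress = side_of(src), side_of(dst)
    tunnel = next((seq for seq, acl in static_entries
                   if acl_matches(acls, acl, src, dst)), None)
    # nat 0 is bound to an interface, so it only exempts flows entering there.
    nat_exempt = any(acl_matches(acls, acl, src, dst)
                     for ifc, acl in nat0.items() if ifc == ingress)
    if ingress == egress == "outside":
        verdict = "dropped: enters and leaves on outside (no hairpinning on PIX 6.3)"
    elif tunnel is None:
        verdict = "not tunnelled: no crypto map match"
    elif not nat_exempt:
        verdict = "would be PAT'd to the outside address before encryption: NAT exemption missing"
    else:
        verdict = f"forwarded through crypto map entry {tunnel}"
    return {"ingress": ingress, "egress": egress, "crypto_entry": tunnel,
            "nat_exempt": nat_exempt, "verdict": verdict}


if __name__ == "__main__":
    for s, d in [("192.168.22.10", "10.50.0.5"),   # VPN client -> hosting (the question)
                 ("192.168.1.20", "10.50.0.5"),    # LAN -> hosting (site-to-site)
                 ("192.168.2.20", "10.50.0.5")]:   # DMZ -> hosting (no ACL entry)
        print(s, "->", d, ":", evaluate_flow(POSTED_CONFIG, s, d)["verdict"])
```

The first case is the one from the question: the client flow matches crypto map entry 20 and the NoNAT ACL text, yet both its ingress and egress interface are outside, so the classifier marks it as dropped before either matters; the LAN case shows the same destination succeeding when it originates on inside, and the DMZ case shows a flow that is simply not covered by VPNtoHosting.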

