VPN Access to subnets using PIX 506E

Posted on 2004-11-11
Last Modified: 2013-11-16
I currently have a PIX 506E firewall which I use for remote access to my network. This works fine for accessing the subnet on which the PIX is located, but I have a few other subnets I would like to be able to reach. Does anyone have any suggestions on what I need to add to enable this? I have included the PIX configuration below. I have no problem accessing anything on the 100.1.1 subnet, but I cannot see the 110.1.1 or the 120.1.1 subnets at all. Thanks for any suggestions.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nW8DV9s.Yu0/LLds encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname myFirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list outside permit tcp any host eq smtp
access-list outside permit tcp any host eq telnet
access-list outside permit tcp any any eq domain
access-list outside permit udp any any eq domain
access-list outside permit icmp any any
access-list outside permit tcp any host eq www
access-list 100 permit ip
access-list outside3 permit tcp any any eq domain
access-list outside3 permit udp any any eq domain
access-list outside3 permit icmp any any
access-list outside3 permit tcp any host eq www
access-list outside3 permit tcp any host eq smtp
access-list outside3 permit tcp any host eq telnet
access-list outside3 permit tcp any host eq https
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool IPPool1
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0 0 norandomseq
static (inside,outside) netmask 0 0
access-group outside3 in interface outside
route outside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Remote1 address-pool IPPool1
vpngroup Remote1 idle-time 1800
vpngroup Remote1 password ********
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
terminal width 80
: end
Question by:qvfps

    Accepted Solution

    Two things that you need:
     1) add the other subnets to the nat 0 access-list
       access-list 100 permit ip
       access-list 100 permit ip
       access-list 100 permit ip

    2) on the router that is, be sure it either sets its default gateway to the PIX IP address, or at least has a static route for the subnet pointing to the PIX inside IP address...
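The two steps above, written out as an added example (this is not the poster's configuration or the accepted answer's text; the posted config had its addresses removed, so every address below is an assumption). It assumes the inside subnets are 100.1.1.0/24, 110.1.1.0/24 and 120.1.1.0/24, that the PIX inside interface is 100.1.1.1, that an internal router at 100.1.1.254 owns the other two subnets, and that IPPool1 hands remote users addresses from 192.168.100.0/24. The example also goes one step beyond the answer by reusing the same list as the split-tunnel list and by listing the commands to verify the result:

```cisco
: Added example, not the poster's config. Addresses are assumptions; adjust to your network.

: --- PIX 506E (PIX OS 6.x) ---
ip local pool IPPool1 192.168.100.1-192.168.100.50

: NAT exemption: one entry per inside subnet, scoped to the VPN pool only.
: Do not use "permit ip any any" here. Because "sysopt connection permit-ipsec"
: lets decrypted VPN traffic skip the outside ACL, this list is what decides
: which inside networks a remote user can reach.
access-list 100 permit ip 100.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 100 permit ip 110.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 100 permit ip 120.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 100

: The PIX must know where the other two subnets live. The posted config already
: carries two "route inside" lines; their addresses were stripped from the post.
route inside 110.1.1.0 255.255.255.0 100.1.1.254 1
route inside 120.1.1.0 255.255.255.0 100.1.1.254 1

: Optional: hand the same list to the client as its split-tunnel list, so only
: traffic for these three subnets goes through the tunnel.
vpngroup Remote1 split-tunnel 100

: --- Internal router (IOS) that owns 110.1.1.0/24 and 120.1.1.0/24 ---
: Return traffic for the VPN pool has to be sent back to the PIX inside interface.
ip route 192.168.100.0 255.255.255.0 100.1.1.1
: Alternatively, if the PIX is this router's default gateway:
: ip route 0.0.0.0 0.0.0.0 100.1.1.1

: --- Verify from the PIX after a client connects ---
: With split tunnelling, expect one IPsec SA per subnet in access-list 100.
show crypto ipsec sa
: VPN-pool traffic must not appear here; if it does, the nat 0 list did not match.
show xlate
: 110.1.1.0 and 120.1.1.0 should be listed via 100.1.1.254.
show route
```

If the client can ping 100.1.1.x but not 110.1.1.x after this change, check the internal router first: the PIX will happily forward the decrypted packet, but the reply dies if the router has no route back to 192.168.100.0/24. Two other settings in the posted config are worth a look while editing, independent of the routing fix: `norandomseq` on the `nat (inside) 1 0 0` line turns off TCP initial sequence number randomisation for every translated connection and should be dropped unless a specific application needs it, and the ISAKMP policy and transform set use DES and MD5; if the unit carries the 3DES/AES activation key, `isakmp policy 20 encryption 3des`, `isakmp policy 20 hash sha` and a transform set of `esp-3des esp-sha-hmac` are accepted by the Cisco VPN client.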


    Author Comment

    That was what I needed. Thanks a lot for the quick reply.

