• Status: Solved
  • Priority: Medium
  • Security: Public

VPN Access to subnets using PIX 506E

I currently have a PIX 506E firewall which I use for remote access to my network. This works fine for accessing the subnet on which the PIX is located, but I have a few other subnets I would like to be able to reach. Does anyone have any suggestions on what I need to add to enable this? I have included the PIX configuration below. I have no problem accessing anything on the 100.1.1 subnet, but I cannot see the 110.1.1 or the 120.1.1 subnets at all. Thanks for any suggestions.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nW8DV9s.Yu0/LLds encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname myFirewall
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside permit tcp any host 100.1.1.4 eq smtp
access-list outside permit tcp any host 100.1.1.4 eq telnet
access-list outside permit tcp any any eq domain
access-list outside permit udp any any eq domain
access-list outside permit icmp any any
access-list outside permit tcp any host 100.1.1.4 eq www
access-list 100 permit ip 100.1.1.0 255.255.255.0 100.1.2.0 255.255.255.0
access-list outside3 permit tcp any any eq domain
access-list outside3 permit udp any any eq domain
access-list outside3 permit icmp any any
access-list outside3 permit tcp any host 130.1.1.114 eq www
access-list outside3 permit tcp any host 130.1.1.114 eq smtp
access-list outside3 permit tcp any host 130.1.1.114 eq telnet
access-list outside3 permit tcp any host 130.1.1.114 eq https
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside 100.1.1.56
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 130.1.1.118 255.255.255.0
ip address inside 100.1.1.21 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool IPPool1 100.1.2.1-100.1.2.254
pdm location 110.1.1.0 255.255.255.0 inside
pdm location 100.1.1.4 255.255.255.255 inside
pdm location 100.1.1.56 255.255.255.255 inside
pdm location 120.1.1.0 255.255.255.0 inside
pdm location 100.1.1.51 255.255.255.255 inside
pdm location 100.1.1.56 255.255.255.255 inside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0 norandomseq
static (inside,outside) 130.1.1.114 100.1.1.4 netmask 255.255.255.255 0 0
access-group outside3 in interface outside
route outside 0.0.0.0 0.0.0.0 130.1.1.113 1
route inside 110.1.1.0 255.255.255.0 100.1.1.1 1
route inside 120.1.1.0 255.255.255.0 100.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 100.1.1.56 255.255.255.255 inside
http 100.1.1.51 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Remote1 address-pool IPPool1
vpngroup Remote1 idle-time 1800
vpngroup Remote1 password ********
telnet 100.1.1.56 255.255.255.255 inside
telnet 100.1.1.51 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:d15a26a6231b26fdefa7b9fc98a51e61
: end
Asked by: qvfps
1 Solution

lrmoore Commented:
Two things that you need:
1) add the other subnets to the nat 0 access-list
   access-list 100 permit ip 100.1.1.0 255.255.255.0 100.1.2.0 255.255.255.0
   access-list 100 permit ip 110.1.1.0 255.255.255.0 100.1.2.0 255.255.255.0
   access-list 100 permit ip 120.1.1.0 255.255.255.0 100.1.2.0 255.255.255.0

2) on the router that is 100.1.1.1, be sure it either sets its default gateway to the PIX IP address, or at least has a static route for the 100.1.2.0/24 subnet pointing to the PIX inside IP address...

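As an added example (not code from the thread), the following Python check reads a PIX 6.x configuration excerpt and reports every inside subnet that is routed but not exempted from NAT toward the VPN client pool, which is exactly the gap that item 1 above closes. The PIX_CONFIG text is a constructed excerpt built from the posted config, and the function names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the posted PIX 6.x config (same addresses and
# access-list names as in the question; not the complete config).
PIX_CONFIG = """\
access-list 100 permit ip 100.1.1.0 255.255.255.0 100.1.2.0 255.255.255.0
ip address inside 100.1.1.21 255.255.255.0
ip local pool IPPool1 100.1.2.1-100.1.2.254
nat (inside) 0 access-list 100
route inside 110.1.1.0 255.255.255.0 100.1.1.1 1
route inside 120.1.1.0 255.255.255.0 100.1.1.1 1
"""

def _net(addr, mask):
    # PIX writes "address netmask"; strict=False lets a host address stand for its network
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def nat0_exemptions(lines):
    """(src, dst) network pairs from the access-list bound to 'nat (inside) 0'."""
    names = {m[1] for ln in lines if (m := re.match(r"nat \(inside\) 0 access-list (\S+)", ln))}
    pairs = []
    for ln in lines:
        m = re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", ln)
        if m and m[1] in names:
            pairs.append((_net(m[2], m[3]), _net(m[4], m[5])))
    return pairs

def inside_subnets(lines):
    """Directly connected inside network plus every 'route inside' destination."""
    nets = []
    for ln in lines:
        m = re.match(r"(?:ip address inside|route inside) (\S+) (\S+)", ln)
        if m:
            nets.append(_net(m[1], m[2]))
    return nets

def vpn_pools(lines):
    """(first, last) address of each 'ip local pool' handed out to VPN clients."""
    return [(ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
            for ln in lines if (m := re.match(r"ip local pool \S+ (\S+)-(\S+)", ln))]

def missing_nat_exemptions(config):
    """Inside subnets whose traffic toward a VPN pool is NOT exempted from NAT.
    Replies from those subnets get translated by 'nat (inside) 1' and never reach the client."""
    lines = config.splitlines()
    exempt = nat0_exemptions(lines)
    missing = []
    for net in inside_subnets(lines):
        for lo, hi in vpn_pools(lines):
            if not any(net.subnet_of(s) and lo in d and hi in d for s, d in exempt):
                missing.append(f"{net} -> {lo}-{hi}")
    return missing
```

Item 2 (the return route for 100.1.2.0/24 on the 100.1.1.1 router) cannot be verified from the PIX config alone, so this check covers only the NAT side.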
qvfps (Author) Commented:
That was what I needed.   Thanks a lot for the quick reply

Greg