
Solved

PIX InterVlan Routing

Posted on 2006-04-06
1,060 Views
Last Modified: 2013-11-16
The Setup:
VPNClient 4.6 --- Internet --- (outside) PIX 515 (3 inside subinterfaces VLAN 2, 3, 9) --- CAT 4506

INSIDE subinterfaces on PIX
VLAN 2 (192.168.2.0/24)
VLAN 3 (192.168.3.0/24)
VLAN 9 (192.168.9.0/24 - DMZ)

VPN Client receives a 192.168.2.X (VLAN 2) address from VPN IP-Pool.

The Question:
What is the best way to allow a VPNClient access to the 192.168.3.X network (VLAN3)?

Thanks,
Brian
Question by:brischaeffer
7 Comments
 
LVL 8

Expert Comment

by:MarkDozier
ID: 16394757
The best way would be a static route if the client is in one place with the same IP all the time.
LVL 79

Expert Comment

by:lrmoore
ID: 16395129
Add the VLAN3 subnet to the "nonat" access-list and the split-tunnel ACL if you use one.
I would suggest creating a new IP subnet just for VPN clients, then create two access-lists:

! Dedicated client pool, outside every internal subnet
ip local pool VPNCLIENTS 192.168.10.1-192.168.10.100
! Identity NAT (nat 0): traffic between each VLAN and the client pool is not translated
access-list nonatvlan2 permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list nonatvlan3 permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list nonatvlan9 permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.128

! Split tunnel: clients send only these networks through the tunnel
access-list splittunnel permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list splittunnel permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list splittunnel permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.128

! Bind the no-NAT lists to the interface names (vlan2/vlan3/vlan9 stand in for your nameifs)
nat (vlan2) 0 access-list nonatvlan2
nat (vlan3) 0 access-list nonatvlan3
nat (vlan9) 0 access-list nonatvlan9

! Apply the split-tunnel list to the VPN group (PIX 6.x syntax)
vpngroup YOURGROUP split-tunnel splittunnel

As long as whatever is the default gateway for each of these subnets (if it is the 4500) either points to the PIX as its DG or has a static route for the VPN client subnet, you're good to go.
LVL 32

Expert Comment

by:rsivanandan
ID: 16396963
Follow lrmoore's comments, just *DON'T* put the VPN clients in the same network as internal => communication problems can get horrible.

Cheers,
Rajesh

Author Comment

by:brischaeffer
ID: 16397644
OK, I am running PIX version 7.0(1), and below is a partial config of what I have now.
The remote VPNClient will be assigned a 192.168.10.X address, and they need to be able to reach all subnets (vlans 2, 3, & 9).
Please confirm.

interface Ethernet1
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.2
 vlan 2
 nameif INSIDE
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1.3
 vlan 3
 nameif VLAN3
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet1.9
 vlan 9
 nameif DMZ
 security-level 50
 ip address 192.168.9.1 255.255.255.0
!
same-security-traffic permit intra-interface
access-list INSIDE_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list VLAN3_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list DMZ_nat0_outbound extended permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.128

access-list netgroup_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list netgroup_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
access-list netgroup_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0

access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.10.0 255.255.255.128

global (outside) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 0.0.0.0 0.0.0.0
nat (VLAN3) 0 access-list VLAN3_nat0_outbound
nat (DMZ) 0 access-list DMZ_nat0_outbound
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1

ip local pool vpnpool 192.168.10.1-192.168.10.100 mask 255.255.255.255

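The conditions lrmoore lists above (every VLAN present in the nat 0 access-list and in the split-tunnel ACL, with the gateway question left to the switch) and rsivanandan's caveat (keep the client pool out of every internal subnet) can be checked mechanically before pasting a config into the PIX. The script below is an added example written for this page, not code from the thread or a Cisco tool. It embeds the author's posted 7.0(1) fragment as constructed sample input (trimmed to the relevant lines), parses it with an ad hoc regex parser that understands only the command forms shown there, and reports: an interface whose nat 0 ACL is missing or does not match the subnet to the whole `ip local pool` range, a subnet absent from the split-tunnel ACL, and a pool that overlaps an interface subnet. It goes a little beyond the thread by treating the pool as a range rather than a prefix, so a pool of .1-.200 behind a /25 no-NAT entry is flagged as well. The two broken variants at the bottom are constructed for the example.

```python
"""Check a PIX 7.x remote-access VPN config for the mistakes discussed in this
thread. Added example with an ad hoc parser that understands only the command
forms in the posted config; it is not Cisco tooling."""
import ipaddress
import re

# The author's posted 7.0(1) fragment, trimmed to the lines the checks need
# (constructed sample input for this example, not a complete PIX config).
SAMPLE_CONFIG = """\
interface Ethernet1.2
 nameif INSIDE
 ip address 192.168.2.1 255.255.255.0
interface Ethernet1.3
 nameif VLAN3
 ip address 192.168.3.1 255.255.255.0
interface Ethernet1.9
 nameif DMZ
 ip address 192.168.9.1 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list VLAN3_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list DMZ_nat0_outbound extended permit ip 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.128
access-list netgroup_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list netgroup_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
access-list netgroup_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 0.0.0.0 0.0.0.0
nat (VLAN3) 0 access-list VLAN3_nat0_outbound
nat (DMZ) 0 access-list DMZ_nat0_outbound
ip local pool vpnpool 192.168.10.1-192.168.10.100 mask 255.255.255.255
"""


def net(addr, mask):
    # '192.168.2.0', '255.255.255.0' -> IPv4Network('192.168.2.0/24')
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(cfg):
    """Extract interface subnets, ACL entries, nat 0 bindings and the client pool."""
    ifaces, acls, nat0, pool, cur = {}, {}, {}, None, None
    for line in cfg.splitlines():
        if m := re.match(r" nameif (\S+)", line):
            cur = m.group(1)
        elif m := re.match(r" ip address (\S+) (\S+)", line):
            ifaces[cur] = net(m.group(1), m.group(2))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m.group(1), []).append(
                (net(m.group(2), m.group(3)), net(m.group(4), m.group(5))))
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)", line):
            acls.setdefault(m.group(1), []).append((net(m.group(2), m.group(3)), None))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m.group(1)] = m.group(2)
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+)", line):
            pool = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
    return ifaces, acls, nat0, pool


def check(cfg, split_acl="netgroup_splitTunnelAcl"):
    """Return findings; an empty list means clients can reach every interface subnet."""
    ifaces, acls, nat0, pool = parse(cfg)
    # The pool is a range, not a prefix, so cover it with the minimal set of prefixes.
    pool_nets = list(ipaddress.summarize_address_range(*pool))
    findings = []
    for name, subnet in ifaces.items():
        if any(p.overlaps(subnet) for p in pool_nets):
            findings.append(f"{name}: client pool overlaps subnet {subnet}")
        # Identity NAT: one ACE must match this subnet to the entire pool; clients the
        # ACE leaves out fall through to whatever other nat rule applies (e.g. nat 1).
        aces = acls.get(nat0.get(name), [])
        if not any(subnet.subnet_of(src) and all(p.subnet_of(dst) for p in pool_nets)
                   for src, dst in aces):
            findings.append(f"{name}: no nat 0 entry covers {subnet} -> pool {pool[0]}-{pool[1]}")
        # Split tunnel: the client only routes the listed subnets into the tunnel.
        if not any(subnet.subnet_of(src) for src, _ in acls.get(split_acl, [])):
            findings.append(f"{name}: {subnet} missing from split-tunnel ACL {split_acl}")
    return findings


# Two deliberately broken variants of the sample (constructed for this example).
# 1. VLAN3 nat 0 ACL and its nat binding dropped: the symptom the question describes.
MISSING_VLAN3_NAT0 = "\n".join(l for l in SAMPLE_CONFIG.splitlines() if "VLAN3_nat0" not in l)
# 2. Pool grown to .200 while the nat 0 ACLs still say /25: clients .128-.200 get NATed.
POOL_TOO_BIG = SAMPLE_CONFIG.replace("192.168.10.100", "192.168.10.200")

if __name__ == "__main__":
    for label, cfg in [("posted", SAMPLE_CONFIG), ("no VLAN3 nat 0", MISSING_VLAN3_NAT0),
                       ("pool outgrows /25", POOL_TOO_BIG)]:
        print(f"{label}: {check(cfg) or 'ok'}")
```

Run it as a script: the posted config comes back clean, the first variant reports VLAN3 with no usable nat 0 entry, and the second reports all three interfaces because the /25 no longer contains the whole pool. To check a real box, paste the output of `show running-config` into `SAMPLE_CONFIG` (or read it from a file) and pass the name of your split-tunnel ACL to `check()`.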
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 16400151
Looks OK. What's not working now?
What is the default gateway for systems on vlan3 that you need access to from the client?

Author Comment

by:brischaeffer
ID: 16400415
Works like a champ.
Strange things were going on yesterday.
Initiated a factory default reset on PIX, reconfigured with same config and now the PIX and I are having a good day.
Thanks for clearing the cobwebs!
-Brian
LVL 79

Expert Comment

by:lrmoore
ID: 16401314
Glad you're working!