?
Solved

Remote user VPN connection to remote office via our HO VPN to that office not working. Cisco PIX equipement

Posted on 2006-04-27
3
Medium Priority
?
279 Views
Last Modified: 2013-11-16
We have set up our location with a PIX 506e as our firewall to the Internet. We used the 10.1.1.0 as our subnet in this location called Dallas. Our remote office uses a Cisco PIX 501 as well for their connection to the Internet. They used the 192.1.1.0 as their subnet. We went through all the correct actions to get a static VPN connection setup between the two. This has been going now for a week and seems to be doing just what we need. Now would like to finish this up to where my own VPN remote users can connect into our dallas site and then use that static VPN connection to do what they need. How would we go about setting that up for use? and is that the best way to occumplish this?

The dallas laptop users that connect in via the VPN will get a 10.1.5.0 subnet IP. i am including the PIX configs for both locations.

Thanks

Doug
--------------------

setup

                                          VPN  (VPN tunnel 10.1.5.0 subnet)
New static VPN                      |
Other Office---PIX (501)----internet------PIX (506e)-----Inside (10.1.1.0 Subnet)
192.168.1.0


Dallas PIX config

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nope encrypted
passwd nope encrypted
hostname tx-fw
domain-name name.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 10.1.1.30 DFW
access-list inside_access_in permit ip any any
access-list outside_in permit tcp any host a.b.c.27 eq smtp
access-list outside_in permit tcp 10.1.5.0 255.255.255.0 a.b.c.0 255.255.255.0
access-list outside_in permit tcp any host a.b.c.28 eq https
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 170 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list split permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.1.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside a.b.c.26 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-Pool 10.1.5.70-10.1.5.254
pdm location DFW 255.255.255.255 inside
pdm location 10.1.5.0 255.255.255.0 inside
pdm location 10.1.5.0 255.255.255.0 outside
pdm location 10.1.1.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 a.b.c.27
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp a.b.c.28 https DFW https netmask 255.255.255.255 0 0
static (inside,outside) tcp a.b.c.27 smtp DFW smtp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 a.b.c.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host DFW BMLLCTX timeout 5
http server enable
http 10.1.1.0 255.255.255.0 inside
http 10.1.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set SummitSet esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map dynmap 10 set transform-set SummitSet
crypto dynamic-map dynmap 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map SummitMap 10 ipsec-isakmp
crypto map SummitMap 10 match address 170
crypto map SummitMap 10 set peer x.y.z.226
crypto map SummitMap 10 set transform-set SummitSet
crypto map SummitMap 60 ipsec-isakmp dynamic dynmap
crypto map SummitMap client authentication partnerauth
crypto map SummitMap interface outside
isakmp enable outside
isakmp key ******** address x.y.z.226 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 10000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup TX-VPN address-pool VPN-Pool
vpngroup TX-VPN dns-server DFW DFW
vpngroup TX-VPN wins-server DFW DFW
vpngroup TX-VPN default-domain name.local
vpngroup TX-VPN split-tunnel split
vpngroup TX-VPN pfs
vpngroup TX-VPN idle-time 1800
vpngroup TX-VPN password ********
telnet 10.1.1.0 255.255.255.0 inside
telnet 10.1.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username plamont password nope encrypted privilege 15
username dholcombe password nope encrypted privilege 15
vpnclient server 10.1.1.1
vpnclient mode client-mode
vpnclient vpngroup TX-VPN password ********
terminal width 80
Cryptochecksum:8658080ae8fdc9a5d1af5fa4db6ecc0b
: end
[OK]



And here is the configure for the other office router



PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nope encrypted
passwd nope encrypted
hostname nope
domain-name nope.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.254.0
255.255.255.0
access-list 130 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 140 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outbound deny tcp any any eq aol
access-list outbound deny tcp any any eq 5050
access-list outbound deny tcp any any eq 1863
access-list outbound permit ip any any
access-list 150 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 170 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside X.Y.Z.226 255.255.255.240
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool SummitPool 192.168.254.10-192.168.254.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 X.Y.Z.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.112 ./config/sac
floodguard enable
sysopt connection tcpmss 1000
sysopt connection permit-ipsec
crypto ipsec transform-set SummitSet esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set SummitSet
crypto map SummitMap 20 ipsec-isakmp
crypto map SummitMap 20 match address 120
crypto map SummitMap 20 set peer m.n.o.141
crypto map SummitMap 20 set transform-set SummitSet
crypto map SummitMap 30 ipsec-isakmp
crypto map SummitMap 30 match address 130
crypto map SummitMap 30 set peer m.n.o.57
crypto map SummitMap 30 set transform-set SummitSet
crypto map SummitMap 40 ipsec-isakmp
crypto map SummitMap 40 match address 140
crypto map SummitMap 40 set peer m.n.o.78
crypto map SummitMap 40 set transform-set SummitSet
crypto map SummitMap 50 ipsec-isakmp
crypto map SummitMap 50 match address 150
crypto map SummitMap 50 set peer m.n.o.106
crypto map SummitMap 50 set transform-set SummitSet
crypto map SummitMap 60 ipsec-isakmp dynamic dynmap
crypto map SummitMap 70 ipsec-isakmp
crypto map SummitMap 70 match address 170
crypto map SummitMap 70 set peer a.b.c.26
crypto map SummitMap 70 set transform-set SummitSet
crypto map SummitMap interface outside
isakmp enable outside
isakmp key ******** address m.n.o.57 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp key ******** address m.n.o.141 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp key ******** address m.n.o.78 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp key ******** address m.n.o.106 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp key ******** address a.b.c.26 netmask 255.255.255.255
no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 10000
vpngroup SummitGroup address-pool SummitPool
vpngroup SummitGroup dns-server 192.168.1.10
vpngroup SummitGroup wins-server 192.168.1.10
vpngroup SummitGroup split-tunnel split
vpngroup SummitGroup idle-time 1800
vpngroup SummitGroup password ********
vpngroup SummitVPN address-pool SummitPool
vpngroup SummitVPN dns-server 192.168.1.10
vpngroup SummitVPN wins-server 192.168.1.10
vpngroup SummitVPN default-domain nope.int
vpngroup SummitVPN split-tunnel split
vpngroup SummitVPN idle-time 1800
vpngroup SummitVPN password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
username admin password nope encrypted privilege 15
terminal width 80
Cryptochecksum:fe938b8fea65b28e3171c4ec25ae7ac6
0
Comment
Question by:Douglas_H
3 Comments
 
LVL 9

Accepted Solution

by:
stressedout2004 earned 1500 total points
ID: 16558415
Hi Doug,

You lost me on this:

"Now would like to finish this up to where my own VPN remote users can connect into our dallas site and then use that static VPN connection to do what they need"

Do you mean that you wanted to be able to connect via VPN client to your Dallas site and from that same VPN connection be able to access the network on the remote site (PIX 501)? Or is it that the VPN client connection to Dallas is not working?

If what you wanted to do is to be able to access the remote site (501) thru your VPN client connection to Dallas, then this is not possible on PIX version 6.3 because it won't allow you to redirect traffic on the same interface it came in on.
0
 

Author Comment

by:Douglas_H
ID: 16558577
Yeah after rereading that statement it doesn't sound correct. Your statement is correct in what I want. So all that needs to be done is update the PIX to a newer version that can do this? if so what version of code and would it need to be on the 506e PIX or the 501 that needs it?

Thanks!
0
 
LVL 19

Expert Comment

by:nodisco
ID: 16560214
hi Douglas

PIX version 7 supports IPSec tunnel "U-turn" but it is only available on PIX models 515E and above so it will not help you.  Your best bet would be to configure the second PIX for VPN client access also and create a second profile for your clients for when they need to reach this network.  Not ideal, but workable.

hth
0

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month14 days, 15 hours left to enroll

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question