inteq
asked on
Cisco VPN Client
I just changed my firewall to Cisco PIX 506,My remote is using Cisco VPN Client to connect to headquaters,the connection is working fine they can succesfully connect to HQ,but when my users in HQ try to connect to my remote users PC they are unable to connect,so what should I do to make the users in HQ to be able to connect back my to my remote site users printers & PC,s
Thanks in Advance
Thanks in Advance
ASKER
PIX 506 is located at HQ,Yes I want the HQ Users to connect back to the VPN Client Users and the only resource which I want to access is printers connected to Clients Machines,so Users can send the print Jobs from HQ to be printed at remote site which is connected using Cisco VPN Client.
Thanks
Thanks
How is your acl configured for your VPN connections ?
ASKER
The ACL is open for everything for the local pool used to assign to the remote users .I only have problem to connect back from Network which is inside the pix to access the resources on the REmote Subnet which is connected using Cisco VPN Client.
ASKER
Expertsssssssss...........
AnY Comment PLZZZZZZZZZZZ
ITS URGENT
AnY Comment PLZZZZZZZZZZZ
ITS URGENT
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The VPN Client gets an IP address when he is connected to PIX at HQ when he use Cisco VPN Client to connect.The connected client can access the resources in HQ without any problem but when users from HQ wants to acess the resources on the clients machines they can't get through.Even I can't Ping to the clients connnected using thier IP addresses which is given by PIX.
How I make my HQ users to connect back to resources shred at clients Network.
The above mentioned solution I tried but it doesn't seem to be working.Below is the PIX Script so if you can please specify where I should put these lines:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password OyUlMbG6g3JRSjD3 encrypted
passwd OyUlMbG6g3JRSjD3 encrypted
hostname pix
domain-name abc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list abcvpn_splittunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in remark
access-list inside_access_in permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 any echo-reply
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq telnet
access-list outside_access_in remark
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit ip 192.168.17.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in permit tcp any host 203.125.127.210 eq smtp
access-list outside_access_in permit icmp any host 203.125.127.210
access-list inside_nat0_outbound permit ip any 192.168.17.0 255.255.255.0
access-list outside_cryptomap_dyn1 permit ip any 192.168.17.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 213.25.27.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnabc 192.168.17.1-192.168.17.30
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.10 255.255.255.255 inside
pdm location 192.168.17.0 255.255.255.0 outside
pdm history enable
arp timeout 18000
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 213.25.27.21 192.168.1.10 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 213.25.27.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:15:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:04:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_dyn1
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1800
vpngroup abcvpn address-pool vpnabc
vpngroup abcvpn dns-server 165.21.83.88 203.120.90.40
vpngroup abcvpn default-domain abc.com
vpngroup abcvpn split-tunnel apvpn_splittunnelAcl
vpngroup abcvpn idle-time 7200
vpngroup abcvpn password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:e06b851898c
: end
PLease help as this is very urgent.
Thanks
Thanks
How I make my HQ users to connect back to resources shred at clients Network.
The above mentioned solution I tried but it doesn't seem to be working.Below is the PIX Script so if you can please specify where I should put these lines:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password OyUlMbG6g3JRSjD3 encrypted
passwd OyUlMbG6g3JRSjD3 encrypted
hostname pix
domain-name abc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list abcvpn_splittunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in remark
access-list inside_access_in permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 any echo-reply
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq telnet
access-list outside_access_in remark
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit ip 192.168.17.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in permit tcp any host 203.125.127.210 eq smtp
access-list outside_access_in permit icmp any host 203.125.127.210
access-list inside_nat0_outbound permit ip any 192.168.17.0 255.255.255.0
access-list outside_cryptomap_dyn1 permit ip any 192.168.17.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 213.25.27.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnabc 192.168.17.1-192.168.17.30
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.10 255.255.255.255 inside
pdm location 192.168.17.0 255.255.255.0 outside
pdm history enable
arp timeout 18000
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 213.25.27.21 192.168.1.10 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 213.25.27.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:15:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:04:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_dyn1
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1800
vpngroup abcvpn address-pool vpnabc
vpngroup abcvpn dns-server 165.21.83.88 203.120.90.40
vpngroup abcvpn default-domain abc.com
vpngroup abcvpn split-tunnel apvpn_splittunnelAcl
vpngroup abcvpn idle-time 7200
vpngroup abcvpn password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:e06b851898c
: end
PLease help as this is very urgent.
Thanks
Thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks A lot .....!!!!!!!
It worked ....\
Now I have 1 more question as know my network setup.my remote site is using ADSL Connection(Dynamic) to connect to internet & to headquaters.
If i deploy a Cisco 877 ADSL Router can I create a permanent VPN to Headquaters?
Thanks for you help.
It worked ....\
Now I have 1 more question as know my network setup.my remote site is using ADSL Connection(Dynamic) to connect to internet & to headquaters.
If i deploy a Cisco 877 ADSL Router can I create a permanent VPN to Headquaters?
Thanks for you help.
Yes you can. Just configure the HQ to accept dynamic point to point VPN connection and you will be all set..
ASKER
How to do that?
ASKER
How to do that?
ASKER
How to do that?
ASKER
How to do that?
ASKER
How to do that?
ASKER
How to do that?
ASKER
How to do that?
ASKER
How to do that?
ASKER
How to do that?
ASKER
How to do that?
Assuming you have deployed the 877 Router and that the interal network
of the 877 is 192.168.2.0/24, you will need the following changes:
On the PIX:
isakmp key changeme address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
no crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_dyn1
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
On the 877 router:
crypto isakmp policy 10
hash md5
enc 3des
group 2
authentication pre-share
crypto isakmp key changeme address 213.25.27.2 no-xauth
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map main_vpn 10 ipsec-isakmp
set peer 213.25.27.2
set transform-set 3des
match address 120
Then you need to apply the crypto map on the WAN interface. But pretty much, for the
VPN part, the above is all you need.
of the 877 is 192.168.2.0/24, you will need the following changes:
On the PIX:
isakmp key changeme address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
no crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_dyn1
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
On the 877 router:
crypto isakmp policy 10
hash md5
enc 3des
group 2
authentication pre-share
crypto isakmp key changeme address 213.25.27.2 no-xauth
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map main_vpn 10 ipsec-isakmp
set peer 213.25.27.2
set transform-set 3des
match address 120
Then you need to apply the crypto map on the WAN interface. But pretty much, for the
VPN part, the above is all you need.
2) So when the VPN Client user gets connected to the HQ, you want the users on the HQ to be able to connect back to the VPN Client user and access the resources on the VPN Client user's PC. Correct? What particular resources do you want to access aside from printers (e.g shared folders, RDP, etc)