Solved

Cisco PIX VPN\IPSEC Tunnel?

Posted on 2006-06-12
15
1,285 Views
Last Modified: 2010-08-05
I am having a hard time getting these 2 PIX units to tunnel. I have racked my head and can't figure it out; any help would be great.

Here are the 2 Configs

Division PIX

: Written by enable_15 at 00:19:54.785 UTC Sat Jun 10 2006
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside1 security4
enable password IrCeK8fT0qca/Vry encrypted
passwd AOy7VwYFtREuO1jy encrypted
hostname Division
domain-name granitewave.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host X.X.X.36
access-list outside_in permit ip any host X.X.X.37
access-list outside_in permit ip any host X.X.X.38
access-list outside_in permit icmp any any
access-list ToToniTwr permit ip 10.10.0.0 255.255.0.0 10.10.2.0 255.255.255.0
access-list ToToniTwr permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list ToToniTwr permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list SplitTunnel permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SplitTunnel permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside1 1500
ip address outside X.X.X.9 255.255.255.0
ip address inside1 10.10.1.1 255.255.0.0
multicast interface inside1
ip audit info action alarm
ip audit attack action alarm
ip local pool gw 10.4.0.1-10.4.0.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside1) 0 access-list SplitTunnel
nat (inside1) 1 access-list SplitTunnel 0 0
nat (inside1) 1 0.0.0.0 0.0.0.0 0 0
static (inside1,outside) X.X.X.36 10.10.1.36 netmask 255.255.255.255 0 0
static (inside1,outside) X.X.X.37 10.10.1.37 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set kraset esp-3des esp-md5-hmac
crypto dynamic-map kra-dyn-map 10 set transform-set kraset
crypto map kra-map 20 ipsec-isakmp
crypto map kra-map 20 match address ToToniTwr
crypto map kra-map 20 set peer X.X.X.10
crypto map kra-map 20 set transform-set kraset
crypto map kra-map interface outside
isakmp enable outside
isakmp key ******** address X.X.X.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10 5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000
isakmp policy 90 authentication pre-share
isakmp policy 90 encryption 3des
isakmp policy 90 hash sha
isakmp policy 90 group 2
isakmp policy 90 lifetime 1000
vpngroup neavpn address-pool GW
vpngroup neavpn split-tunnel SplitTunnel
vpngroup neavpn idle-time 1800
vpngroup neavpn password ********
vpngroup cci address-pool GW
vpngroup cci split-tunnel SplitTunnel
vpngroup cci idle-time 1800
vpngroup cci password ********
telnet X.X.X.9 255.255.255.255 outside
telnet 10.10.0.0 255.255.0.0 inside1
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.1.10-10.10.1.254 inside1
dhcpd dns X.X.X.1 X.X.X.2
dhcpd lease 9000
dhcpd ping_timeout 750
dhcpd domain granitewave.com
dhcpd enable inside1
terminal width 80
Cryptochecksum:26a3ae0232174511c052c7b1471f6152
Division#



PIX 2
Toni Twr PIX



PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside1 security7
enable password IrCeK8fT0qca/Vry encrypted
passwd AOy7VwYFtREuO1jy encrypted
hostname ToniTwr
domain-name granitewave.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host X.X.X.38
access-list outside_in permit icmp any any
access-list outside_in permit ip any host X.X.X.5
access-list outside_in permit tcp any host X.X.X.5 eq www
access-list ToShawano permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list ToShawano permit ip 10.10.2.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list ToShawano permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list SplitTunnel permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SplitTunnel permit ip 10.10.2.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list SplitTunnel permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside1 1500
ip address outside X.X.X.10 255.255.255.0
ip address inside1 10.10.2.1 255.255.0.0
multicast interface inside1
ip audit info action alarm
ip audit attack action alarm
ip local pool GW 10.3.4.1-10.3.4.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside1) 0 access-list SplitTunnel
nat (inside1) 1 access-list SplitTunnel 0 0
nat (inside1) 1 0.0.0.0 0.0.0.0 0 0
static (inside1,outside) X.X.X.38 10.10.2.38 netmask 255.255.255.255 0 0
static (inside1,outside) X.X.X.5 10.10.2.5 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set kraset esp-3des esp-md5-hmac
crypto dynamic-map kra-map 10 set transform-set kraset
crypto map kra-map 20 ipsec-isakmp
crypto map kra-map 20 match address ToShawano
crypto map kra-map 20 set peer X.X.X.9
crypto map kra-map 20 set transform-set kraset
crypto map kra-map 30 ipsec-isakmp dynamic kra-map
crypto map kra-map interface outside
isakmp enable outside
isakmp key ******** address X.X.X.9 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10 5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000
isakmp policy 90 authentication pre-share
isakmp policy 90 encryption 3des
isakmp policy 90 hash md5
isakmp policy 90 group 2
isakmp policy 90 lifetime 1000
vpngroup neavpn address-pool GW
vpngroup neavpn split-tunnel SplitTunnel
vpngroup neavpn idle-time 1800
vpngroup neavpn password ********
vpngroup cci address-pool GW
vpngroup cci split-tunnel SplitTunnel
vpngroup cci idle-time 1800
vpngroup cci password ********
telnet 10.10.0.0 255.255.0.0 inside1
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd address 10.10.2.40-10.10.2.254 inside1
dhcpd dns X.X.X.1 X.X.X.2
dhcpd lease 9000
dhcpd ping_timeout 750
dhcpd domain granitewave.com
dhcpd enable inside1
terminal width 80
Cryptochecksum:4b86a58e9870126a296576ed23571074
0
Comment
Question by:tolsonkra
15 Comments
 
LVL 10

Expert Comment

by:Sorenson
ID: 16889074
Please post the following, from both sides if possible:

Show cry isa sa

Show cry ipsec sa

Thanks!
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 16889132
On both, remove nat (inside1) 1 access-list SplitTunnel;
it is not needed.

The PIXes both have the same internal subnet 10.10.x.x / 255.255.0.0. This simply won't work without some fancy NAT translation in between.

Is this a misconfig on the PIX? Should the inside interfaces be masked at 255.255.255.0 instead, so that they are 10.10.1.x and 10.10.2.x?

If that is the issue, then the SplitTunnel ACL will need to be cleaned up as well.
for the Division pix:
no access-list splittunnel
access-list splittunnel permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0   **(for point to point)
access-list splittunnel permit ip 10.10.1.0 255.255.255.0 10.4.0.0 255.255.255.0    **(for client vpn)

and on twr pix
no access-list splittunnel
access-list splittunnel permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0 **(for point to point)
access-list splittunnel permit ip 10.10.2.0 255.255.255.0 10.3.4.0 255.255.255.0  **(for client vpn)

hope that helps.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16889735
Sorenson - welcome back! Looks like it's been a long time. Good to see you around here, glad to have you back on the team..

tolsonkra - It won't work because both inside LAN subnets are in the same mask:
Site A
ip address inside1 10.10.1.1 255.255.0.0
Site B
ip address inside1 10.10.2.1 255.255.0.0

Both LANs are in the same 10.10.0.0/16 network. A tunnel will never happen.
You need to change one side to something like 10.11.2.x/16
0
 
LVL 3

Author Comment

by:tolsonkra
ID: 16889852
What if I changed one to a

10.10.1.0 255.255.0.0 subnet
and one to a
10.10.2.0 255.255.255.0 subnet?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16889936
10.10.2.0, even with a /24 mask is still part of the 10.10.0.0 /16 subnet of the first site.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16889996
You can change the mask at both ends to 255.255.255.0
Since your DHCP range only includes that mask, then it would be a safe/easy thing to do.

Then all of your access-lists can make sense:

Division:
no nat (inside1) 0 access-list SplitTunnel
no nat (inside1) 1 access-list SplitTunnel 0 0
access-list division_to_TnyTwr permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list no_nat permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
nat (inside) 0 access-list no_nat
crypto map kra-map 20 match address division_to_TnyTwr
crypto map kra-map interface outside  <== always re-apply the map after making changes

ToniTwr:
no nat (inside1) 0 access-list SplitTunnel
no nat (inside1) 1 access-list SplitTunnel 0 0
access-list TnyTwr_to_division permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list no_nat permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list no_nat
no crypto map kra-map 20 match address ToShawano
crypto map kra-map 20 match address TnyTwr_to_division
crypto map kra-map interface outside

NOTE: It does not make any difference what you call the ACLs; I just juggled them up a bit to be different from what you have, to avoid confusion...

Looking a little closer:
>route outside 0.0.0.0 0.0.0.0 X.X.X.250 1
>route outside 0.0.0.0 0.0.0.0 X.X.X.250 1
They BOTH have the same default gateway . . . are you doing this in a LAB?

 
0
 
LVL 3

Author Comment

by:tolsonkra
ID: 16890298
It is the same ISP, just different buildings.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16890740
OK, then all above still applies.
0
 
LVL 3

Author Comment

by:tolsonkra
ID: 16894626
Do I need to change anything on these?

vpngroup neavpn address-pool GW
vpngroup neavpn split-tunnel SplitTunnel
vpngroup neavpn idle-time 1800
vpngroup neavpn password ********
vpngroup cci address-pool GW
vpngroup cci split-tunnel SplitTunnel
vpngroup cci idle-time 1800
vpngroup cci password ********
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16895121
The SplitTunnel ACL for the VPN client should be in this format:

access-list SplitTunnel permit ip <local lan> <mask> <vpn client pool> <mask>

i.e.
ip address inside1 10.10.2.1 255.255.0.0
ip local pool GW 10.3.4.1-10.3.4.254
\\-- Delete existing acl and start over:
no access-list SplitTunnel
access-list SplitTunnel permit ip 10.10.2.0 255.255.255.0 10.3.4.0 255.255.255.0
\\-- Now you have to re-apply the split-tunnel to the vpngroups
vpngroup neavpn split-tunnel SplitTunnel
vpngroup cci split-tunnel SplitTunnel



0
 
LVL 3

Author Comment

by:tolsonkra
ID: 16897640
Alright, what the heck did I do wrong? I can get from the 10.10.1.0 network to some of the 10.10.2.0 network, but not all.

I can get from the 10.10.2.0 network to the 10.10.1.0 network, but not all.

I have some web-based apps on both networks that are on the 2-10 IPs that I need cross access to, but not to give real IPs.

Here are the configs:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside1 security7
enable password IrCeK8fT0qca/Vry encrypted
passwd AOy7VwYFtREuO1jy encrypted
hostname ToniTwr
domain-name granitewave.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host X.X.105.38
access-list outside_in permit icmp any any
access-list outside_in permit ip any host X.X.105.5
access-list outside_in permit tcp any host X.X.105.5 eq www
access-list outside_in permit tcp any host X.X.105.5 eq 3389
access-list TnyTwr_to_division permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list no_nat permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside1 1500
ip address outside X.X.105.10 255.255.255.0
ip address inside1 10.10.2.1 255.255.255.0
multicast interface inside1
ip audit info action alarm
ip audit attack action alarm
ip local pool GW 10.10.3.1-10.10.3.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside1) 0 access-list no_nat
nat (inside1) 1 0.0.0.0 0.0.0.0 0 0
static (inside1,outside) X.X.105.38 10.10.2.38 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.105.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set kraset esp-3des esp-md5-hmac
crypto dynamic-map kra-map 10 set transform-set kraset
crypto map kra-map 20 ipsec-isakmp
crypto map kra-map 20 match address TnyTwr_to_division
crypto map kra-map 20 set peer X.X.105.9
crypto map kra-map 20 set transform-set kraset
crypto map kra-map 30 ipsec-isakmp dynamic kra-map
crypto map kra-map interface outside
isakmp enable outside
isakmp key ******** address X.X.105.9 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10 5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000
isakmp policy 90 authentication pre-share
isakmp policy 90 encryption 3des
isakmp policy 90 hash md5
isakmp policy 90 group 2
isakmp policy 90 lifetime 1000
vpngroup neavpn address-pool GW
vpngroup neavpn idle-time 1800
vpngroup neavpn password ********
vpngroup cci address-pool GW
vpngroup cci idle-time 1800
vpngroup cci password ********
telnet 10.10.0.0 255.255.0.0 inside1
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd address 10.10.2.40-10.10.2.254 inside1
dhcpd dns X.X.105.1 X.X.105.2
dhcpd lease 9000
dhcpd ping_timeout 750
dhcpd domain granitewave.com
dhcpd enable inside1
terminal width 80


2nd PIX

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside1 security4
enable password IrCeK8fT0qca/Vry encrypted
passwd AOy7VwYFtREuO1jy encrypted
hostname Division
domain-name granitewave.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host X.X.105.36
access-list outside_in permit ip any host X.X.105.37
access-list outside_in permit ip any host X.X.105.38
access-list outside_in permit icmp any any
access-list division_to_TnyTwr permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list no_nat permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside1 1500
ip address outside X.X.105.9 255.255.255.0
ip address inside1 10.10.1.1 255.255.255.0
multicast interface inside1
ip audit info action alarm
ip audit attack action alarm
ip local pool GW 10.10.4.1-10.10.4.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside1) 0 access-list no_nat
nat (inside1) 1 0.0.0.0 0.0.0.0 0 0
static (inside1,outside) X.X.105.36 10.10.1.36 netmask 255.255.255.255 0 0
static (inside1,outside) X.X.105.37 10.10.1.37 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.105.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set kraset esp-3des esp-md5-hmac
crypto dynamic-map kra-dyn-map 10 set transform-set kraset
crypto map kra-map 20 ipsec-isakmp
crypto map kra-map 20 match address division_to_TnyTwr
crypto map kra-map 20 set peer X.X.105.10
crypto map kra-map 20 set transform-set kraset
crypto map kra-map interface outside
isakmp enable outside
isakmp key ******** address X.X.105.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10 5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000
isakmp policy 90 authentication pre-share
isakmp policy 90 encryption 3des
isakmp policy 90 hash sha
isakmp policy 90 group 2
isakmp policy 90 lifetime 1000
vpngroup neavpn address-pool GW
vpngroup neavpn split-tunnel SplitTunnel
vpngroup neavpn idle-time 1800
vpngroup neavpn password ********
vpngroup cci address-pool GW
vpngroup cci split-tunnel SplitTunnel
vpngroup cci idle-time 1800
vpngroup cci password ********
telnet X.X.105.9 255.255.255.255 outside
telnet 10.10.0.0 255.255.0.0 inside1
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.1.50-10.10.1.254 inside1
dhcpd dns X.X.105.1 X.X.105.2
dhcpd lease 9000
dhcpd ping_timeout 750
dhcpd domain granitewave.com
dhcpd enable inside1
terminal width 80
Cryptochecksum:1a6a24cceb5af60191d547d9748ccdc7
Division(config)# access-list SplitTunnel permit ip 10.10.1.0 255.255.255.0 10$
Division(config)# vpngroup neavpn split-tunnel SplitTunnel
Division(config)# vpngroup cci split-tunnel SplitTunnel
Division(config)# wr mem
Building configuration...
Cryptochecksum: 73cc69ac c8113215 4a6e3e16 9f3ae7f0
[OK]
Division(config)# ip address inside 10.10.1.1 255.255.255.0
Division(config)# wr mem
Building configuration...
Cryptochecksum: 73cc69ac c8113215 4a6e3e16 9f3ae7f0
[OK]
Division(config)# sho conf
: Saved
: Written by enable_15 at 19:57:30.400 UTC Tue Jun 13 2006
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside1 security4
enable password IrCeK8fT0qca/Vry encrypted
passwd AOy7VwYFtREuO1jy encrypted
hostname Division
domain-name granitewave.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host X.X.105.36
access-list outside_in permit ip any host X.X.105.37
access-list outside_in permit ip any host X.X.105.38
access-list outside_in permit icmp any any
access-list division_to_TnyTwr permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list SplitTunnel permit ip 10.10.1.0 255.255.255.0 10.10.4.0 255.255.255.0
access-list no_nat permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside1 1500
ip address outside X.X.105.9 255.255.255.0
ip address inside1 10.10.1.1 255.255.255.0
multicast interface inside1
ip audit info action alarm
ip audit attack action alarm
ip local pool GW 10.10.4.1-10.10.4.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside1) 0 access-list no_nat
nat (inside1) 1 0.0.0.0 0.0.0.0 0 0
static (inside1,outside) X.X.105.36 10.10.1.36 netmask 255.255.255.255 0 0
static (inside1,outside) X.X.105.37 10.10.1.37 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.105.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set kraset esp-3des esp-md5-hmac
crypto dynamic-map kra-dyn-map 10 set transform-set kraset
crypto map kra-map 20 ipsec-isakmp
crypto map kra-map 20 match address division_to_TnyTwr
crypto map kra-map 20 set peer X.X.105.10
crypto map kra-map 20 set transform-set kraset
crypto map kra-map interface outside
isakmp enable outside
isakmp key ******** address X.X.105.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10 5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000
isakmp policy 90 authentication pre-share
isakmp policy 90 encryption 3des
isakmp policy 90 hash sha
isakmp policy 90 group 2
isakmp policy 90 lifetime 1000
vpngroup neavpn address-pool GW
vpngroup neavpn split-tunnel SplitTunnel
vpngroup neavpn idle-time 1800
vpngroup neavpn password ********
vpngroup cci address-pool GW
vpngroup cci split-tunnel SplitTunnel
vpngroup cci idle-time 1800
vpngroup cci password ********
telnet X.X.105.9 255.255.255.255 outside
telnet 10.10.0.0 255.255.0.0 inside1
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.1.50-10.10.1.254 inside1
dhcpd dns X.X.105.1 X.X.105.2
dhcpd lease 9000
dhcpd ping_timeout 750
dhcpd domain granitewave.com
dhcpd enable inside1
terminal width 80
Cryptochecksum:73cc69acc81132154a6e3e169f3ae7f0
Division(config)#
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16897682
Compare the default gateway settings and subnet masks on the hosts that you can and cannot get to.
The host default gateway should point to the PIX's inside IP.
The host subnet mask must be 255.255.255.0.

On Division, add this line for the VPN users:
  access-list no_nat permit ip 10.10.1.0 255.255.255.0 10.10.4.0 255.255.255.0

On the other one, add this line:
   access-list no_nat permit ip 10.10.2.0 255.255.255.0 10.10.4.0 255.255.255.0
 
0
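The checks lrmoore walks through above can be automated against the posted configs: whether the two inside LANs overlap (the root cause in this thread, including tolsonkra's /24-on-one-side variant, which still sits inside the other site's /16), what the crypto-map match, nat 0 and SplitTunnel ACLs should look like once the masks are /24, and whether the two peers' crypto ACLs mirror each other. This is an added example, not code from the thread or from Cisco; the function names (lan_of, pool_of, sites_overlap, tunnel_acls, mirrored) are mine, the config excerpts are constructed from the addresses posted in the thread, and the second no_nat line uses each side's own client pool, which generalizes the single line lrmoore gives for Division.

```python
"""Audit helpers for a PIX 6.3 site-to-site tunnel (added example, standard library only).

Covers the three things this thread turned on: overlapping inside subnets,
the ACLs that must describe the tunnel traffic, and mirror-image crypto ACLs.
"""
import re
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List

# Constructed config excerpts; addresses are those posted in the thread,
# before and after the mask change to 255.255.255.0.
DIVISION_BEFORE = "ip address inside1 10.10.1.1 255.255.0.0\nip local pool gw 10.4.0.1-10.4.0.254\n"
TONITWR_BEFORE = "ip address inside1 10.10.2.1 255.255.0.0\nip local pool GW 10.3.4.1-10.3.4.254\n"
DIVISION_AFTER = "ip address inside1 10.10.1.1 255.255.255.0\nip local pool GW 10.10.4.1-10.10.4.254\n"
TONITWR_AFTER = "ip address inside1 10.10.2.1 255.255.255.0\nip local pool GW 10.10.3.1-10.10.3.254\n"

ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")


def lan_of(config: str, ifname: str = "inside1") -> IPv4Network:
    """Network of the named interface, derived from its 'ip address' line."""
    for line in config.splitlines():
        m = ADDR_RE.match(line.strip())
        if m and m.group(1) == ifname:
            # strict=False lets the interface host address stand for its network
            return ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
    raise ValueError(f"no 'ip address {ifname}' line in config")


def covering_network(first: str, last: str) -> IPv4Network:
    """Smallest single prefix containing a pool range such as 10.3.4.1-10.3.4.254."""
    net = ip_network(f"{first}/32")
    while ip_address(last) not in net:
        net = net.supernet()
    return net


def pool_of(config: str) -> IPv4Network:
    """Prefix covering the 'ip local pool' range handed to VPN clients."""
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            return covering_network(m.group(2), m.group(3))
    raise ValueError("no 'ip local pool' line in config")


def sites_overlap(local: str, remote: str) -> bool:
    """True when the two inside LANs share any address. A site-to-site tunnel
    cannot work then: each PIX treats the remote LAN as directly connected."""
    return lan_of(local).overlaps(lan_of(remote))


def pix(net: IPv4Network) -> str:
    """PIX ACL notation: network address followed by a dotted netmask."""
    return f"{net.network_address} {net.netmask}"


def tunnel_acls(local: str, remote: str, crypto_acl: str) -> List[str]:
    """ACL lines one side needs: the crypto-map match ACL, the nat 0 exemption
    (LAN to remote LAN, and LAN to this side's own client pool), and the
    split-tunnel ACL. Run it with the arguments swapped for the other peer."""
    lan, rlan, pool = lan_of(local), lan_of(remote), pool_of(local)
    return [
        f"access-list {crypto_acl} permit ip {pix(lan)} {pix(rlan)}",
        f"access-list no_nat permit ip {pix(lan)} {pix(rlan)}",
        f"access-list no_nat permit ip {pix(lan)} {pix(pool)}",
        f"access-list SplitTunnel permit ip {pix(lan)} {pix(pool)}",
    ]


def mirrored(local_acl_line: str, remote_acl_line: str) -> bool:
    """True when two crypto-map match ACL lines are mirror images: the source
    network/mask of one equals the destination network/mask of the other."""
    l, r = local_acl_line.split(), remote_acl_line.split()
    return l[-4:-2] == r[-2:] and l[-2:] == r[-4:-2]


if __name__ == "__main__":
    print("overlap with /16 on both sides:", sites_overlap(DIVISION_BEFORE, TONITWR_BEFORE))
    print("overlap with /24 on one side only:", sites_overlap(DIVISION_BEFORE, TONITWR_AFTER))
    print("overlap with /24 on both sides:", sites_overlap(DIVISION_AFTER, TONITWR_AFTER))
    for line in tunnel_acls(DIVISION_AFTER, TONITWR_AFTER, "division_to_TnyTwr"):
        print(line)
```

Feeding the original ToShawano and ToToniTwr lines to mirrored() shows why the first configs could not agree on the traffic to protect: the /16-to-/16 entry on one side is not the mirror of the /16-to-/24 entry on the other.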
 
LVL 3

Author Comment

by:tolsonkra
ID: 16898368
What if I don't want to have the VPN clients access it, but just use the IPsec tunnel from PIX to PIX to allow HTTP access?

For instance, just a normal PC on the net (no VPN client) on 10.10.1.1 wants to get to an HTTP site on the 10.10.10.2.1 network; do I need an access list?

Thanks for all the help.

Almost there. All PIXes are talking now.

This network was set up before I got here and I couldn't change IP subnets, or I could have gotten it done myself.


0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 16898654
>a normal pc on the net no VPN Client on 10.10.1.1 wants to get to an http site on 10.10.10.2.1 network do i need an access list?
No. Any host on either side of the tunnel has full access to the other network. That is the primary purpose of a site-site VPN tunnel.

0
 
LVL 3

Author Comment

by:tolsonkra
ID: 16903930
Thanks. They had to change the subnet mask and then all was fine. Thanks for all the help.
0
