Asked by tolsonkra
Cisco PIX VPN/IPsec tunnel?

I am having a hard time getting these two PIX units to tunnel. I have racked my brain and can't figure it out; any help would be great.

Here are the two configs.

Division PIX

: Written by enable_15 at 00:19:54.785 UTC Sat Jun 10 2006
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside1 security4
enable password IrCeK8fT0qca/Vry encrypted
passwd AOy7VwYFtREuO1jy encrypted
hostname Division
domain-name granitewave.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host X.X.X.36
access-list outside_in permit ip any host X.X.X.37
access-list outside_in permit ip any host X.X.X.38
access-list outside_in permit icmp any any
access-list ToToniTwr permit ip 10.10.0.0 255.255.0.0 10.10.2.0 255.255.255.0
access-list ToToniTwr permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list ToToniTwr permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list SplitTunnel permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SplitTunnel permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside1 1500
ip address outside X.X.X.9 255.255.255.0
ip address inside1 10.10.1.1 255.255.0.0
multicast interface inside1
ip audit info action alarm
ip audit attack action alarm
ip local pool gw 10.4.0.1-10.4.0.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside1) 0 access-list SplitTunnel
nat (inside1) 1 access-list SplitTunnel 0 0
nat (inside1) 1 0.0.0.0 0.0.0.0 0 0
static (inside1,outside) X.X.X.36 10.10.1.36 netmask 255.255.255.255 0 0
static (inside1,outside) X.X.X.37 10.10.1.37 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set kraset esp-3des esp-md5-hmac
crypto dynamic-map kra-dyn-map 10 set transform-set kraset
crypto map kra-map 20 ipsec-isakmp
crypto map kra-map 20 match address ToToniTwr
crypto map kra-map 20 set peer X.X.X.10
crypto map kra-map 20 set transform-set kraset
crypto map kra-map interface outside
isakmp enable outside
isakmp key ******** address X.X.X.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10 5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000
isakmp policy 90 authentication pre-share
isakmp policy 90 encryption 3des
isakmp policy 90 hash sha
isakmp policy 90 group 2
isakmp policy 90 lifetime 1000
vpngroup neavpn address-pool GW
vpngroup neavpn split-tunnel SplitTunnel
vpngroup neavpn idle-time 1800
vpngroup neavpn password ********
vpngroup cci address-pool GW
vpngroup cci split-tunnel SplitTunnel
vpngroup cci idle-time 1800
vpngroup cci password ********
telnet X.X.X.9 255.255.255.255 outside
telnet 10.10.0.0 255.255.0.0 inside1
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.1.10-10.10.1.254 inside1
dhcpd dns X.X.X.1 X.X.X.2
dhcpd lease 9000
dhcpd ping_timeout 750
dhcpd domain granitewave.com
dhcpd enable inside1
terminal width 80
Cryptochecksum:26a3ae0232174511c052c7b1471f6152
Division#



PIX 2
Toni Twr PIX



PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside1 security7
enable password IrCeK8fT0qca/Vry encrypted
passwd AOy7VwYFtREuO1jy encrypted
hostname ToniTwr
domain-name granitewave.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host X.X.X.38
access-list outside_in permit icmp any any
access-list outside_in permit ip any host X.X.X.5
access-list outside_in permit tcp any host X.X.X.5 eq www
access-list ToShawano permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list ToShawano permit ip 10.10.2.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list ToShawano permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list SplitTunnel permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list SplitTunnel permit ip 10.10.2.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list SplitTunnel permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside1 1500
ip address outside X.X.X.10 255.255.255.0
ip address inside1 10.10.2.1 255.255.0.0
multicast interface inside1
ip audit info action alarm
ip audit attack action alarm
ip local pool GW 10.3.4.1-10.3.4.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside1) 0 access-list SplitTunnel
nat (inside1) 1 access-list SplitTunnel 0 0
nat (inside1) 1 0.0.0.0 0.0.0.0 0 0
static (inside1,outside) X.X.X.38 10.10.2.38 netmask 255.255.255.255 0 0
static (inside1,outside) X.X.X.5 10.10.2.5 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set kraset esp-3des esp-md5-hmac
crypto dynamic-map kra-map 10 set transform-set kraset
crypto map kra-map 20 ipsec-isakmp
crypto map kra-map 20 match address ToShawano
crypto map kra-map 20 set peer X.X.X.9
crypto map kra-map 20 set transform-set kraset
crypto map kra-map 30 ipsec-isakmp dynamic kra-map
crypto map kra-map interface outside
isakmp enable outside
isakmp key ******** address X.X.X.9 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10 5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000
isakmp policy 90 authentication pre-share
isakmp policy 90 encryption 3des
isakmp policy 90 hash md5
isakmp policy 90 group 2
isakmp policy 90 lifetime 1000
vpngroup neavpn address-pool GW
vpngroup neavpn split-tunnel SplitTunnel
vpngroup neavpn idle-time 1800
vpngroup neavpn password ********
vpngroup cci address-pool GW
vpngroup cci split-tunnel SplitTunnel
vpngroup cci idle-time 1800
vpngroup cci password ********
telnet 10.10.0.0 255.255.0.0 inside1
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd address 10.10.2.40-10.10.2.254 inside1
dhcpd dns X.X.X.1 X.X.X.2
dhcpd lease 9000
dhcpd ping_timeout 750
dhcpd domain granitewave.com
dhcpd enable inside1
terminal width 80
Cryptochecksum:4b86a58e9870126a296576ed23571074
Sorenson

Please post the following, from both sides if possible:

show cry isa sa

show cry ipsec sa

Thanks!

On both, remove "nat (inside1) 1 access-list SplitTunnel"; it is not needed.

The PIXes both have the same internal subnet, 10.10.x.x / 255.255.0.0. This simply won't work without some fancy NAT translation in between.

Is this a misconfig on the PIX? Should the inside interfaces be masked at 255.255.255.0 instead, so that they are 10.10.1.x and 10.10.2.x?

If that is the issue, then the SplitTunnel ACL will need to be cleaned up as well.
For the Division PIX:
no access-list SplitTunnel
access-list SplitTunnel permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0   **(for point to point)
access-list SplitTunnel permit ip 10.10.1.0 255.255.255.0 10.4.0.0 255.255.255.0    **(for client VPN)

And on the Twr PIX:
no access-list SplitTunnel
access-list SplitTunnel permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0 **(for point to point)
access-list SplitTunnel permit ip 10.10.2.0 255.255.255.0 10.3.4.0 255.255.255.0  **(for client VPN)

hope that helps.

Sorenson - welcome back! Looks like it's been a long time. Good to see you around here, glad to have you back on the team..

tolsonkra - It won't work because both inside LAN subnets are in the same mask:
Site A
ip address inside1 10.10.1.1 255.255.0.0
Site B
ip address inside1 10.10.2.1 255.255.0.0

Both LANs are in the same 10.10.0.0/16 network. A tunnel will never happen.
You need to change one side to something like 10.11.2.x/16
tolsonkra (asker)

What if I changed one to the 10.10.1.0 255.255.0.0 subnet and the other to the 10.10.2.0 255.255.255.0 subnet?
10.10.2.0, even with a /24 mask, is still part of the 10.10.0.0/16 subnet of the first site.
You can change the mask at both ends to 255.255.255.0.
Since your DHCP range already fits within that mask, it would be a safe/easy thing to do.

Then all of your access-lists can make sense:

Division:
no nat (inside1) 0 access-list SplitTunnel
no nat (inside1) 1 access-list SplitTunnel 0 0
access-list division_to_TnyTwr permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list no_nat permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
nat (inside1) 0 access-list no_nat
crypto map kra-map 20 match address division_to_TnyTwr
crypto map kra-map interface outside  <== always re-apply the map after making changes

ToniTwr:
no nat (inside1) 0 access-list SplitTunnel
no nat (inside1) 1 access-list SplitTunnel 0 0
access-list TnyTwr_to_division permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list no_nat permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside1) 0 access-list no_nat
no crypto map kra-map 20 match address ToShawano
crypto map kra-map 20 match address TnyTwr_to_division
crypto map kra-map interface outside

NOTE: It does not make any difference what you call the ACLs; I just juggled them up a bit to be different from what you have, to avoid confusion.

Looking a little closer:
>route outside 0.0.0.0 0.0.0.0 X.X.X.250 1
>route outside 0.0.0.0 0.0.0.0 X.X.X.250 1
They BOTH have the same default gateway . . . are you doing this in a LAB?
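The rules the answers above apply by hand (inside networks must not overlap, the crypto ACLs must be mirror images, the nat 0 ACL must exempt what the crypto ACL encrypts, and at least one ISAKMP policy must agree on both boxes) can be checked mechanically before the tunnel is even tried. The script below is an added example for this page, not code from the thread or from Cisco; the config fragments in it are constructed, cut down from the posts above, with the "before" pair keeping the original 255.255.0.0 inside masks and the "after" pair using the /24 layout prescribed here. The function names (parse_pix, check_side, check_pair) are my own.

```python
"""Pre-flight check for a pair of PIX 6.3 site-to-site configs.

Added example, not from the thread: the config fragments are constructed, cut down
from the posts above; 'before' keeps the 255.255.0.0 inside masks, 'after' is the
layout the answer prescribes. The checks are the ones the answer applies by hand.
"""
import ipaddress
import re

POLICY = """\
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
"""
DIVISION_BEFORE = POLICY + """\
ip address inside1 10.10.1.1 255.255.0.0
access-list ToToniTwr permit ip 10.10.0.0 255.255.0.0 10.10.2.0 255.255.255.0
access-list ToToniTwr permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list ToToniTwr permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list SplitTunnel permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
nat (inside1) 0 access-list SplitTunnel
crypto map kra-map 20 match address ToToniTwr
"""
TONITWR_BEFORE = POLICY + """\
ip address inside1 10.10.2.1 255.255.0.0
access-list ToShawano permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list ToShawano permit ip 10.10.2.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list ToShawano permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list SplitTunnel permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
nat (inside1) 0 access-list SplitTunnel
crypto map kra-map 20 match address ToShawano
"""
DIVISION_AFTER = POLICY + """\
ip address inside1 10.10.1.1 255.255.255.0
access-list division_to_TnyTwr permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list no_nat permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
nat (inside1) 0 access-list no_nat
crypto map kra-map 20 match address division_to_TnyTwr
"""
TONITWR_AFTER = POLICY + """\
ip address inside1 10.10.2.1 255.255.255.0
access-list TnyTwr_to_division permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list no_nat permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside1) 0 access-list no_nat
crypto map kra-map 20 match address TnyTwr_to_division
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_pix(text):
    """Pull the tunnel-relevant lines out of a PIX 6.3 config."""
    cfg = {"inside": None, "acls": {}, "crypto_acl": None, "nonat_acl": None, "policies": {}}
    for line in text.splitlines():
        if m := re.match(r"ip address (?!outside)\S+ (\S+) (\S+)", line):
            cfg["inside"] = net(m[1], m[2])
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            cfg["crypto_acl"] = m[1]
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            cfg["nonat_acl"] = m[1]
        elif m := re.match(r"isakmp policy (\d+) (authentication|encryption|hash|group) (\S+)", line):
            cfg["policies"].setdefault(m[1], {})[m[2]] = m[3]
    return cfg

def check_side(cfg, name):
    """Problems visible on one box: self-overlapping crypto entries and nat 0 gaps."""
    out, sel = [], cfg["acls"].get(cfg["crypto_acl"], [])
    nonat = cfg["acls"].get(cfg["nonat_acl"], [])
    for src, dst in sel:
        if src.overlaps(dst):  # "local 10.10.0.0/16 to remote 10.10.0.0/16" selects nothing useful
            out.append(f"{name}: crypto ACL entry {src} -> {dst} overlaps itself")
        if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in nonat):
            out.append(f"{name}: {src} -> {dst} is encrypted but not exempted from NAT")
    return out

def check_pair(a, b, names=("A", "B")):
    """Cross-box checks; an empty list means the pair is consistent."""
    out = check_side(a, names[0]) + check_side(b, names[1])
    if a["inside"].overlaps(b["inside"]):
        out.append(f"inside networks overlap: {a['inside']} and {b['inside']}")
    mirror = {(d, s) for s, d in b["acls"].get(b["crypto_acl"], [])}
    if set(a["acls"].get(a["crypto_acl"], [])) != mirror:
        out.append("crypto ACLs are not mirror images of each other")
    keys = ("authentication", "encryption", "hash", "group")
    if not any(all(pa.get(k) == pb.get(k) for k in keys)
               for pa in a["policies"].values() for pb in b["policies"].values()):
        out.append("no ISAKMP policy matches on auth/encryption/hash/group")
    return out

if __name__ == "__main__":
    for label, pair in (("before", (DIVISION_BEFORE, TONITWR_BEFORE)),
                        ("after", (DIVISION_AFTER, TONITWR_AFTER))):
        findings = check_pair(*map(parse_pix, pair), names=("Division", "ToniTwr"))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

On the "before" pair the script reports five findings: the two inside networks overlap, and four crypto ACL entries have a local side that overlaps their remote side, which is the /16 problem in one line: a PIX given "10.10.0.0/16 to 10.10.0.0/16" cannot decide whether a packet belongs on the LAN or in the tunnel. On the "after" pair it reports nothing. Two things the posted configs carry that the script does not check but a practitioner should fix while in there: "snmp-server community public" on both boxes, and "ssh 0.0.0.0 0.0.0.0 outside" on ToniTwr, which accepts SSH from any source on the Internet.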

 
It is the same ISP, just different buildings.
OK, then all of the above still applies.
Do I need to change anything on these?

vpngroup neavpn address-pool GW
vpngroup neavpn split-tunnel SplitTunnel
vpngroup neavpn idle-time 1800
vpngroup neavpn password ********
vpngroup cci address-pool GW
vpngroup cci split-tunnel SplitTunnel
vpngroup cci idle-time 1800
vpngroup cci password ********
The SplitTunnel ACL for the VPN client should be in this format:

access-list SplitTunnel permit ip <local lan> <mask> <vpn client pool> <mask>

i.e.
ip address inside1 10.10.2.1 255.255.0.0
ip local pool GW 10.3.4.1-10.3.4.254
-- Delete the existing ACL and start over:
no access-list SplitTunnel
access-list SplitTunnel permit ip 10.10.2.0 255.255.255.0 10.3.4.0 255.255.255.0
-- Now you have to re-apply the split tunnel to the vpngroups:
vpngroup neavpn split-tunnel SplitTunnel
vpngroup cci split-tunnel SplitTunnel



Alright, what the heck did I do wrong? I can get from the 10.10.1.0 network to some of the 10.10.2.0 network but not all.

I can get from the 10.10.2.0 network to the 10.10.1.0 network but not all.

I have some web-based apps on both networks that are on the 2-10 IPs that I need cross access to, but without giving out real IPs.

Here are the configs.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside1 security7
enable password IrCeK8fT0qca/Vry encrypted
passwd AOy7VwYFtREuO1jy encrypted
hostname ToniTwr
domain-name granitewave.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host X.X.105.38
access-list outside_in permit icmp any any
access-list outside_in permit ip any host X.X.105.5
access-list outside_in permit tcp any host X.X.105.5 eq www
access-list outside_in permit tcp any host X.X.105.5 eq 3389
access-list TnyTwr_to_division permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list no_nat permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside1 1500
ip address outside X.X.105.10 255.255.255.0
ip address inside1 10.10.2.1 255.255.255.0
multicast interface inside1
ip audit info action alarm
ip audit attack action alarm
ip local pool GW 10.10.3.1-10.10.3.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside1) 0 access-list no_nat
nat (inside1) 1 0.0.0.0 0.0.0.0 0 0
static (inside1,outside) X.X.105.38 10.10.2.38 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.105.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set kraset esp-3des esp-md5-hmac
crypto dynamic-map kra-map 10 set transform-set kraset
crypto map kra-map 20 ipsec-isakmp
crypto map kra-map 20 match address TnyTwr_to_division
crypto map kra-map 20 set peer X.X.105.9
crypto map kra-map 20 set transform-set kraset
crypto map kra-map 30 ipsec-isakmp dynamic kra-map
crypto map kra-map interface outside
isakmp enable outside
isakmp key ******** address X.X.105.9 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10 5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000
isakmp policy 90 authentication pre-share
isakmp policy 90 encryption 3des
isakmp policy 90 hash md5
isakmp policy 90 group 2
isakmp policy 90 lifetime 1000
vpngroup neavpn address-pool GW
vpngroup neavpn idle-time 1800
vpngroup neavpn password ********
vpngroup cci address-pool GW
vpngroup cci idle-time 1800
vpngroup cci password ********
telnet 10.10.0.0 255.255.0.0 inside1
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd address 10.10.2.40-10.10.2.254 inside1
dhcpd dns X.X.105.1 X.X.105.2
dhcpd lease 9000
dhcpd ping_timeout 750
dhcpd domain granitewave.com
dhcpd enable inside1
terminal width 80


2nd PIX

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside1 security4
enable password IrCeK8fT0qca/Vry encrypted
passwd AOy7VwYFtREuO1jy encrypted
hostname Division
domain-name granitewave.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host X.X.105.36
access-list outside_in permit ip any host X.X.105.37
access-list outside_in permit ip any host X.X.105.38
access-list outside_in permit icmp any any
access-list division_to_TnyTwr permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list no_nat permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside1 1500
ip address outside X.X.105.9 255.255.255.0
ip address inside1 10.10.1.1 255.255.255.0
multicast interface inside1
ip audit info action alarm
ip audit attack action alarm
ip local pool GW 10.10.4.1-10.10.4.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside1) 0 access-list no_nat
nat (inside1) 1 0.0.0.0 0.0.0.0 0 0
static (inside1,outside) X.X.105.36 10.10.1.36 netmask 255.255.255.255 0 0
static (inside1,outside) X.X.105.37 10.10.1.37 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.105.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set kraset esp-3des esp-md5-hmac
crypto dynamic-map kra-dyn-map 10 set transform-set kraset
crypto map kra-map 20 ipsec-isakmp
crypto map kra-map 20 match address division_to_TnyTwr
crypto map kra-map 20 set peer X.X.105.10
crypto map kra-map 20 set transform-set kraset
crypto map kra-map interface outside
isakmp enable outside
isakmp key ******** address X.X.105.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10 5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000
isakmp policy 90 authentication pre-share
isakmp policy 90 encryption 3des
isakmp policy 90 hash sha
isakmp policy 90 group 2
isakmp policy 90 lifetime 1000
vpngroup neavpn address-pool GW
vpngroup neavpn split-tunnel SplitTunnel
vpngroup neavpn idle-time 1800
vpngroup neavpn password ********
vpngroup cci address-pool GW
vpngroup cci split-tunnel SplitTunnel
vpngroup cci idle-time 1800
vpngroup cci password ********
telnet X.X.105.9 255.255.255.255 outside
telnet 10.10.0.0 255.255.0.0 inside1
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.1.50-10.10.1.254 inside1
dhcpd dns X.X.105.1 X.X.105.2
dhcpd lease 9000
dhcpd ping_timeout 750
dhcpd domain granitewave.com
dhcpd enable inside1
terminal width 80
Cryptochecksum:1a6a24cceb5af60191d547d9748ccdc7
Division(config)# access-list SplitTunnel permit ip 10.10.1.0 255.255.255.0 10$
Division(config)# vpngroup neavpn split-tunnel SplitTunnel
Division(config)# vpngroup cci split-tunnel SplitTunnel
Division(config)# wr mem
Building configuration...
Cryptochecksum: 73cc69ac c8113215 4a6e3e16 9f3ae7f0
[OK]
Division(config)# ip address inside 10.10.1.1 255.255.255.0
Division(config)# wr mem
Building configuration...
Cryptochecksum: 73cc69ac c8113215 4a6e3e16 9f3ae7f0
[OK]
Division(config)# sho conf
: Saved
: Written by enable_15 at 19:57:30.400 UTC Tue Jun 13 2006
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside1 security4
enable password IrCeK8fT0qca/Vry encrypted
passwd AOy7VwYFtREuO1jy encrypted
hostname Division
domain-name granitewave.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host X.X.105.36
access-list outside_in permit ip any host X.X.105.37
access-list outside_in permit ip any host X.X.105.38
access-list outside_in permit icmp any any
access-list division_to_TnyTwr permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list SplitTunnel permit ip 10.10.1.0 255.255.255.0 10.10.4.0 255.255.255.0
access-list no_nat permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside1 1500
ip address outside X.X.105.9 255.255.255.0
ip address inside1 10.10.1.1 255.255.255.0
multicast interface inside1
ip audit info action alarm
ip audit attack action alarm
ip local pool GW 10.10.4.1-10.10.4.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside1) 0 access-list no_nat
nat (inside1) 1 0.0.0.0 0.0.0.0 0 0
static (inside1,outside) X.X.105.36 10.10.1.36 netmask 255.255.255.255 0 0
static (inside1,outside) X.X.105.37 10.10.1.37 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.105.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set kraset esp-3des esp-md5-hmac
crypto dynamic-map kra-dyn-map 10 set transform-set kraset
crypto map kra-map 20 ipsec-isakmp
crypto map kra-map 20 match address division_to_TnyTwr
crypto map kra-map 20 set peer X.X.105.10
crypto map kra-map 20 set transform-set kraset
crypto map kra-map interface outside
isakmp enable outside
isakmp key ******** address X.X.105.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10 5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000
isakmp policy 90 authentication pre-share
isakmp policy 90 encryption 3des
isakmp policy 90 hash sha
isakmp policy 90 group 2
isakmp policy 90 lifetime 1000
vpngroup neavpn address-pool GW
vpngroup neavpn split-tunnel SplitTunnel
vpngroup neavpn idle-time 1800
vpngroup neavpn password ********
vpngroup cci address-pool GW
vpngroup cci split-tunnel SplitTunnel
vpngroup cci idle-time 1800
vpngroup cci password ********
telnet X.X.105.9 255.255.255.255 outside
telnet 10.10.0.0 255.255.0.0 inside1
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.1.50-10.10.1.254 inside1
dhcpd dns X.X.105.1 X.X.105.2
dhcpd lease 9000
dhcpd ping_timeout 750
dhcpd domain granitewave.com
dhcpd enable inside1
terminal width 80
Cryptochecksum:73cc69acc81132154a6e3e169f3ae7f0
Division(config)#
Compare the default gateway settings and subnet masks on the hosts that you can and cannot get to.
The host default gateway should point to the PIX's inside IP.
The host subnet mask must be 255.255.255.0.

On Division, add this line for the VPN users:
  access-list no_nat permit ip 10.10.1.0 255.255.255.0 10.10.4.0 255.255.255.0

On the other one, add this line
   access-list no_nat permit ip 10.10.2.0 255.255.255.0 10.10.4.0 255.255.255.0
 
What if I don't want the VPN clients to access it, but just want to use the IPsec tunnel from PIX to PIX to allow HTTP access?

For instance, a normal PC on the network with no VPN client, at 10.10.1.1, wants to get to an HTTP site on the 10.10.10.2.1 network. Do I need an access list?

Thanks for all the help.

Almost there. All PIXes are talking now.

This network was set up before I got here and I couldn't change the IP subnets, or I could have gotten it done myself.

ASKER CERTIFIED SOLUTION
Les Moore
Thanks. They had to change the subnet mask and then all was fine. Thanks for all the help.