Solved

Cisco PIX to PIX VPN Routing

Posted on 2006-07-18
Last Modified: 2013-11-29
I have a site to site VPN using Cisco PIX firewalls, which all seems to be working fine - but only for the networks connected directly to the firewalls. I have internal routers at each of the VPN sites but traffic from these additional networks will not traverse the VPN.

Can anyone tell me what I need to do to fix this please?

Thanks!
Question by:PJRimmer
21 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17130227
1. At each site, on the pix you need to have a route pointing back to the router for those other networks.

2. In the PIX configuration you need to add all those to the 'nonat' access-list (The access-list used to avoid natting when the traffic goes through vpn tunnel).

If you still have problems understanding, post the configuration and also mention about the other networks (IP ranges).

Cheers,
Rajesh
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17130563
Further to that, on the internal routers you need to have a route for all other networks.
 

Author Comment

by:PJRimmer
ID: 17130583
I tried configuring IPSec tunnels for each of the additional networks, which means they are already in the nonat access-list I believe? Should I remove them as tunnels and create a separate nonat access-list?

Each PIX already has static routes pointing back to the local routers for the additional networks!

I'll start editing the configs so I can post them.
 
LVL 9

Expert Comment

by:NYtechGuy
ID: 17130792


Please post the configs, and perhaps a simple network diagram if you can.
 

Author Comment

by:PJRimmer
ID: 17130844
Configs as follows:

HQ PIX:

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.120.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.100.140.0 255.255.255.0 172.120.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.200.60 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 192.100.140.0 255.255.255.0 192.168.200.60 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.53.0 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 192.100.140.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 172.120.0.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.100.140.0 255.255.255.0 172.120.0.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.200.60 255.255.255.252
access-list outside_cryptomap_20 permit ip 192.100.140.0 255.255.255.0 192.168.200.60 255.255.255.252
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.53.0 255.255.255.252
access-list outside_cryptomap_20 permit ip 192.100.140.0 255.255.255.0 192.168.53.0 255.255.255.0

ip address inside 192.100.140.21 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl

route inside 192.168.0.0 255.255.0.0 192.100.140.1 1


Remote Site PIX:

access-list inside_outbound_nat0_acl permit ip 172.120.0.0 255.255.255.0 192.100.140.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.120.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.200.0 255.255.255.0 192.100.140.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.53.0 255.255.255.0 192.100.140.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.120.0.0 255.255.255.0 192.100.140.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.120.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.200.60 255.255.255.252 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.200.60 255.255.255.252 192.100.140.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.53.0 255.255.255.0 192.100.140.0 255.255.255.0

ip address inside 172.120.0.11 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl

route inside 192.168.53.0 255.255.255.0 172.120.0.10 1
route inside 192.168.200.60 255.255.255.252 172.120.0.10 1


The routers at each site have default routes which point to their firewall.

I can ping between 192.100.140.0 (HQ direct) and 172.120.0.0 (remote direct) networks no problem, and also between 192.168.1.0 (HQ additional network with IPsec tunnel) and 172.120.0.0 (remote direct) networks. It is only these two tunnels that are established.

However I can't ping the 192.168.53.0 or 192.168.200.60 networks from either of the HQ networks.

Let me know if that didn't make sense!
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17130953
>>route inside 192.168.0.0 255.255.0.0 192.100.140.1 1

You shouldn't do this;

Add individual networks, all of them;

route inside 192.168.1.0 255.255.255.0 192.100.140.1
route inside 192.168.140.0 255.255.255.0 192.100.140.1

the above at site 1;

Then see if it helps.

Cheers,
Rajesh


 

Author Comment

by:PJRimmer
ID: 17131234
I don't have a 192.168.140.0 network, but I have added:
route inside 192.168.1.0 255.255.255.0 192.100.140.1

I can't really remove this line (route inside 192.168.0.0 255.255.0.0 192.100.140.1 1) because we have loads of internal 192.168 networks which aren't individually configured.

Still not working.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17131283
Your HQ nonat access-list has only .1 and .140 configured in them. Now you don't have .140, so what is not working? I am confused.

Cheers,
Rajesh
 

Author Comment

by:PJRimmer
ID: 17131326
It's 192.100.140.0 NOT 192.168.140.0
 

Author Comment

by:PJRimmer
ID: 17133206
Not sure if this is related but the "sysopt connection permit-ipsec" doesn't appear to be doing its job.

e.g. I have an access-list on the inside interface of the HQ PIX which amongst other things blocks smtp traffic from leaving the network and getting out onto the internet. However the same rule is also blocking smtp traffic getting into the VPN tunnel to the remote site - could this be linked to my original question and how do I get around it?

Thanks in advance!
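The posted nat 0 and crypto lists, and the later question about the ACL on the inside interface, can both be checked mechanically. The script below is an added example for this thread, not code from the original posts or from Cisco. It parses PIX-style `access-list` lines, reports crypto entries whose reversed counterpart (same masks) is missing on the peer, reports crypto entries the nat 0 list does not cover, and evaluates a few flows against an excerpt of the HQ inside_access_out list the way the PIX does: first match wins, with an implicit deny at the end. The sample ACLs are copied from the configs posted above; the inside_access_out excerpt keeps only four of its lines, with the `name` alias Swift_Park expanded and the object-group lines left out, so its results apply to that excerpt only. The hosts it evaluates (192.168.1.10, 172.120.0.5, 192.168.53.5) are made up for the demonstration.

```python
import ipaddress

# Constructed sample input: the nat 0 and crypto ACLs as posted in this thread
# (HQ, then the remote site) and a four-line excerpt of HQ inside_access_out.
HQ_ACLS = """
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.120.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.100.140.0 255.255.255.0 172.120.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.200.60 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 192.100.140.0 255.255.255.0 192.168.200.60 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.53.0 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 192.100.140.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 172.120.0.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.100.140.0 255.255.255.0 172.120.0.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.200.60 255.255.255.252
access-list outside_cryptomap_20 permit ip 192.100.140.0 255.255.255.0 192.168.200.60 255.255.255.252
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.53.0 255.255.255.252
access-list outside_cryptomap_20 permit ip 192.100.140.0 255.255.255.0 192.168.53.0 255.255.255.0
"""
REMOTE_ACLS = """
access-list inside_outbound_nat0_acl permit ip 172.120.0.0 255.255.255.0 192.100.140.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.120.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.200.0 255.255.255.0 192.100.140.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.53.0 255.255.255.0 192.100.140.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.120.0.0 255.255.255.0 192.100.140.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.120.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.200.60 255.255.255.252 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.200.60 255.255.255.252 192.100.140.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.53.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.53.0 255.255.255.0 192.100.140.0 255.255.255.0
"""
# Excerpt only: the Swift_Park alias expanded to 172.120.0.0, object-group lines dropped.
HQ_INSIDE_OUT = """
access-list inside_access_out permit ip any 172.120.0.0 255.255.255.0
access-list inside_access_out permit icmp any any
access-list inside_access_out permit udp any any
access-list inside_access_out deny tcp any any eq smtp
"""
PORTS = {"smtp": 25, "www": 80, "https": 443}  # service names this excerpt can use

def _addr(tok):
    """Consume one address spec from the token list: any | host A | A MASK."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tok.pop(0)}", strict=False)

def parse_acl(text, name):
    """Entries of one named ACL, in order, as (action, proto, src, dst, port or None)."""
    out = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["access-list", name] or tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, dst = _addr(rest), _addr(rest)
        port = int(PORTS.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
        out.append((action, proto, src, dst, port))
    return out

def unmirrored(local, peer):
    """Local crypto entries with no exact reversed counterpart (same masks) on the
    peer. The PIX negotiates IPsec proxy identities from these entries, so a pair
    listed here fails negotiation even though the other pairs in the list work."""
    mirror = {(d, s) for _, _, s, d, _ in peer}
    return [f"{s} -> {d}" for _, _, s, d, _ in local if (s, d) not in mirror]

def not_nat_exempt(crypto, nonat):
    """Crypto entries not covered by a nat 0 entry of equal or wider scope."""
    return [f"{s} -> {d}" for _, _, s, d, _ in crypto
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for _, _, ns, nd, _ in nonat)]

def first_match(acl, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation as the PIX does it: (action, 1-based line) of the first
    entry that matches, or ("deny", None) for the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, p, src, dst, port) in enumerate(acl, 1):
        if p in ("ip", proto) and s in src and d in dst and port in (None, dport):
            return action, n
    return "deny", None

if __name__ == "__main__":
    hq_c = parse_acl(HQ_ACLS, "outside_cryptomap_20")
    rm_c = parse_acl(REMOTE_ACLS, "outside_cryptomap_20")
    print("HQ crypto entries with no mirror on the remote PIX:", unmirrored(hq_c, rm_c))
    print("Remote crypto entries with no mirror on the HQ PIX:", unmirrored(rm_c, hq_c))
    print("HQ crypto entries still NATed:", not_nat_exempt(hq_c, parse_acl(HQ_ACLS, "inside_outbound_nat0_acl")))
    inside = parse_acl(HQ_INSIDE_OUT, "inside_access_out")
    for flow in [("tcp", "192.168.1.10", "172.120.0.5", 25), ("tcp", "192.168.1.10", "192.168.53.5", 25)]:
        print(flow, "->", first_match(inside, *flow))
```

Run against the lists above, the mirror check flags one pair: the HQ entry 192.168.1.0/24 -> 192.168.53.0/30 is answered on the remote side by 192.168.53.0/24 -> 192.168.1.0/24, so the masks differ and that proxy-identity pair will not negotiate, which accounts for at least the 192.168.1.0 half of the "can't reach 192.168.53.0" symptom (the nat 0 coverage check passes on both boxes). The flow checks show why the inside ACL matters for the tunnel: `sysopt connection permit-ipsec` exempts traffic arriving decrypted from the tunnel from the outside interface's ACL; it does not exempt traffic entering the inside interface on its way into the tunnel, so `deny tcp any any eq smtp` stops SMTP to 192.168.53.0 unless a permit for that destination, like the existing `permit ip any Swift_Park 255.255.255.0` for 172.120.0.0, precedes it in the list.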

 
LVL 32

Expert Comment

by:rsivanandan
ID: 17135740
It would be of real help if you could post your configuration here. Now you see I didn't know anything about the access-list until you mentioned it. So just sanitize your configuration and post it here (public IPs: just remove the first or second octet and it will be fine).

Cheers,
Rajesh
 

Author Comment

by:PJRimmer
ID: 17136914
I've inherited these configs from previous engineers so they are a bit of a mess in places!

HQ Config:

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 Stateful_Fail_Link security90
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
hostname NWPCT-Pix
domain-name nw-tr.wmids.nhs.uk
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name xxx.62.42.123 SMTP_Relay
name xxx.xxx.46.200 DNS_server
name xxx.xxx.46.201 TotalCare_server
name xxx.xxx.46.202 Mkeowns_Alpha
name xxx.xxx.46.203 SeagateReport_server
name xxx.xxx.46.204 PHC_server
name xxx.xxx.46.205 Intranet_server
name xxx.xxx.46.206 EBA_server
name xxx.xxx.46.207 ITweb_server
name xxx.xxx.46.208 Terminal_server
name xxx.203.48.248 HBOC
name xxx.62.42.67 NHS_X400
name xxx.xxx.46.103 Content_Keeper_Ex
name 192.100.140.23 Content_Keeper_Int
name xxx.148.136.3 Protechnic
name xxx.xxx.46.102 rugbyPCT_exchange
name xxx.xxx.46.100 NWPCT_exchange
name xxx.62.102.166 McKesson_Acc_BirmCH
name 172.18.129.0 DR_Street_Surgery
name xxx.189.104.206 Westgate_Hse_Mconnect
name xxx.101.245.59 Westgate_Hse_DataWarehouse
name xxx.xxx.46.xxx Robin_Turton
name xxx.189.104.202 Westgate_Hse_Exeter_ICM
name xxx.xxx.46.104 E500_Webshield
name xxx.xxx.46.215 Caroline_Culligan
name xxx.xxx.46.214 Robbie_Sharma
name xxx.xxx.46.216 New_Finance_Sun_System
name xxx.xxx.46.217 EDS_SQL_Server
name xxx.xxx.46.218 KeyIT_Server
name 192.168.13.5 New_Docs_Rep1_Int
name 192.168.13.6 New_Docs_Rep2_Int
name 192.168.13.8 New_Docs_Triage1_Int
name 192.168.13.9 New_Docs_Triage2_Int
name 192.168.13.10 New_Docs_Triage3_Int
name 192.168.13.11 New_Docs_Consult1_Int
name 192.168.13.12 New_Docs_Consult2_Int
name 192.168.13.13 New_Docs_Consult3_Int
name 192.168.13.14 New_Docs_Consult4_Int
name 192.168.13.15 New_Docs_Consult5_Int
name 192.168.13.16 New_Docs_VoiceRec_Int
name 192.168.13.17 New_Docs_LaserPrint_Int
name 192.168.13.7 New_Docs_Map_Int
name xxx.xxx.46.157 New_Docs_Map_ext
name xxx.xxx.46.219 IT_Network_ECALCs_Server
name 192.168.13.18 New_Docs_Old1_Int
name 192.168.13.19 New_Docs_Old2_Int
name xxx.xxx.46.168 New_Docs_Old1_Ext
name xxx.xxx.46.169 New_Docs_Old2_Ext
name 192.168.1.28 KeyIT_Server_Int
name xxx.xxx.46.101 Esmtprelay
name 192.100.140.28 Proxy
name 192.100.140.30 NWPCTEXCH01
name 192.100.140.37 NEW-SQL-SERVER
name 192.100.140.35 TRUST
name 192.100.140.99 BARACUDA
name 192.100.140.31 WEBMAIL
name 192.100.140.20 HPOV
name 192.100.100.58 n-warks_Sun_OS
name 192.100.140.242 warwick_SUN_OS
name 192.100.105.2 ESTATES
name 192.100.100.22 NTS_EARLS_RD
name 192.100.140.33 ESMTPRELAY_Virtual
name 192.100.140.26 NWREP
name 192.100.140.25 TOTALCARE
name 192.100.140.24 ESMTPRELAY
name 192.168.1.27 TERMSERV1
name 192.168.1.37 FINANCE-ECALCS
name 192.168.199.0 GEH_New
name 192.168.13.0 GEH_AdAstra
name xxx.xxx.46.155 New_Docs_Rep1_ext
name xxx.xxx.46.167 New_Docs_LaserPrint_ext
name xxx.xxx.46.166 New_Docs_VoiceRec_ext
name xxx.xxx.46.165 New_Docs_Consult5_ext
name xxx.xxx.46.164 New_Docs_Consult4_ext
name xxx.xxx.46.163 New_Docs_Consult3_ext
name xxx.xxx.46.162 New_Docs_Consult2_ext
name xxx.xxx.46.161 New_Docs_Consult1_ext
name xxx.xxx.46.160 New_Docs_Triage3_ext
name xxx.xxx.46.159 New_Docs_Triage2_ext
name xxx.xxx.46.158 New_Docs_Triage1_ext
name xxx.xxx.46.156 New_Docs_Rep2_ext
name 10.129.113.0 Ad-Astra_Servers
name 10.206.4.37 MConnect_Server
name 10.206.4.33 Exeter_Server
name xxx.xxx.46.211 Mike_Graveney_Ext
name 192.100.180.95 Mike_Graveney_Int
name xxx.xxx.46.209 Paul_GORDON_ext
name 192.100.140.8 Paul_Gordon_Int
name 192.168.1.240 IT_Department
name 10.129.117.11 esrnhshub.mhapp.nhs.uk
name xxx.xxx.46.220 ESR_FTP_Ext
name 192.168.1.52 ESR_FTP_Int
name 62.130.239.0 nhs.net
name 192.100.140.16 Cohort
name xxx.61.123.9 paymentservices.bacs.co.uk
name xxx.62.42.148 DTS_Server
name 172.120.0.0 Swift_Park
name 192.168.1.0 PBS
name 192.168.53.0 Rugby_CNN
name 192.168.200.60 Rugby_WAN
name 192.168.200.0 Rugby_CNN_WAN
object-group network securedial_access
  network-object host xxx.xxx.155.96
  network-object host xxx.xxx.155.99
  network-object host xxx.xxx.155.98
  network-object host xxx.xxx.155.97
object-group network totalcare_access
  network-object host HBOC
  network-object xxx.101.246.0 255.255.255.0
object-group network exchange_access
  network-object host xxx.155.160.22
object-group network nhs-relay_access
  network-object host Esmtprelay
  network-object host rugbyPCT_exchange
  network-object host E500_Webshield
  network-object host xxx.xxx.46.105
object-group network NWPCTexchange_access
  network-object 172.24.226.0 255.255.255.224
  network-object 172.21.32.96 255.255.255.224
  network-object 172.18.129.32 255.255.255.224
object-group network torex-finance-system
  network-object 159.170.136.0 255.255.252.0
  network-object 159.170.175.0 255.255.255.0
  network-object 159.170.107.0 255.255.255.0
  network-object host 159.170.59.36
object-group network EDS_Connection
  network-object host 62.130.104.66
  network-object host 62.130.104.40
object-group network KeyIT_System_Internal
  network-object host New_Docs_Rep1_ext
  network-object host New_Docs_Rep2_ext
  network-object host New_Docs_Map_ext
  network-object host New_Docs_Triage1_ext
  network-object host New_Docs_Triage2_ext
  network-object host New_Docs_Triage3_ext
  network-object host New_Docs_Consult1_ext
  network-object host New_Docs_Consult2_ext
  network-object host New_Docs_Consult3_ext
  network-object host New_Docs_Consult4_ext
  network-object host New_Docs_Consult5_ext
  network-object host New_Docs_VoiceRec_ext
  network-object host New_Docs_LaserPrint_ext
  network-object host New_Docs_Old1_Ext
  network-object host New_Docs_Old2_Ext
object-group network KeyIT_System_External
  network-object host 10.129.113.8
  network-object host 10.129.113.9
  network-object xxx.189.122.144 255.255.255.240
  network-object host 10.129.113.2
  network-object host 10.129.113.3
object-group network nhs-relay_access_real
  network-object BARACUDA 255.255.255.255
  network-object 192.100.140.42 255.255.255.255
  network-object ESMTPRELAY_Virtual 255.255.255.255
  network-object ESMTPRELAY 255.255.255.255
object-group network KeyIT_System_Internal_real
  network-object New_Docs_Rep1_Int 255.255.255.255
  network-object New_Docs_Rep2_Int 255.255.255.255
  network-object New_Docs_Map_Int 255.255.255.255
  network-object New_Docs_Triage1_Int 255.255.255.255
  network-object New_Docs_Triage2_Int 255.255.255.255
  network-object New_Docs_Triage3_Int 255.255.255.255
  network-object New_Docs_Consult1_Int 255.255.255.255
  network-object New_Docs_Consult2_Int 255.255.255.255
  network-object New_Docs_Consult3_Int 255.255.255.255
  network-object New_Docs_Consult4_Int 255.255.255.255
  network-object New_Docs_Consult5_Int 255.255.255.255
  network-object New_Docs_VoiceRec_Int 255.255.255.255
  network-object New_Docs_LaserPrint_Int 255.255.255.255
  network-object New_Docs_Old1_Int 255.255.255.255
  network-object New_Docs_Old2_Int 255.255.255.255
object-group network Ad-Astra_Internal
  description Ad-Astra Internal IP's.
  network-object New_Docs_Rep1_Int 255.255.255.255
  network-object New_Docs_Rep2_Int 255.255.255.255
  network-object New_Docs_Map_Int 255.255.255.255
  network-object New_Docs_Triage1_Int 255.255.255.255
  network-object New_Docs_Triage2_Int 255.255.255.255
  network-object New_Docs_Triage3_Int 255.255.255.255
  network-object New_Docs_Consult1_Int 255.255.255.255
  network-object New_Docs_Consult2_Int 255.255.255.255
  network-object New_Docs_Consult3_Int 255.255.255.255
  network-object New_Docs_Consult4_Int 255.255.255.255
  network-object New_Docs_Consult5_Int 255.255.255.255
  network-object New_Docs_VoiceRec_Int 255.255.255.255
  network-object New_Docs_LaserPrint_Int 255.255.255.255
  network-object New_Docs_Old1_Int 255.255.255.255
  network-object New_Docs_Old2_Int 255.255.255.255
object-group network Ad-Astra_External
  description Ad-Astra External IP addresses
  network-object New_Docs_Rep1_ext 255.255.255.255
  network-object New_Docs_Rep2_ext 255.255.255.255
  network-object New_Docs_Triage1_ext 255.255.255.255
  network-object New_Docs_Triage2_ext 255.255.255.255
  network-object New_Docs_Triage3_ext 255.255.255.255
  network-object New_Docs_Consult1_ext 255.255.255.255
  network-object New_Docs_Consult2_ext 255.255.255.255
  network-object New_Docs_Consult3_ext 255.255.255.255
  network-object New_Docs_Consult4_ext 255.255.255.255
  network-object New_Docs_Consult5_ext 255.255.255.255
  network-object New_Docs_VoiceRec_ext 255.255.255.255
  network-object New_Docs_LaserPrint_ext 255.255.255.255
object-group network Ad-Astra_Internal_ref
  network-object New_Docs_Rep1_ext 255.255.255.255
  network-object New_Docs_Rep2_ext 255.255.255.255
  network-object New_Docs_Map_ext 255.255.255.255
  network-object New_Docs_Triage1_ext 255.255.255.255
  network-object New_Docs_Triage2_ext 255.255.255.255
  network-object New_Docs_Triage3_ext 255.255.255.255
  network-object New_Docs_Consult1_ext 255.255.255.255
  network-object New_Docs_Consult2_ext 255.255.255.255
  network-object New_Docs_Consult3_ext 255.255.255.255
  network-object New_Docs_Consult4_ext 255.255.255.255
  network-object New_Docs_Consult5_ext 255.255.255.255
  network-object New_Docs_VoiceRec_ext 255.255.255.255
  network-object New_Docs_LaserPrint_ext 255.255.255.255
  network-object New_Docs_Old1_Ext 255.255.255.255
  network-object New_Docs_Old2_Ext 255.255.255.255
object-group network Exeter_Users
  description Users of the Exeter Server
  network-object Mike_Graveney_Int 255.255.255.255
  network-object Paul_Gordon_Int 255.255.255.255
object-group network MConnect_Users
  description Users of the MConnect server
  network-object Paul_Gordon_Int 255.255.255.255
  network-object Mike_Graveney_Int 255.255.255.255
object-group service FTP tcp
  description FTP Access
  port-object eq ftp-data
  port-object eq ftp
object-group service Audio tcp
  description Streeming Audio, like Radio stations etc.
  port-object eq 9001
  port-object eq 9000
  port-object eq 8001
  port-object eq 9010
  port-object eq 8000
object-group network ESR_Outbound
  description ESR Live, Training and Test servers
  network-object 62.130.47.32 255.255.255.224
  network-object 149.21.70.0 255.255.255.0
object-group network ESR_Inbound
  description ESR Additional hosts
  network-object 10.129.117.0 255.255.255.224
  network-object 10.129.117.128 255.255.255.224
  network-object 62.130.47.32 255.255.255.224
  network-object 149.21.70.0 255.255.255.0
object-group service ESR_Outbound_Ports tcp
  description Ports required for ESR testing out
  port-object eq 8000
  port-object eq 8001
  port-object eq 9001
  port-object eq 8052
  port-object eq 8055
  port-object eq 9055
  port-object eq 8061
  port-object eq 9061
  port-object eq 8062
  port-object eq 9062
  port-object eq 8063
  port-object eq 9063
  port-object eq 8064
  port-object eq 9064
object-group service NOT_HTTP_HTTPS tcp-udp
  description Allow all IP except ports 80 & 443.
  port-object range 81 442
  port-object range 1 79
  port-object range 444 65535
access-list outside_access_in remark Allow the ability to ping the outside world
access-list outside_access_in permit icmp any any
access-list outside_access_in deny tcp any host xxx.xxx.46.184
access-list outside_access_in remark Allow e-mailes in to any of our e-mail servers.
access-list outside_access_in permit tcp host SMTP_Relay object-group nhs-relay_access eq smtp
access-list outside_access_in permit tcp 10.184.13.0 255.255.255.0 host Terminal_server
access-list outside_access_in remark Allows RAdmin Port for all NewDoc PC's!
access-list outside_access_in permit tcp object-group KeyIT_System_External object-group KeyIT_System_Internal eq 4899
access-list outside_access_in remark ???? Microsoft-SQL-Server
access-list outside_access_in permit tcp host xxx.189.101.85 host IT_Network_ECALCs_Server eq 1433
access-list outside_access_in deny tcp host xxx.xxx.46.184 any
access-list outside_access_in remark Looks like it allows all ports open for NewDoc PC's
access-list outside_access_in permit tcp object-group KeyIT_System_External object-group KeyIT_System_Internal
access-list outside_access_in remark ???? MS WBT Server
access-list outside_access_in permit tcp host xxx.189.101.10 host KeyIT_Server eq 3389
access-list outside_access_in remark Allow SMTP traffic to ESMPT_RELAY Server virtual port Number.
access-list outside_access_in permit tcp host xxx.227.65.1 host E500_Webshield eq smtp
access-list outside_access_in remark ???? Allow ftp from xxx.xxx.155.96 to the ESTATES Novell Server
access-list outside_access_in permit tcp host xxx.xxx.155.96 host EBA_server eq ftp
access-list outside_access_in permit ip object-group securedial_access any
access-list outside_access_in permit ip host xxx.216.97.222 any
access-list outside_access_in remark Allow FTP access to our TOTALCARE Server
access-list outside_access_in permit tcp host HBOC host TotalCare_server eq ftp
access-list outside_access_in permit tcp host Protechnic host xxx.105.46.204 eq telnet
access-list outside_access_in remark Allow TELNET access to our TOTALCARE Server
access-list outside_access_in permit tcp object-group totalcare_access host TotalCare_server eq telnet
access-list outside_access_in permit tcp any host Intranet_server eq www
access-list outside_access_in remark ???? Might be to allow content keeper to keep up to date by downloading updates.
access-list outside_access_in permit tcp any host Content_Keeper_Ex eq www
access-list outside_access_in permit tcp host Westgate_Hse_DataWarehouse host Caroline_Culligan
access-list outside_access_in permit tcp host Westgate_Hse_DataWarehouse host Robbie_Sharma
access-list outside_access_in remark ???? Don't Beleave this rule is required anymore!
access-list outside_access_in remark Points to an IP that isn't used.
access-list outside_access_in permit tcp any host rugbyPCT_exchange eq smtp
access-list outside_access_in remark ???? Don't Beleave this rule is required anymore!
access-list outside_access_in remark Points to an IP that isn't used.
access-list outside_access_in permit tcp 159.170.139.0 255.255.255.0 host Mkeowns_Alpha eq telnet
access-list outside_access_in remark Protechnic support of the Finance Server via TELNET
access-list outside_access_in permit tcp host Protechnic host PHC_server eq telnet
access-list outside_access_in remark ???? ISO-TSAP Class 0
access-list outside_access_in permit tcp host NHS_X400 host NWPCT_exchange eq 102
access-list outside_access_in remark ???? outside addresses have access to our exchange server!
access-list outside_access_in permit tcp object-group NWPCTexchange_access host NWPCT_exchange
access-list outside_access_in remark External maintenance of the HMT System. Source address changed 15/06/06.
access-list outside_access_in permit tcp host 10.223.224.66 host SeagateReport_server
access-list outside_access_in permit tcp host McKesson_Acc_BirmCH host TotalCare_server eq ftp
access-list outside_access_in remark Allows 1 Doctors surgery access to our groupwise webmail !!!
access-list outside_access_in permit tcp DR_Street_Surgery 255.255.255.224 host ITweb_server
access-list outside_access_in permit tcp host Protechnic host PHC_server
access-list outside_access_in permit tcp host Westgate_Hse_Mconnect any
access-list outside_access_in remark ????  Don't beleave this rule is required any more.  It refers to an IP that isn't used any more.
access-list outside_access_in permit tcp host Westgate_Hse_Mconnect host Paul_GORDON_ext
access-list outside_access_in remark DENY DCE endpoint resolution from any to any.
access-list outside_access_in deny tcp any any eq 135
access-list outside_access_in remark Deny :-
access-list outside_access_in remark   DCE endpoint resolution
access-list outside_access_in remark   PROFILE Naming System
access-list outside_access_in remark   NETBIOS Name Service
access-list outside_access_in remark   NETBIOS Datagram Service
access-list outside_access_in remark   NETBIOS Session Service
access-list outside_access_in remark from any to any.
access-list outside_access_in deny tcp any any range 135 netbios-ssn
access-list outside_access_in remark ???? Don't beleave this rule is required any more.
access-list outside_access_in remark IP address isn't used.
access-list outside_access_in permit tcp host xxx.189.104.20 host Paul_GORDON_ext eq https
access-list outside_access_in remark ???? Don't beleave this rule is required any more.
access-list outside_access_in remark IP address isn't used.
access-list outside_access_in permit ip host Westgate_Hse_Mconnect host Paul_GORDON_ext
access-list outside_access_in remark ???? Don't beleave this rule is required any more.
access-list outside_access_in remark IP address isn't used.
access-list outside_access_in permit ip host Westgate_Hse_DataWarehouse host Robin_Turton
access-list outside_access_in remark ???? Don't beleave this rule is required any more.
access-list outside_access_in remark IP address isn't used.
access-list outside_access_in permit tcp host Westgate_Hse_DataWarehouse host Robin_Turton
access-list outside_access_in remark ???? Don't beleave this rule is required any more.
access-list outside_access_in remark IP address isn't used.
access-list outside_access_in permit ip host Westgate_Hse_Exeter_ICM host Robin_Turton
access-list outside_access_in permit tcp host Westgate_Hse_DataWarehouse any
access-list outside_access_in permit ip host Westgate_Hse_Mconnect host Robin_Turton
access-list outside_access_in permit ip host Westgate_Hse_Mconnect host Caroline_Culligan
access-list outside_access_in permit ip host Westgate_Hse_Mconnect host Mike_Graveney_Ext
access-list outside_access_in permit tcp host Westgate_Hse_DataWarehouse host Paul_GORDON_ext
access-list outside_access_in permit ip host Westgate_Hse_DataWarehouse host Paul_GORDON_ext
access-list outside_access_in permit tcp object-group torex-finance-system host New_Finance_Sun_System eq telnet
access-list outside_access_in permit tcp object-group EDS_Connection host EDS_SQL_Server eq 1433
access-list outside_access_in remark ????  Looks like the rule to allow NEWDOC PC's access to browse CITRIX Servers.
access-list outside_access_in remark BUT rule is wrong way round.  It allows Citrix to browse these PC's.
access-list outside_access_in permit tcp object-group KeyIT_System_External object-group KeyIT_System_Internal eq www
access-list outside_access_in remark Allows RAdmin Port for all NewDoc PC's!
access-list outside_access_in permit tcp object-group Ad-Astra_External object-group Ad-Astra_Internal_ref eq 4899
access-list outside_access_in remark Electronic Staff Record Project FTP access - Paul Gordon 12/05/06
access-list outside_access_in permit tcp object-group ESR_Inbound host ESR_FTP_Ext eq ftp
access-list outside_access_in remark Electronic Staff Record Project Print access - Paul Gordon 12/05/06
access-list outside_access_in permit tcp object-group ESR_Inbound any eq lpd
access-list outside_access_in remark Electronic Staff Record Project FTP access - Paul Gordon 12/05/06
access-list inside_access_out permit ip any Swift_Park 255.255.255.0
access-list inside_access_out remark Baracuda Updates
access-list inside_access_out permit tcp host BARACUDA any
access-list inside_access_out remark Allow smtp traffic to NHSnet servers so users can use NHSnet accounts in Outlook - 16/06/06
access-list inside_access_out permit tcp any nhs.net 255.255.255.0 eq 587
access-list inside_access_out deny tcp any any object-group Audio
access-list inside_access_out permit tcp any host SMTP_Relay eq smtp
access-list inside_access_out permit tcp host ESMTPRELAY host SMTP_Relay eq smtp
access-list inside_access_out permit tcp host ESMTPRELAY_Virtual host SMTP_Relay eq smtp
access-list inside_access_out permit icmp any any
access-list inside_access_out deny tcp any host 80.160.91.5
access-list inside_access_out deny tcp any host 80.160.91.13
access-list inside_access_out deny tcp host xxx.xxx.46.184 any
access-list inside_access_out deny tcp any host xxx.xxx.46.184
access-list inside_access_out permit udp any any
access-list inside_access_out permit tcp any host Westgate_Hse_Mconnect eq 5555
access-list inside_access_out permit tcp any host Westgate_Hse_Mconnect
access-list inside_access_out remark ???? Don't Beleave this rule is required any more.  It points to an IP that isn't used any more.
access-list inside_access_out permit tcp host Paul_Gordon_Int host Westgate_Hse_Mconnect eq 5555
access-list inside_access_out remark Block Network News Transfer Protocol
access-list inside_access_out deny tcp any any eq nntp
access-list inside_access_out remark Block Simple Mail Transfer
access-list inside_access_out deny tcp any any eq smtp
access-list inside_access_out remark Block Post Office Protocol - Version 3
access-list inside_access_out deny tcp any any eq pop3
access-list inside_access_out remark Done beleave this rule is needed!
access-list inside_access_out permit tcp host ESMTPRELAY_Virtual any eq www
access-list inside_access_out remark Done beleave this rule is needed!
access-list inside_access_out permit tcp host ESMTPRELAY_Virtual any eq https
access-list inside_access_out remark Allow proxy to access outside HTTP web sites.
access-list inside_access_out permit tcp host Proxy any eq https
access-list inside_access_out remark Allow proxy to access outside HTTPS web sites.
access-list inside_access_out permit tcp host Proxy any eq www
access-list inside_access_out remark Done beleave this rule is needed!
access-list inside_access_out permit tcp host HPOV any eq www
access-list inside_access_out remark Done beleave this rule is needed!
access-list inside_access_out permit tcp host HPOV any eq https
access-list inside_access_out remark Allow all New-Doc Ad-Astra PC's to access the Ad-Astra Citrix Servers.
access-list inside_access_out permit tcp object-group Ad-Astra_Internal Ad-Astra_Servers 255.255.255.224 eq citrix-ica
access-list inside_access_out remark Allow all New-Doc Ad-Astra PC's to access the Ad-Astra Citrix Servers Web interface - 30/06/06
access-list inside_access_out permit tcp object-group Ad-Astra_Internal Ad-Astra_Servers 255.255.255.224 eq www
access-list inside_access_out remark Requested by Paul Gordon on 27/02/2006
access-list inside_access_out remark Allow users of the Exeter Server access to it.
access-list inside_access_out permit tcp object-group Exeter_Users host Exeter_Server
access-list inside_access_out remark Allow users of the MConnect server access to it.
access-list inside_access_out remark Requested by Paul Gordon on 27/02/2006
access-list inside_access_out permit tcp object-group MConnect_Users host MConnect_Server
access-list inside_access_out remark CRF 2229 - Electronic Staff Record Project - Paul Gordon 20/03/2006
access-list inside_access_out permit tcp any host esrnhshub.mhapp.nhs.uk object-group FTP
access-list inside_access_out remark Electronic Staff Record Project outbound access - Paul Gordon 12/05/06
access-list inside_access_out permit tcp any object-group ESR_Outbound object-group ESR_Outbound_Ports
access-list inside_access_out remark Allows BACS system to connect directly to https://paymentservices.bacs.co.uk
access-list inside_access_out permit tcp host Cohort host paymentservices.bacs.co.uk eq https
access-list inside_access_out remark Allow access to the DTS Server at McKesson - Request by Caroline Brown 30/06/06.
access-list inside_access_out permit tcp any host DTS_Server eq www
access-list inside_access_out remark Allow access to the DTS Server at McKesson - Request by Caroline Brown 30/06/06.
access-list inside_access_out permit tcp any host DTS_Server eq https
access-list inside_access_out remark Allows all IP out of the firewall except HTTP & HTTPS traffic. Needs reviewing!!!
access-list inside_access_out permit tcp any any object-group NOT_HTTP_HTTPS
access-list dmz_int permit tcp any any
access-list inside_outbound_nat0_acl permit ip PBS 255.255.255.0 Swift_Park 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.100.140.0 255.255.255.0 Swift_Park 255.255.255.0
access-list inside_outbound_nat0_acl permit ip PBS 255.255.255.0 Rugby_WAN 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 192.100.140.0 255.255.255.0 Rugby_WAN 255.255.255.252
access-list inside_outbound_nat0_acl permit ip PBS 255.255.255.0 Rugby_CNN 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 192.100.140.0 255.255.255.0 Rugby_CNN 255.255.255.0
access-list outside_cryptomap_20 permit ip PBS 255.255.255.0 Swift_Park 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.100.140.0 255.255.255.0 Swift_Park 255.255.255.0
access-list outside_cryptomap_20 permit ip PBS 255.255.255.0 Rugby_WAN 255.255.255.252
access-list outside_cryptomap_20 permit ip 192.100.140.0 255.255.255.0 Rugby_WAN 255.255.255.252
access-list outside_cryptomap_20 permit ip PBS 255.255.255.0 Rugby_CNN 255.255.255.252
access-list outside_cryptomap_20 permit ip 192.100.140.0 255.255.255.0 Rugby_CNN 255.255.255.0
pager lines 24
logging on
logging buffered alerts
logging trap warnings
logging history critical
logging host inside HPOV format emblem
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu intf3 1500
mtu intf4 1500
mtu Stateful_Fail_Link 1500
ip address outside xxx.xxx.46.2 255.255.255.0
ip address inside 192.100.140.21 255.255.255.0
ip address DMZ 172.255.255.1 255.255.255.0
no ip address intf3
no ip address intf4
ip address Stateful_Fail_Link 172.16.1.1 255.255.255.252
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover replication http
failover ip address outside xxx.xxx.46.3
failover ip address inside 192.100.140.22
failover ip address DMZ 172.255.255.2
no failover ip address intf3
no failover ip address intf4
failover ip address Stateful_Fail_Link 172.16.1.2
failover link Stateful_Fail_Link
pdm location 80.160.91.5 255.255.255.255 outside
pdm location 80.160.91.13 255.255.255.255 outside
pdm location xxx.105.46.204 255.255.255.255 outside
pdm location xxx.xxx.46.184 255.255.255.255 outside
pdm location 160.100.100.0 255.255.255.0 inside
pdm location 161.100.100.0 255.255.255.0 inside
pdm location 162.100.100.0 255.255.255.0 inside
pdm location 164.100.100.0 255.255.255.0 inside
pdm location 165.100.100.0 255.255.255.0 inside
pdm location 166.100.100.0 255.255.255.0 inside
pdm location 167.100.100.0 255.255.255.0 inside
pdm location 168.100.100.0 255.255.255.0 inside
pdm location 172.20.0.0 255.255.0.0 inside
pdm location 172.80.0.0 255.255.0.0 inside
pdm location 172.85.0.0 255.255.0.0 inside
pdm location Swift_Park 255.255.0.0 inside
pdm location 172.121.0.0 255.255.0.0 inside
pdm location 172.221.0.0 255.255.0.0 inside
pdm location 173.20.0.0 255.255.0.0 inside
pdm location 179.100.100.0 255.255.255.0 inside
pdm location 179.100.110.0 255.255.255.0 inside
pdm location 179.100.0.0 255.255.0.0 inside
pdm location 180.80.0.0 255.255.0.0 inside
pdm location 181.20.0.0 255.255.0.0 inside
pdm location 182.100.100.0 255.255.255.0 inside
pdm location 183.100.100.0 255.255.255.0 inside
pdm location 184.100.100.0 255.255.255.0 inside
pdm location 186.100.100.0 255.255.255.0 inside
pdm location 187.100.100.0 255.255.255.0 inside
pdm location 188.100.100.0 255.255.255.0 inside
pdm location 190.100.100.0 255.255.255.0 inside
pdm location 191.100.0.0 255.255.0.0 inside
pdm location NTS_EARLS_RD 255.255.255.255 inside
pdm location n-warks_Sun_OS 255.255.255.255 inside
pdm location 192.100.100.206 255.255.255.255 inside
pdm location 192.100.100.0 255.255.255.0 inside
pdm location 192.100.101.0 255.255.255.0 inside
pdm location 192.100.102.0 255.255.255.0 inside
pdm location 192.100.103.0 255.255.255.0 inside
pdm location 192.100.104.0 255.255.255.0 inside
pdm location ESTATES 255.255.255.255 inside
pdm location 192.100.105.0 255.255.255.0 inside
pdm location 192.100.110.0 255.255.255.0 inside
pdm location 192.100.130.0 255.255.255.0 inside
pdm location Paul_Gordon_Int 255.255.255.255 inside
pdm location HPOV 255.255.255.255 inside
pdm location Content_Keeper_Int 255.255.255.255 inside
pdm location ESMTPRELAY 255.255.255.255 inside
pdm location TOTALCARE 255.255.255.255 inside
pdm location NWREP 255.255.255.255 inside
pdm location Proxy 255.255.255.255 inside
pdm location NWPCTEXCH01 255.255.255.255 inside
pdm location WEBMAIL 255.255.255.255 inside
pdm location ESMTPRELAY_Virtual 255.255.255.255 inside
pdm location TRUST 255.255.255.255 inside
pdm location NEW-SQL-SERVER 255.255.255.255 inside
pdm location 192.100.140.42 255.255.255.255 inside
pdm location BARACUDA 255.255.255.255 inside
pdm location 192.100.140.100 255.255.255.255 inside
pdm location 192.100.140.241 255.255.255.255 inside
pdm location warwick_SUN_OS 255.255.255.255 inside
pdm location 192.100.140.251 255.255.255.255 inside
pdm location 192.100.140.240 255.255.255.240 inside
pdm location 192.100.150.0 255.255.255.0 inside
pdm location 192.100.160.0 255.255.255.0 inside
pdm location Mike_Graveney_Int 255.255.255.255 inside
pdm location 192.100.180.0 255.255.255.0 inside
pdm location 192.100.210.0 255.255.255.0 inside
pdm location 192.101.160.0 255.255.255.0 inside
pdm location 192.101.0.0 255.255.0.0 inside
pdm location 192.110.100.0 255.255.252.0 inside
pdm location 192.110.104.0 255.255.254.0 inside
pdm location 192.119.101.0 255.255.255.0 inside
pdm location 192.120.101.0 255.255.255.0 inside
pdm location TERMSERV1 255.255.255.255 inside
pdm location KeyIT_Server_Int 255.255.255.255 inside
pdm location FINANCE-ECALCS 255.255.255.255 inside
pdm location 192.168.1.53 255.255.255.255 inside
pdm location IT_Department 255.255.255.240 inside
pdm location New_Docs_Rep1_Int 255.255.255.255 inside
pdm location New_Docs_Rep2_Int 255.255.255.255 inside
pdm location New_Docs_Map_Int 255.255.255.255 inside
pdm location New_Docs_Triage1_Int 255.255.255.255 inside
pdm location New_Docs_Triage2_Int 255.255.255.255 inside
pdm location New_Docs_Triage3_Int 255.255.255.255 inside
pdm location New_Docs_Consult1_Int 255.255.255.255 inside
pdm location New_Docs_Consult2_Int 255.255.255.255 inside
pdm location New_Docs_Consult3_Int 255.255.255.255 inside
pdm location New_Docs_Consult4_Int 255.255.255.255 inside
pdm location New_Docs_Consult5_Int 255.255.255.255 inside
pdm location New_Docs_VoiceRec_Int 255.255.255.255 inside
pdm location New_Docs_LaserPrint_Int 255.255.255.255 inside
pdm location New_Docs_Old1_Int 255.255.255.255 inside
pdm location New_Docs_Old2_Int 255.255.255.255 inside
pdm location 192.168.42.0 255.255.255.0 inside
pdm location 192.168.43.0 255.255.255.0 inside
pdm location 192.168.50.0 255.255.254.0 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.198.10.0 255.255.255.0 inside
pdm location 192.200.200.0 255.255.255.0 inside
pdm location 193.110.100.0 255.255.252.0 inside
pdm location 193.110.104.0 255.255.255.0 inside
pdm location xxx.xxx.46.184 255.255.255.255 inside
pdm location 196.100.100.0 255.255.255.0 inside
pdm location 196.100.110.0 255.255.255.0 inside
pdm location 10.129.113.2 255.255.255.255 outside
pdm location 10.129.113.3 255.255.255.255 outside
pdm location 10.129.113.8 255.255.255.255 outside
pdm location 10.129.113.9 255.255.255.255 outside
pdm location 10.184.13.0 255.255.255.0 outside
pdm location 62.130.104.40 255.255.255.255 outside
pdm location 62.130.104.66 255.255.255.255 outside
pdm location 159.170.59.36 255.255.255.255 outside
pdm location 159.170.107.0 255.255.255.0 outside
pdm location 159.170.139.0 255.255.255.0 outside
pdm location 159.170.136.0 255.255.252.0 outside
pdm location 159.170.175.0 255.255.255.0 outside
pdm location DR_Street_Surgery 255.255.255.224 outside
pdm location 172.18.129.32 255.255.255.224 outside
pdm location 172.21.32.96 255.255.255.224 outside
pdm location 172.24.226.0 255.255.255.224 outside
pdm location NHS_X400 255.255.255.255 outside
pdm location SMTP_Relay 255.255.255.255 outside
pdm location McKesson_Acc_BirmCH 255.255.255.255 outside
pdm location Westgate_Hse_DataWarehouse 255.255.255.255 outside
pdm location xxx.101.246.0 255.255.255.0 outside
pdm location xxx.189.101.10 255.255.255.255 outside
pdm location xxx.189.101.85 255.255.255.255 outside
pdm location xxx.189.104.20 255.255.255.255 outside
pdm location Westgate_Hse_Exeter_ICM 255.255.255.255 outside
pdm location Westgate_Hse_Mconnect 255.255.255.255 outside
pdm location xxx.189.122.144 255.255.255.240 outside
pdm location HBOC 255.255.255.255 outside
pdm location xxx.216.97.222 255.255.255.255 outside
pdm location xxx.227.65.1 255.255.255.255 outside
pdm location xxx.xxx.155.96 255.255.255.255 outside
pdm location xxx.xxx.155.97 255.255.255.255 outside
pdm location xxx.xxx.155.98 255.255.255.255 outside
pdm location xxx.xxx.155.99 255.255.255.255 outside
pdm location Protechnic 255.255.255.255 outside
pdm location GEH_AdAstra 255.255.255.0 inside
pdm location GEH_New 255.255.255.0 inside
pdm location New_Docs_Rep1_ext 255.255.255.255 outside
pdm location New_Docs_Rep2_ext 255.255.255.255 outside
pdm location New_Docs_Triage1_ext 255.255.255.255 outside
pdm location New_Docs_Triage2_ext 255.255.255.255 outside
pdm location New_Docs_Triage3_ext 255.255.255.255 outside
pdm location New_Docs_Consult1_ext 255.255.255.255 outside
pdm location New_Docs_Consult2_ext 255.255.255.255 outside
pdm location New_Docs_Consult3_ext 255.255.255.255 outside
pdm location New_Docs_Consult4_ext 255.255.255.255 outside
pdm location New_Docs_Consult5_ext 255.255.255.255 outside
pdm location New_Docs_VoiceRec_ext 255.255.255.255 outside
pdm location New_Docs_LaserPrint_ext 255.255.255.255 outside
pdm location Ad-Astra_Servers 255.255.255.224 outside
pdm location Exeter_Server 255.255.255.255 outside
pdm location MConnect_Server 255.255.255.255 outside
pdm location Paul_GORDON_ext 255.255.255.255 outside
pdm location Mike_Graveney_Ext 255.255.255.255 outside
pdm location IT_Department 255.255.255.255 inside
pdm location esrnhshub.mhapp.nhs.uk 255.255.255.255 outside
pdm location ESR_FTP_Ext 255.255.255.255 outside
pdm location ESR_FTP_Int 255.255.255.255 inside
pdm location 10.129.117.0 255.255.255.224 outside
pdm location 10.129.117.128 255.255.255.224 outside
pdm location 62.130.47.32 255.255.255.224 outside
pdm location 149.21.70.0 255.255.255.0 outside
pdm location 10.223.224.66 255.255.255.255 outside
pdm location nhs.net 255.255.255.0 outside
pdm location Cohort 255.255.255.255 inside
pdm location paymentservices.bacs.co.uk 255.255.255.255 outside
pdm location DTS_Server 255.255.255.255 outside
pdm location 172.255.255.0 255.255.255.0 DMZ
pdm location PBS 255.255.255.0 inside
pdm location Swift_Park 255.255.255.0 outside
pdm location Rugby_CNN 255.255.255.0 outside
pdm location xx.xxx.44.0 255.255.255.0 outside
pdm location Rugby_CNN 255.255.255.0 inside
pdm location Rugby_CNN_WAN 255.255.255.0 inside
pdm location Rugby_WAN 255.255.255.252 outside
pdm location Rugby_CNN 255.255.255.252 outside
pdm location Rugby_WAN 255.255.255.252 inside
pdm group nhs-relay_access_real inside
pdm group KeyIT_System_Internal_real inside
pdm group nhs-relay_access outside reference nhs-relay_access_real
pdm group KeyIT_System_External outside
pdm group KeyIT_System_Internal outside reference KeyIT_System_Internal_real
pdm group securedial_access outside
pdm group totalcare_access outside
pdm group NWPCTexchange_access outside
pdm group torex-finance-system outside
pdm group EDS_Connection outside
pdm group Ad-Astra_Internal inside
pdm group Ad-Astra_External outside
pdm group Ad-Astra_Internal_ref outside reference Ad-Astra_Internal
pdm group Exeter_Users inside
pdm group MConnect_Users inside
pdm group ESR_Outbound outside
pdm group ESR_Inbound outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.46.4
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) NWPCT_exchange NWPCTEXCH01 netmask 255.255.255.255 0 0
static (inside,outside) DNS_server NTS_EARLS_RD netmask 255.255.255.255 0 0
static (inside,outside) TotalCare_server TOTALCARE netmask 255.255.255.255 0 0
static (inside,outside) Mkeowns_Alpha 192.100.100.206 netmask 255.255.255.255 0 0
static (inside,outside) SeagateReport_server NWREP netmask 255.255.255.255 0 0
static (inside,outside) PHC_server n-warks_Sun_OS netmask 255.255.255.255 0 0
static (inside,outside) Intranet_server TRUST netmask 255.255.255.255 0 0
static (inside,outside) EBA_server ESTATES netmask 255.255.255.255 0 0
static (inside,outside) ITweb_server WEBMAIL netmask 255.255.255.255 0 0
static (inside,outside) Content_Keeper_Ex Content_Keeper_Int netmask 255.255.255.255 0 0
static (inside,outside) Robin_Turton 192.100.140.251 netmask 255.255.255.255 0 0
static (inside,outside) Paul_GORDON_ext Paul_Gordon_Int netmask 255.255.255.255 0 0
static (inside,outside) E500_Webshield ESMTPRELAY_Virtual netmask 255.255.255.255 0 0
static (inside,outside) Robbie_Sharma 192.100.140.241 netmask 255.255.255.255 0 0
static (inside,outside) rugbyPCT_exchange 192.100.140.42 netmask 255.255.255.255 0 0
static (inside,outside) New_Finance_Sun_System warwick_SUN_OS netmask 255.255.255.255 0 0
static (inside,outside) EDS_SQL_Server NEW-SQL-SERVER netmask 255.255.255.255 0 0
static (inside,outside) New_Docs_Rep1_ext New_Docs_Rep1_Int netmask 255.255.255.255 0 0
static (inside,outside) New_Docs_Rep2_ext New_Docs_Rep2_Int netmask 255.255.255.255 0 0
static (inside,outside) New_Docs_Triage1_ext New_Docs_Triage1_Int netmask 255.255.255.255 0 0
static (inside,outside) New_Docs_Triage3_ext New_Docs_Triage3_Int netmask 255.255.255.255 0 0
static (inside,outside) New_Docs_Consult1_ext New_Docs_Consult1_Int netmask 255.255.255.255 0 0
static (inside,outside) New_Docs_Consult2_ext New_Docs_Consult2_Int netmask 255.255.255.255 0 0
static (inside,outside) New_Docs_Consult3_ext New_Docs_Consult3_Int netmask 255.255.255.255 0 0
static (inside,outside) New_Docs_Consult4_ext New_Docs_Consult4_Int netmask 255.255.255.255 0 0
static (inside,outside) New_Docs_Consult5_ext New_Docs_Consult5_Int netmask 255.255.255.255 0 0
static (inside,outside) New_Docs_VoiceRec_ext New_Docs_VoiceRec_Int netmask 255.255.255.255 0 0
static (inside,outside) New_Docs_LaserPrint_ext New_Docs_LaserPrint_Int netmask 255.255.255.255 0 0
static (inside,outside) New_Docs_Map_ext New_Docs_Map_Int netmask 255.255.255.255 0 0
static (inside,outside) New_Docs_Triage2_ext New_Docs_Triage2_Int netmask 255.255.255.255 0 0
static (inside,outside) Caroline_Culligan 192.168.1.53 netmask 255.255.255.255 0 0
static (inside,outside) New_Docs_Old1_Ext New_Docs_Old1_Int netmask 255.255.255.255 0 0
static (inside,outside) New_Docs_Old2_Ext New_Docs_Old2_Int netmask 255.255.255.255 0 0
static (inside,outside) KeyIT_Server KeyIT_Server_Int netmask 255.255.255.255 0 0
static (inside,outside) IT_Network_ECALCs_Server FINANCE-ECALCS netmask 255.255.255.255 0 0
static (inside,outside) Terminal_server TERMSERV1 netmask 255.255.255.255 0 0
static (inside,outside) Esmtprelay BARACUDA netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.46.105 ESMTPRELAY netmask 255.255.255.255 0 0
static (inside,outside) Mike_Graveney_Ext Mike_Graveney_Int netmask 255.255.255.255 0 0
static (inside,outside) ESR_FTP_Ext ESR_FTP_Int netmask 255.255.255.255 0 0
static (inside,DMZ) 192.100.140.0 192.100.140.0 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
access-group dmz_int in interface DMZ
route outside 0.0.0.0 0.0.0.0 xxx.xxx.46.1 1
route inside 160.100.100.0 255.255.255.0 192.100.140.1 1
route inside 161.100.100.0 255.255.255.0 192.100.140.1 1
route inside 162.100.100.0 255.255.255.0 192.100.140.1 1
route inside 164.100.100.0 255.255.255.0 192.100.140.1 1
route inside 165.100.100.0 255.255.255.0 192.100.140.1 1
route inside 166.100.100.0 255.255.255.0 192.100.140.1 1
route inside 167.100.100.0 255.255.255.0 192.100.140.1 1
route inside 168.100.100.0 255.255.255.0 192.100.140.1 1
route inside 172.20.0.0 255.255.0.0 192.100.140.1 1
route inside 172.80.0.0 255.255.0.0 192.100.140.1 1
route inside 172.85.0.0 255.255.0.0 192.100.140.1 1
route inside 172.221.0.0 255.255.0.0 192.100.140.1 1
route inside 173.20.0.0 255.255.0.0 192.100.140.1 1
route inside 179.100.0.0 255.255.0.0 192.100.140.1 1
route inside 179.100.100.0 255.255.255.0 192.100.140.1 1
route inside 179.100.110.0 255.255.255.0 192.100.140.1 1
route inside 180.80.0.0 255.255.0.0 192.100.140.1 1
route inside 181.20.0.0 255.255.0.0 192.100.140.1 1
route inside 182.100.100.0 255.255.255.0 192.100.140.1 1
route inside 183.100.100.0 255.255.255.0 192.100.140.1 1
route inside 184.100.100.0 255.255.255.0 192.100.140.1 1
route inside 186.100.100.0 255.255.255.0 192.100.140.1 1
route inside 187.100.100.0 255.255.255.0 192.100.140.1 1
route inside 188.100.100.0 255.255.255.0 192.100.140.1 1
route inside 190.100.100.0 255.255.255.0 192.100.140.1 1
route inside 191.100.0.0 255.255.0.0 192.100.140.1 1
route inside 192.100.100.0 255.255.255.0 192.100.140.1 1
route inside 192.100.101.0 255.255.255.0 192.100.140.1 1
route inside 192.100.102.0 255.255.255.0 192.100.140.1 1
route inside 192.100.103.0 255.255.255.0 192.100.140.1 1
route inside 192.100.104.0 255.255.255.0 192.100.140.1 1
route inside 192.100.105.0 255.255.255.0 192.100.140.1 1
route inside 192.100.110.0 255.255.255.0 192.100.140.1 1
route inside 192.100.130.0 255.255.255.0 192.100.140.1 1
route inside 192.100.150.0 255.255.255.0 192.100.140.1 1
route inside 192.100.160.0 255.255.255.0 192.100.140.1 1
route inside 192.100.180.0 255.255.255.0 192.100.140.1 1
route inside 192.100.210.0 255.255.255.0 192.100.140.1 1
route inside 192.101.0.0 255.255.0.0 192.100.140.1 1
route inside 192.101.160.0 255.255.255.0 192.100.140.1 1
route inside 192.110.100.0 255.255.252.0 192.100.140.1 1
route inside 192.110.104.0 255.255.254.0 192.100.140.1 1
route inside 192.119.101.0 255.255.255.0 192.100.140.1 1
route inside 192.120.101.0 255.255.255.0 192.100.140.1 1
route inside 192.168.0.0 255.255.0.0 192.100.140.1 1
route inside PBS 255.255.255.0 192.100.140.1 1
route inside 192.168.42.0 255.255.255.0 192.100.140.1 1
route inside 192.168.43.0 255.255.255.0 192.100.140.1 1
route inside 192.168.50.0 255.255.254.0 192.100.140.1 1
route inside 192.198.10.0 255.255.255.0 192.100.140.1 1
route inside 192.200.200.0 255.255.255.0 192.100.140.1 1
route inside 193.110.100.0 255.255.252.0 192.100.140.1 1
route inside 193.110.104.0 255.255.255.0 192.100.140.1 1
route inside 196.100.100.0 255.255.255.0 192.100.140.1 1
route inside 196.100.110.0 255.255.255.0 192.100.140.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
ntp server 192.168.1.1 source inside prefer
http server enable
http HPOV 255.255.255.255 inside
http 192.100.140.100 255.255.255.255 inside
http 192.100.140.240 255.255.255.240 inside
http IT_Department 255.255.255.240 inside
snmp-server host inside HPOV poll
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
tftp-server inside HPOV /firewall
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xx.xxx.44.4
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xx.xxx.44.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.100.140.0 255.255.255.0 inside
telnet IT_Department 255.255.255.240 inside
telnet timeout 30
ssh timeout 5
console timeout 2
username admin password xxxxxxxxxxxxxxx encrypted privilege 15
username bios password xxxxxxxxxxxxxxx encrypted privilege 15
terminal width 80
Cryptochecksum:09d89814d61618dea58a2081d2fe555b
: end
[OK]


Remote Site Config:

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname swiftpix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.100.140.0 PBS2
name 192.168.1.0 PBS
name 192.168.53.0 Rugby_CNN
name 172.120.0.0 Swift_Park
name 192.168.200.60 Rugby_WAN
access-list inside_outbound_nat0_acl permit ip Swift_Park 255.255.255.0 PBS2 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Swift_Park 255.255.255.0 PBS 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.200.0 255.255.255.0 PBS 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.200.0 255.255.255.0 PBS2 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Rugby_CNN 255.255.255.0 PBS 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Rugby_CNN 255.255.255.0 PBS2 255.255.255.0
access-list outside_cryptomap_20 permit ip Swift_Park 255.255.255.0 PBS2 255.255.255.0
access-list outside_cryptomap_20 permit ip Swift_Park 255.255.255.0 PBS 255.255.255.0
access-list outside_cryptomap_20 permit ip Rugby_WAN 255.255.255.252 PBS 255.255.255.0
access-list outside_cryptomap_20 permit ip Rugby_WAN 255.255.255.252 PBS2 255.255.255.0
access-list outside_cryptomap_20 permit ip Rugby_CNN 255.255.255.0 PBS 255.255.255.0
access-list outside_cryptomap_20 permit ip Rugby_CNN 255.255.255.0 PBS2 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.44.4 255.255.255.240
ip address inside 172.120.0.11 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Rugby_CNN 255.255.255.0 inside
pdm location PBS2 255.255.255.0 outside
pdm location PBS 255.255.255.255 outside
pdm location PBS 255.255.255.0 outside
pdm location xxx.xxx.46.0 255.255.255.0 outside
pdm location PBS 255.255.255.0 inside
pdm location Rugby_WAN 255.255.255.252 inside
pdm location 192.168.200.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.100.140.1 1
route inside Rugby_CNN 255.255.255.0 172.120.0.10 1
route inside Rugby_WAN 255.255.255.252 172.120.0.10 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.46.2
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.46.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:d9ee23dcd6e49f4a1cb234cd6f9019a5
: end
[OK]
0
 

Author Comment

by:PJRimmer
ID: 17137238
Spotted a couple of mismatches with subnet masks on the VPN tunnel config, I have corrected these and still have the same problems.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17138160
See this line;

>>crypto map outside_map 20 match address outside_cryptomap_20

The VPN will be enabled only for the networks defined in the access-list 'outside_cryptomap_20',

and so you have enabled vpn only for;

access-list outside_cryptomap_20 permit ip PBS 255.255.255.0 Swift_Park 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.100.140.0 255.255.255.0 Swift_Park 255.255.255.0
access-list outside_cryptomap_20 permit ip PBS 255.255.255.0 Rugby_WAN 255.255.255.252
access-list outside_cryptomap_20 permit ip 192.100.140.0 255.255.255.0 Rugby_WAN 255.255.255.252
access-list outside_cryptomap_20 permit ip PBS 255.255.255.0 Rugby_CNN 255.255.255.252
access-list outside_cryptomap_20 permit ip 192.100.140.0 255.255.255.0 Rugby_CNN 255.255.255.0

ONLY for the networks mentioned above, which are 192.100.140.x alone.

Say if you want to allow the 188.100.100.x network to traverse the VPN, you need to add that to this access-list as well;

So;

access-list outside_cryptomap_20 permit ip 188.100.100.0 255.255.255.0 Rugby_CNN 255.255.255.0

and also to avoid natting add an entry for 'nonat';

access-list inside_outbound_nat0_acl permit ip 188.100.100.0 255.255.255.0 Swift_Park 255.255.255.0

Got an idea now ? So if you want to add all the internal network to the vpn group, you'll have to add all those like above into both the access-lists. You need to do the same on the remote pix as well.

Cheers,
Rajesh

0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17138178
A slight modification on the second access-list;

access-list inside_outbound_nat0_acl permit ip 188.100.100.0 255.255.255.0 Rugby_CNN 255.255.255.0

This should give you a fair amount of idea on how VPN works. Let me know if you have problems understanding it.

As a first step, configure both PIXes for one network (Net A on PIX 1 and Net B on PIX 2). After the configurations are done, you'll be able to access Net A and Net B through the VPN.

Cheers,
Rajesh
0
 

Author Comment

by:PJRimmer
ID: 17138266
Thanks for that!

Can I use "any any" to define the interesting VPN traffic in the access-lists, instead of listing all of our internal networks individually?

i.e.

access-list outside_cryptomap_20 permit ip any any Rugby_CNN 255.255.255.0
and
access-list inside_outbound_nat0_acl permit ip any any Rugby_CNN 255.255.255.0
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17138315
That would be a problem. Imagine the situation wherein an internal machine wants to talk to www.yahoo.com. This request will match the access-list you defined, right? So the PIX will try to VPN it, which obviously wouldn't work.

Second problem: the 'inside_outbound_nat0_acl' will also match this traffic and won't do NAT, so the traffic coming from private IP ranges will not be NATted and thus won't reach the internet.

I'm sorry about this, but these are just machines; we can't really do anything about it. On the other side, it is very easy to add the access-lists: just copy the whole configuration to a notepad and add it there. Do a copy & paste for all the networks you need, then you only need to change the IP address part, correct?

Cheers,
Rajesh
0
 

Author Comment

by:PJRimmer
ID: 17138346
OK no probs, I can see that now!

However, even with the config I posted I can't access the 'Rugby_CNN' network from the 192.100.140.0 network.

Any ideas, and sorry to be a pain!
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 17138443
I believe it is because of this;

>>route inside 192.168.0.0 255.255.0.0 192.100.140.1 1

Cheers,
Rajesh
0
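The three checks made across this thread (rsivanandan's comments 17138160 and 17138315 on the crypto and 'nat 0' access-lists, and the accepted answer about the 'route inside 192.168.0.0 255.255.0.0' line) can be mechanised against a saved PIX config. The script below is an added example, not the poster's configuration or any Cisco tool. It works on a constructed excerpt modelled on the HQ PIX config: the 'name' mappings are assumed from the remote-site config (PBS=192.168.1.0, Rugby_CNN=192.168.53.0, Swift_Park=172.120.0.0), the outside gateway 203.0.113.1 is a placeholder for the masked xxx.xxx.46.1, and the two ACL names are the ones the HQ 'crypto map ... match address' and 'nat (inside) 0 access-list' lines reference. It reproduces the thread's diagnosis: a more specific non-outside route captures the remote network before the crypto map on the outside interface is ever consulted, and a network present in the crypto ACL but absent from the nat 0 ACL is encrypted with a NATted source.

```python
"""Added example: static checks for a PIX 6.3-style site-to-site VPN config.
Models the forwarding lookup, the crypto-map ACL and the nat 0 ACL with the
standard-library ipaddress module. Not the thread's config nor Cisco tooling."""
import ipaddress
from collections import defaultdict

# Constructed excerpt in the style of the HQ PIX above. 'name' lines are assumed
# from the remote-site config; 203.0.113.1 is a placeholder outside gateway.
SAMPLE_CONFIG = """
name 192.168.1.0 PBS
name 192.168.53.0 Rugby_CNN
name 172.120.0.0 Swift_Park
access-list inside_outbound_nat0_acl permit ip PBS 255.255.255.0 Swift_Park 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.100.140.0 255.255.255.0 Swift_Park 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.100.140.0 255.255.255.0 Rugby_CNN 255.255.255.0
access-list outside_cryptomap_20 permit ip PBS 255.255.255.0 Swift_Park 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.100.140.0 255.255.255.0 Swift_Park 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.100.140.0 255.255.255.0 Rugby_CNN 255.255.255.0
access-list outside_cryptomap_20 permit ip 188.100.100.0 255.255.255.0 Rugby_CNN 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.0.0 255.255.0.0 192.100.140.1 1
route inside 188.100.100.0 255.255.255.0 192.100.140.1 1
"""
# Same excerpt with the summary route the accepted answer points at removed.
FIXED_CONFIG = SAMPLE_CONFIG.replace("route inside 192.168.0.0 255.255.0.0 192.100.140.1 1\n", "")

CRYPTO_ACL = "outside_cryptomap_20"    # from "crypto map outside_map 20 match address"
NONAT_ACL = "inside_outbound_nat0_acl"  # from "nat (inside) 0 access-list"


def _parse_net(tokens, names):
    """Consume one PIX address operand: 'any', 'host X' or 'X MASK'; X may be a name."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    addr = names.get(tokens[0], tokens[0])
    return ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Collect name mappings, 'permit ip' ACL entries and static routes."""
    names, acls, routes = {}, defaultdict(list), []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _parse_net(t[4:], names)
            dst, _ = _parse_net(rest, names)
            acls[t[1]].append((src, dst))
        elif t[0] == "route":
            net = ipaddress.ip_network(f"{names.get(t[2], t[2])}/{t[3]}", strict=False)
            routes.append((t[1], net, t[4]))  # (interface, network, gateway)
    return {"acls": acls, "routes": routes}


def egress_interface(cfg, dst_ip):
    """Longest-prefix match over the static routes, as the forwarding lookup does."""
    dst = ipaddress.ip_address(dst_ip)
    best = max((r for r in cfg["routes"] if dst in r[1]),
               key=lambda r: r[1].prefixlen, default=None)
    return best[0] if best else None


def _acl_matches(cfg, acl, src, dst):
    return any(src in s and dst in d for s, d in cfg["acls"].get(acl, []))


def tunnel_verdict(cfg, src_ip, dst_ip):
    """Explain what the PIX would do with one packet from src_ip to dst_ip."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    iface = egress_interface(cfg, dst_ip)
    if iface != "outside":
        return f"not encrypted: routed out '{iface}', crypto map never consulted"
    if not _acl_matches(cfg, CRYPTO_ACL, src, dst):
        return "not encrypted: no match in crypto ACL, sent to internet"
    if not _acl_matches(cfg, NONAT_ACL, src, dst):
        return "encrypted but source NATted: missing nat 0 entry"
    return "encrypted"


def routes_shadowing_tunnel(cfg):
    """Remote networks in the crypto ACL that a non-outside route overlaps."""
    found = set()
    for _, dst in cfg["acls"].get(CRYPTO_ACL, []):
        for iface, net, _gw in cfg["routes"]:
            if iface != "outside" and (dst.subnet_of(net) or net.subnet_of(dst)):
                found.add((str(dst), iface, str(net)))
    return sorted(found)


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("summary route removed", FIXED_CONFIG)):
        cfg = parse_config(text)
        print(label, "| shadowing routes:", routes_shadowing_tunnel(cfg))
        print("  192.100.140.50 -> 192.168.53.10:", tunnel_verdict(cfg, "192.100.140.50", "192.168.53.10"))
        print("  188.100.100.5 -> 192.168.53.10:", tunnel_verdict(cfg, "188.100.100.5", "192.168.53.10"))
```

Run against a real 'write terminal' dump, the routes_shadowing_tunnel list is the thing to read first: any entry means the packet leaves on an inside interface and the crypto map bound to outside is irrelevant, exactly the symptom in this thread. Only once that list is empty do the crypto-ACL and nat 0 checks in tunnel_verdict say anything useful.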
 

Author Comment

by:PJRimmer
ID: 17138695
Indeed it is, I removed the route and it sprang into life!

Thanks very much for all your help on this, I am off to write some very long routing tables and access-lists!

Thanks again,
Paul.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17139346
I knew it :-) It was troubling me from the very first; see the post 07/18/2006 08:14AM PDT


Happy networking :-)

Cheers,
Rajesh
0
