Solved

Pix to Pix Tunnel with VPN Access

Posted on 2006-11-01
Last Modified: 2013-11-16
I know this question has been asked in several forms, and has been answered most times also. But my question concerns setting up a site-to-site VPN with two PIX 506Es and a third PIX 506E at the main site to serve as a VPN headend. I want the VPN users to be able to access both sides of the tunnel. I have a working tunnel set up, and clients can talk across the tunnel fine. I also have the third PIX set up with VPN access at the main site and that works, but I can't get the PIX to allow the outside VPN traffic to access the far end of the tunnel. I know the previous questions were about two PIXes and that the packets can't come in and back out the same interface, but that isn't the case with this setup. I had a similar setup working about a year ago with two Netgear firewalls and a tunnel, and the PIX allowing the VPN clients access to both sides of the tunnel. I set the VPN PIX up the same (I think) way, and can't get it to work any more. Below are the nearend tunnel config and the vpnheadend config. Thanks for the help.

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname nearend
domain-name test.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.102.0 TunnelNear
name 192.168.103.0 TunnelFar
access-list inside_outbound_nat0_acl permit ip TunnelNear 255.255.255.0 TunnelFar 255.255.255.0
access-list outside_cryptomap_20 permit ip TunnelNear 255.255.255.0 TunnelFar 255.255.255.0
access-list outside_access_in permit icmp TunnelFar 255.255.255.0 any
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 64.xxx.xxx.219 255.255.255.248
ip address inside 192.168.102.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location TunnelFar 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.xxx.xxx.217 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http TunnelNear 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.xxx.xxx.220
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 64.xxx.xxx.220 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
: end

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname vpnheadend
domain-name test.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.102.0 TunnelNear
name 192.168.103.0 TunnelFar
access-list inside_outbound_nat0_acl permit ip any 192.168.102.96 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.102.96 255.255.255.224
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 64.xxx.xxx.218 255.255.255.248
ip address inside 192.168.102.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool newpool 192.168.102.100-192.168.102.125
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 64.xxx.xxx.217 1
route inside FarEnd 255.255.255.0 192.168.102.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http TunnelNear 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup thermo address-pool newpool
vpngroup thermo dns-server 192.168.102.10
vpngroup thermo wins-server 192.168.102.10
vpngroup thermo idle-time 1800
vpngroup thermo password ********
telnet TunnelNear 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
Question by: Thermo1

6 Comments

Expert Comment by lrmoore (LVL 79), ID: 17853594
VPN headend:
>ip address inside 192.168.102.2 255.255.255.0
>ip local pool newpool 192.168.102.100-192.168.102.125

Make the client pool a different subnet than your internal network, say 192.168.101.x
 access-list nonat permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
 access-list nonat permit ip 192.168.103.0 255.255.255.0 192.168.101.0 255.255.255.0
 access-list split_tunnel permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
 access-list split_tunnel permit ip 192.168.103.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup thermo split-tunnel split_tunnel
 
Add a route to this subnet on the nearend:
  route inside 192.168.101.0 255.255.255.0 192.168.102.2
Include the subnet in the nonat and vpn match acl
 access-list inside_outbound_nat0_acl permit ip TunnelNear 255.255.255.0 TunnelFar 255.255.255.0
 access-list inside_outbound_nat0_acl permit ip 192.168.101.0 255.255.255.0 TunnelFar 255.255.255.0
 access-list outside_cryptomap_20 permit ip TunnelNear 255.255.255.0 TunnelFar 255.255.255.0
 access-list outside_cryptomap_20 permit ip 192.168.101.0 255.255.255.0 TunnelFar 255.255.255.0

On FARSIDE, make a mirror image for nonat acl and crypto match acl that includes both TunnelNear subnet and 192.168.101.0 VPN users
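The two requirements in the comment above, that the nat 0 ACL on each PIX exempts the tunnel and VPN-pool traffic and that the far side's crypto match ACL is the exact mirror of the near side's, can be checked mechanically. This is an added example, not from the thread: it parses PIX 6.3 `name` and `access-list` lines; NEAREND is the nearend ACLs with the proposed 192.168.101.0 lines, and FARSIDE is a constructed far-end config that is missing the VPN-pool mirror line.

```python
import ipaddress
import re
# Constructed sample (not from the thread): nearend ACLs plus the 192.168.101.0 lines; FARSIDE lacks the VPN-pool mirror.
NEAREND = """
name 192.168.102.0 TunnelNear
name 192.168.103.0 TunnelFar
access-list inside_outbound_nat0_acl permit ip TunnelNear 255.255.255.0 TunnelFar 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.101.0 255.255.255.0 TunnelFar 255.255.255.0
access-list outside_cryptomap_20 permit ip TunnelNear 255.255.255.0 TunnelFar 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.101.0 255.255.255.0 TunnelFar 255.255.255.0
"""
FARSIDE = """
name 192.168.102.0 TunnelNear
name 192.168.103.0 TunnelFar
access-list nonat permit ip TunnelFar 255.255.255.0 TunnelNear 255.255.255.0
access-list nonat permit ip TunnelFar 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_cryptomap_20 permit ip TunnelFar 255.255.255.0 TunnelNear 255.255.255.0
"""
ACE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)

def to_net(addr, mask, names):
    """Resolve a PIX 'name' alias or the keyword 'any' to an ip_network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network((names.get(addr, addr), mask))

def parse_acls(config):
    """Return {acl_name: {(src_net, dst_net), ...}} for every permit-ip ACE."""
    names = {alias: ip for ip, alias in re.findall(r"^name (\S+) (\S+)$", config, re.M)}
    acls = {}
    for acl, src, smask, dst, dmask in ACE.findall(config):
        acls.setdefault(acl, set()).add((to_net(src, smask, names), to_net(dst, dmask, names)))
    return acls

def mirror_gap(local_crypto, peer_crypto):
    """Local crypto pairs whose reverse is missing on the peer: phase 2 needs exact mirrors."""
    return {(s, d) for s, d in local_crypto if (d, s) not in peer_crypto}

def nat_gap(crypto, nonat):
    """Crypto pairs not exempted by the nat 0 ACL: they get PATed and never match the crypto map."""
    return {(s, d) for s, d in crypto if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)}

def audit(local_cfg, crypto_acl, nonat_acl, peer_cfg, peer_crypto_acl):
    """Report both kinds of mismatch as (src, dst) string pairs; empty sets mean consistent."""
    local, peer = parse_acls(local_cfg), parse_acls(peer_cfg)
    crypto = local.get(crypto_acl, set())
    as_str = lambda pairs: {(str(s), str(d)) for s, d in pairs}
    return {"mirror": as_str(mirror_gap(crypto, peer.get(peer_crypto_acl, set()))),
            "nonat": as_str(nat_gap(crypto, local.get(nonat_acl, set())))}
```

Running `audit(NEAREND, "outside_cryptomap_20", "inside_outbound_nat0_acl", FARSIDE, "outside_cryptomap_20")` flags the 192.168.101.0/24 to 192.168.103.0/24 pair as unmirrored on FARSIDE, which is exactly the VPN-client-to-far-end traffic that would fail to bring up its SA.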
 
Author Comment by Thermo1 (LVL 1), ID: 17858007
I've tried something similar before, but whenever I make the VPN pool a different subnet from the inside interface, the client won't decrypt any packets, and I get no access to the local LAN. Below is VPNHEADEND with the changes.

VPNHEADEND:

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname vpnheadend
domain-name test.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.102.0 TunnelNear
name 192.168.103.0 TunnelFar
access-list nonat permit ip TunnelNear 255.255.255.0 192.168.104.0 255.255.255.0
access-list nonat permit ip TunnelFar 255.255.255.0 192.168.104.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.104.96 255.255.255.224
access-list split_tunnel permit ip TunnelNear 255.255.255.0 192.168.104.0 255.255.255.0
access-list split_tunnel permit ip TunnelFar 255.255.255.0 192.168.104.0 255.255.255.0
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 64.xxx.xxx.218 255.255.255.248
ip address inside 192.168.102.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool newpool 192.168.104.100-192.168.104.125
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 64.221.238.217 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http TunnelNear 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup thermo address-pool newpool
vpngroup thermo dns-server 192.168.102.10
vpngroup thermo split-tunnel split_tunnel
vpngroup thermo idle-time 1800
vpngroup thermo password ********
telnet TunnelNear 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end

Expert Comment by lrmoore (LVL 79), ID: 17862587
You're missing a route inside command:
   route inside 192.168.101.0 255.255.255.0 192.168.102.2

You will also have another problem with routing inside.
If the current default gateway for all local LAN users is the PIX, then it *will not* redirect traffic back to the vpnheadend PIX for traffic going to the VPN client subnet. This is a huge problem with this configuration. You almost have to have another router on a stick on the inside LAN just to be the default gateway and redirect packets to the appropriate PIX.
 
Author Comment by Thermo1 (LVL 1), ID: 17863768
Are you saying that if the vpnheadend PIX is the gateway to the internet, or the nearend/farend tunnel PIXes are the gateway to the internet, or in any situation, I will have this problem? I'm 99% sure I had a similar configuration working with two Netgear FVS318s as the tunnel and gateway, and the PIX on the side as VPN access to both sides of the tunnel.

Accepted Solution by lrmoore (LVL 79, earned 250 total points), ID: 17863780
Yes, that's what I'm saying. PIX is not a Netgear and does not behave the same way.

Author Comment by Thermo1 (LVL 1), ID: 17864052
Thank you much, that will have to be my temporary solution for now.