
LAN to LAN VPN and remote client VPN

Posted on 2006-11-27
Last Modified: 2013-11-16
Question from a newbie. I have successfully set up a LAN to LAN VPN on my PIX 520. I would like to add remote VPN client access (using Cisco VPN Client 4.6). My question is: would this interfere with the LAN to LAN VPN?
Question by:rbrindisi

Expert Comment

by:calvinetter
ID: 18022115
Nope.  Client VPN & site-to-site VPN coexist just fine on a PIX.  There are some examples on Cisco's website, or search EE for existing examples.
     Cisco's IPSec/VPN config examples:
  http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

If you still need help after reviewing either of the above, please post your complete but "sanitized" PIX config (passwords removed, public IPs masked out like so: x.x.23.44).

cheers

Expert Comment

by:The_Kirschi
ID: 18022974
Well LAN-LAN VPN and client VPN can be configured on the same PIX without problems, but when you are connected with your VPN client you can only access the local LAN directly connected to the PIX. You will not be able to access data that is on the other side of a LAN-LAN VPN with your VPN client connection.

Author Comment

by:rbrindisi
ID: 18028144
How does this look?

isakmp enable outside
isakmp policy 3 encr 3des
isakmp policy 3 hash md5
isakmp policy 3 authentication pre-share
isakmp key ********  address 0.0.0.0 netmask 0.0.0.0

ip local pool mypool 192.168.x.x-192.168.y.y

access-list 103 permit ip 192.168.x.x 255.255.0.0 192.168.y.y 255.255.0.0
nat (inside) 0 access-list 103

crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto dynamic-map mymap 2 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp dynamic mymap
crypto map partner-map interface outside

vpngroup myvpn address-pool mypool
vpngroup myvpn dns-server 192.168.xxx.xxx
vpngroup myvpn wins-server 192.168.xxx.xxx
vpngroup myvpn split-tunnel 103
vpngroup myvpn idle-time 1800

sysopt connection permit-ipsec

Expert Comment

by:The_Kirschi
ID: 18028258
I think it looks quite good but instead of

isakmp key ********  address 0.0.0.0 netmask 0.0.0.0

you should configure the password at the vpngroup:

vpngroup myvpn password ********

Expert Comment

by:The_Kirschi
ID: 18028340
Also complete isakmp policy with the following statements:

isakmp policy 3 group 2
isakmp policy 3 lifetime 86400


Author Comment

by:rbrindisi
ID: 18030330

Can you tell me why I get this error when I try to create access-list 103?

Source address,mask <192.168.0.254,255.255.255.0> doesn't pair

access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.0.254 255.255.255.0

Thanks for all your help

Expert Comment

by:The_Kirschi
ID: 18030510
This is because 192.168.0.254 is a single host but 255.255.255.0 is a network mask. You have to use the host keyword.

Author Comment

by:rbrindisi
ID: 18030712

Would this be OK?

access-list 103 permit ip host 192.168.0.0 host 192.168.0.254

Expert Comment

by:The_Kirschi
ID: 18035158
No, this is not OK. It must look like this:

access-list 103 permit ip <network-ip> <netmask> host <host-ip>

But I guess you want all access to all vpn hosts (not only one) and also not to nat these.

So actually the access-list should look like this in your case:

access-list 103 permit ip <internal network-ip range> <netmask> <vpnpool ip-range><netmask>

Author Comment

by:rbrindisi
ID: 18040826
I successfully created a VPN connection using Cisco’s VPN 4.6 client. However, I am unable to ping the server or access any network shares. I ran the “show crypto ipsec sa” and “show crypto isakmp sa” and all look OK.  Any ideas?

Thanks for all your help

Expert Comment

by:The_Kirschi
ID: 18040899
What are the ip address ranges for internal network and vpn (mypool) ?
Could it be they overlap? What ip do you get on the vpn client (ipconfig /all) ?
Did you try to ping with the IP instead of the server name?

Author Comment

by:rbrindisi
ID: 18045147

Internal network range 192.168.0.1 - 192.168.0.254 255.255.255.0
VPN pool 192.168.0.239 - 192.168.0.249 (overlap??)
IPconfig/all on client gives me the 1st IP in the pool 192.168.0.239, the internal DNS and WINS server IP, but NO default gateway.
Unable to ping IP or server name

Thanks

Expert Comment

by:The_Kirschi
ID: 18045186
Yes they overlap, because VPNPool is part of the internal ip range.

Set the VPN pool to something else than the internal address range. For example 192.168.1.1 - 192.168.1.10.

Author Comment

by:rbrindisi
ID: 18045720
Still no good. Can't ping IP or server. The IPconfig/all is the same as above. I did check my syslog when I performed the ping and saw this error:

11-30-2006 09:51:43
Local4.Error 192.168.0.1 %PIX-3-305005: No translation group found for icmp src outside:192.168.1.1 dst inside:192.168.0.9 (type 8, code 0)


Expert Comment

by:The_Kirschi
ID: 18045906
Exactly your problem. It is related to NAT:

http://www.velocityreviews.com/forums/t296233-nat-translation.html

Did you change the access-list to fit the new VPN pool addresses? Do not ping the internal interface of the PIX through VPN. That does not work. Try ping a server or PC instead.


What do you think about upgrading the points a bit for all the answers? (I hope not to be impolite)

Author Comment

by:rbrindisi
ID: 18046344

I would be more than happy to upgrade the points. You have been both patient and very helpful.

Do you think the NATing problem is preventing the client from receiving the proper default gateway?

Expert Comment

by:The_Kirschi
ID: 18046402
No, I don't think the gateway is a problem but the nat seems to be. Normally you don't get any gateway address on the vpn client other than the ip address that is assigned to the client from the vpn ip pool.

Author Comment

by:rbrindisi
ID: 18049004

I seem to be hitting a brick wall!! I revised my configuration as suggested above but I’m still unable to connect.
If possible please review the attached configuration below, I'm sure I'm doing something dumb!!!

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd JEP3QpG8x0VOcc7x encrypted
hostname TTCPIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any
access-list 100 permit tcp any host 72.x.x.x eq pop3
access-list 100 permit tcp any host 72.x.x.x eq smtp
access-list 101 permit ip host 72.x.x.x 10.x.x.x.x 255.255.0.0
access-list 101 permit ip host 72.x.x.x host 172.x.x.x
access-list 101 permit ip host 72.x.x.x host 10.x.x.x
access-list 102 permit ip host 72.x.x.x host 192.168.0.11
access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap informational
logging host inside 192.168.0.20
mtu outside 1500
mtu inside 1500
ip address outside 72.x.x.x 255.255.255.x
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool 192.168.1.1-192.168.1.10
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
global (outside) 1 72.x.x.x
nat (inside) 0 access-list 101
nat (inside) 2 access-list 103 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 72.x.x.x 192.168.0.1 netmask 255.255.255.255 0 0
static (inside,outside) 72.x.x.x 192.168.0.11 netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 72.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-3des esp-sha-hmac
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto dynamic-map mymap 2 set transform-set strong-des
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer x.x.x.x
crypto map transam 1 set transform-set chevelle
crypto map partner-map 20 ipsec-isakmp dynamic mymap
crypto map partner-map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 3600
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash sha
isakmp policy 3 group 2
isakmp policy 3 lifetime 86400
vpngroup myvpn address-pool mypool
vpngroup myvpn dns-server 192.168.0.9
vpngroup myvpn wins-server 192.168.0.9
vpngroup myvpn split-tunnel 103
vpngroup myvpn idle-time 1800
vpngroup myvpn password ********
telnet timeout 30
ssh timeout 5
console timeout 0
terminal width 80
banner exec Unauthorized access will be PROSECUTED!

Accepted Solution

by:The_Kirschi (earned 250 total points)
ID: 18049347
Try changing this

nat (inside) 0 access-list 101
nat (inside) 2 access-list 103 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

to

nat (inside) 0 access-list 103
nat (inside) 2 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Expert Comment

by:The_Kirschi
ID: 18049376
What are you configuring this for?

static (inside,outside) 72.x.x.x 192.168.0.1 netmask 255.255.255.255 0 0
static (inside,outside) 72.x.x.x 192.168.0.11 netmask 255.255.255.255 0 0

Expert Comment

by:The_Kirschi
ID: 18049408
What is the "nat (inside) 2 access-list 103 0 0" for?

It won't have any effect if you do not have a "global (outside) 2". Except for nat 0, there always has to be a corresponding global command for each nat command.
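As an added example for this thread (not code from the original post, and nothing Cisco ships), the Python below applies the checks The_Kirschi made by eye to a constructed, sanitised config modelled on the one posted: address/mask pairing in access-list entries (the "doesn't pair" error), a client pool that overlaps the inside subnet, a client pool that the nat (inside) 0 exemption ACL does not cover as a destination (the condition behind the %PIX-3-305005 message on replies to a client), and nat (inside) N entries with no global (outside) N partner. It assumes one inside interface named `inside`, only `permit ip` access-list entries, and the sample addresses, function names and the BROKEN/FIXED configs are its own.

```python
"""Added example for this thread (not code from the post or from Cisco): static
checks over a PIX 6.3 remote-access VPN config. BROKEN and FIXED are constructed,
sanitised samples modelled on the configuration discussed above."""
import ipaddress
import re

# Constructed sample modelled on the thread's broken state.
BROKEN = """\
ip address inside 192.168.0.1 255.255.255.0
ip local pool mypool 192.168.0.239-192.168.0.249
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.0.254 255.255.255.0
global (outside) 1 72.0.2.10
nat (inside) 0 access-list 101
nat (inside) 2 access-list 103 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# Constructed sample of the remote-access side repaired: pool moved off the LAN,
# LAN-to-pool traffic exempted in the single nat 0 ACL, stray nat 2 removed.
FIXED = """\
ip address inside 192.168.0.1 255.255.255.0
ip local pool mypool 192.168.1.1-192.168.1.10
access-list 103 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
global (outside) 1 72.0.2.10
nat (inside) 0 access-list 103
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

def _parse_spec(tok, i):
    """Consume one ACE address spec at tok[i]: 'any', 'host X' or 'X MASK'.
    Raises ValueError when X has bits set outside MASK (the PIX 'doesn't pair' error)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=True), i + 2

def parse_acls(config):
    """Return ({acl_id: [(src_net, dst_net), ...]}, [pairing error strings])
    for 'permit ip' entries; other protocols are ignored in this example."""
    acls, errors = {}, []
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:4] != ["permit", "ip"]:
            continue
        try:
            src, i = _parse_spec(tok, 4)
            dst, _ = _parse_spec(tok, i)
        except ValueError as exc:
            errors.append(f"access-list {tok[1]}: {exc}")
            continue
        acls.setdefault(tok[1], []).append((src, dst))
    return acls, errors

def inside_subnet(config):
    """Subnet of the interface named 'inside' (the only inside interface assumed here)."""
    m = re.search(r"^ip address inside (\S+) (\S+)", config, re.M)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)

def local_pools(config):
    """{pool_name: (first_ip, last_ip)} from 'ip local pool NAME FIRST-LAST' lines."""
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M)}

def check_pool_overlap(config):
    """Pools that share addresses with the inside subnet (the thread's first bug)."""
    net = inside_subnet(config)
    return sorted(name for name, (lo, hi) in local_pools(config).items()
                  if lo <= net.broadcast_address and hi >= net.network_address)

def check_nat0_covers_pools(config):
    """Pools not exempted from NAT as a destination in the nat (inside) 0 ACL.
    PIX 6.3 takes one nat 0 access-list per interface, so every LAN-to-pool pair
    must live in that ACL; otherwise replies to a client have no xlate (%PIX-3-305005)."""
    acls, _ = parse_acls(config)
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    exempt = [dst for _, dst in acls.get(m.group(1), [])] if m else []
    return sorted(name for name, (lo, hi) in local_pools(config).items()
                  if not any(lo in d and hi in d for d in exempt))

def check_nat_globals(config):
    """nat (inside) N ids (N != 0) that have no matching global (outside) N."""
    nat_ids = {int(n) for n in re.findall(r"^nat \(inside\) (\d+)", config, re.M)}
    glob_ids = {int(n) for n in re.findall(r"^global \(outside\) (\d+)", config, re.M)}
    return sorted((nat_ids - {0}) - glob_ids)

def audit(config):
    """Run every check and return only the non-empty findings."""
    _, pairing = parse_acls(config)
    findings = {
        "acl_doesnt_pair": pairing,
        "pool_overlaps_inside": check_pool_overlap(config),
        "pool_not_nat_exempt": check_nat0_covers_pools(config),
        "nat_without_global": check_nat_globals(config),
    }
    return {k: v for k, v in findings.items() if v}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(cfg) or "clean")
```

Running it reports all four findings for the BROKEN sample and "clean" for FIXED. The pairing check is the same arithmetic the PIX applies: the address ANDed with the mask must equal the address, so `192.168.0.254 255.255.255.0` is rejected while `host 192.168.0.254` or `192.168.0.0 255.255.255.0` is accepted. The nat 0 coverage check is the one that explains the syslog message posted earlier: an inside host answering a client in the pool needs either an identity exemption or an xlate, and with the pool absent from the nat 0 ACL it has neither.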

Author Comment

by:rbrindisi
ID: 18053201
The static (inside,outside) 72.x.x.x 192.168.0.1 netmask 255.255.255.255 0 0 was entered by someone who is no longer here, so I am unsure what its for.

The static (inside,outside) 72.x.x.x 192.168.0.11 netmask 255.255.255.255 0 0 I entered to enable an outside IP to route to an inside IP used for a LAN to LAN VPN.

I thought I needed the nat (inside) 2 access-list 103 0 0 to nat my remote VPN users.

Author Comment

by:rbrindisi
ID: 18053219

Also

The nat (inside) 0 access-list 101 is used for my LAN to LAN VPN, which is running fine. If I change it, how would it be affected?

 

Expert Comment

by:The_Kirschi
ID: 18053230
You will keep the NAT rules but change the order in which they are applied.

Expert Comment

by:The_Kirschi
ID: 18053257
For security reasons you should not set

static (inside,outside) 72.x.x.x 192.168.0.11 netmask 255.255.255.255 0 0 (I am not sure if this will work at all)

but restrict to the ports that are needed, for example:

static (inside,outside) tcp 72.x.x.x https 192.168.0.11 https netmask 255.255.255.255 0 0

Author Comment

by:rbrindisi
ID: 18053328

I get this when I change the nat order:

TTCPIX(config)# nat (inside) 0 access-list 103
WARNING: access-list protocol or port will not be used

Expert Comment

by:The_Kirschi
ID: 18053366
I think you have to remove the old one first:

no nat (inside) 0

Author Comment

by:rbrindisi
ID: 18053402

Same

TTCPIX(config)# no nat (inside) 0
TTCPIX(config)# nat (inside) 0 access-list 103
WARNING: access-list protocol or port will not be used

Author Comment

by:rbrindisi
ID: 18084483
After a reboot for the PIX and some reconfiguration as per your recommendations my remote VPN client is up and running. Thanks for your help, and as promised I upped the points.

Bob