Solved

Site to Site / Client VPN w/Pix & ASA - Same Subnet - Routing issues

Posted on 2007-11-13
411 Views
Last Modified: 2012-08-13
I have a client who is wanting to adjust their VPN settings.  They currently have a VPN site to site established and also a client VPN.  They use the same subnet at both locations and just use different parts of the IP.  When at either location they can get to both sides of the VPN, but when someone uses a client into the ASA they can only access the ASA site and not the other site with the PIX.

They want to be able to get to both sides of the S2S VPN while using the client.  At this time changing the IP address is not an option.

Also, if any blatant command line errors could be pointed out, that would be appreciated.  Thanks.


Here is the PIX config:

pdx-pix# sh config
: Saved
: Written by enable_15 at 12:49:22.982 UTC Wed Nov 7 2007
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd  encrypted
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list No-Nat-Inside permit ip 172.16.200.128 255.255.255.128 172.16.200.0 255.255.255.128
access-list No-Nat-Inside permit ip 172.16.200.128 255.255.255.128 172.16.201.0 255.255.255.192
access-list No-Nat-Inside permit ip any 172.16.200.128 255.255.255.128
access-list No-Nat-Inside remark General Match
access-list Hermiston permit ip 172.16.200.128 255.255.255.128 172.16.200.0 255.255.255.128
access-list Hermiston permit ip 172.16.200.128 255.255.255.128 172.16.201.0 255.255.255.192
access-list Hermiston remark Match for Hermiston
access-list Hermiston permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list Hermiston permit ip 172.16.0.0 255.255.0.0 any
access-list Hermiston permit ip 192.168.250.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside_cryptomap_dyn_20 permit ip any 172.16.200.128 255.255.255.128
pager lines 24
logging on
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.206.121 255.255.255.248
ip address inside 172.16.200.129 255.255.255.128
ip audit info action alarm
ip audit attack action alarm
pdm location xx.xx.214.2 255.255.255.255 outside
pdm location 172.16.201.2 255.255.255.255 inside
pdm location 172.16.200.0 255.255.255.128 outside
pdm location 172.16.201.0 255.255.255.192 outside
pdm location xx.xx.214.0 255.255.255.224 outside
pdm location 172.16.200.128 255.255.255.128 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list No-Nat-Inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.126 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.200.128 255.255.255.128 inside
snmp-server host inside 172.16.201.2
snmp-server location Portland
snmp-server contact
snmp-server community tnx483z
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set Hermiston-set esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set Hermiston-set
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address Hermiston
crypto map newmap 10 set peer xx.xx.xx.18
crypto map newmap 10 set transform-set Hermiston-set
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.18 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 172.16.200.128 255.255.255.128 inside
telnet timeout 10
ssh xx.xx.xx.0 255.255.255.224 outside
ssh xx.xx.xx.120 255.255.255.248 outside
ssh xx.xx.xx.0 255.255.255.0 outside
ssh 172.16.200.128 255.255.255.128 inside
ssh timeout 30
console timeout 0
username  password  encrypted privilege 15
terminal width 80
banner motd #
Cryptochecksum:52406d921decdb8f81a4f13031014ad2
pdx-pix#

Here is the ASA:

office-fw# sh config
: Saved
: Written by enable_15 at 16:26:56.702 PST Wed Nov 7 2007
!
ASA Version 7.0(4)
!
hostname office-fw
enable password *********** encrypted
no names
name xx.xx.xx.38 Molokia-pix
name xx.xx.xx.51 WCVWiFi-pix
!
interface GigabitEthernet0/0
 description office-fw-outside.ezwireless.us (vlan 5)
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address xx.xx.xx.18 255.255.255.224
!
interface GigabitEthernet0/1
 description office-fw-inside.ezwireless.us (trunk)
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.14
 description office-inside.ezwireless.local (vlan 14)
 vlan 14
 nameif inside
 security-level 100
 ip address 172.16.200.1 255.255.255.128
!
interface GigabitEthernet0/2
 description office-dmz.ezwireless.local (vlan 16)
 speed 100
 duplex full
 nameif dmz
 security-level 50
 ip address 172.16.201.1 255.255.255.192
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd **************** encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.128 172.16.10.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.128 192.168.250.192 255.255.255.192
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.128 172.16.100.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.201.0 255.255.255.192 172.16.10.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.201.0 255.255.255.192 172.16.200.128 255.255.255.128
access-list No-Nat extended permit ip 172.16.201.0 255.255.255.192 172.16.100.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.128 172.16.201.0 255.255.255.192
access-list No-Nat extended permit ip 172.19.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.201.0 255.255.255.192 172.16.200.0 255.255.255.128
access-list No-Nat remark General Non-Nat ACL
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.128 172.16.200.128 255.255.255.128
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.0 192.168.250.192 255.255.255.192
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.0 172.16.201.0 255.255.255.192
access-list No-Nat extended permit ip 172.16.200.0 255.255.255.0 172.16.200.128 255.255.255.128
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 192.168.250.192 255.255.255.192
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 172.16.201.0 255.255.255.192
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 172.16.200.128 255.255.255.128
access-list No-Nat extended permit ip 172.16.200.128 255.255.255.128 any
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 any
access-list Molokia extended permit ip 172.16.200.0 255.255.255.128 172.16.10.0 255.255.255.0
access-list Molokia extended permit ip 172.16.201.0 255.255.255.192 172.16.10.0 255.255.255.0
access-list Molokia remark Molokia Site ACL
access-list split1 standard permit 172.16.200.0 255.255.255.128
access-list split1 remark VPN Client Split Group
access-list split1 standard permit 172.16.0.0 255.255.0.0
access-list split1 standard permit any
access-list WCVWiFi extended permit ip 172.16.200.0 255.255.255.128 172.16.100.0 255.255.255.0
access-list WCVWiFi extended permit ip 172.16.201.0 255.255.255.192 172.16.100.0 255.255.255.0
access-list WCVWiFi extended permit ip 172.19.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list WCVWiFi remark WillowCreak Valley Site ACL
access-list ezWlocal extended permit tcp any host xx.xx.xx.13 eq www
access-list ezWlocal extended permit tcp any host xx.xx.xx.22 eq smtp
access-list ezWlocal extended permit tcp any host xx.xx.xx.22 eq https
access-list ezWlocal extended permit tcp any host xx.xx.xx.22 eq 993
access-list ezWlocal extended permit tcp any host xx.xx.xx.22 eq 995
access-list ezWlocal extended permit tcp any host xx.xx.xx.13 eq https
access-list PDX extended permit ip 172.16.200.0 255.255.255.128 172.16.200.128 255.255.255.128
access-list PDX extended permit ip 172.16.201.0 255.255.255.192 172.16.200.128 255.255.255.128
access-list PDX remark PDX-Office Site ACL
access-list PDX extended permit ip 192.168.250.0 255.255.255.0 any
access-list inside_cryptomap_12 extended permit ip 172.16.200.128 255.255.255.128 172.16.200.0 255.255.255.0
access-list inside_cryptomap_12 extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool ClientPool 192.168.250.193-192.168.250.254
no failover
icmp permit any unreachable outside
icmp permit any inside
icmp permit any echo-reply inside
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.21
nat (inside) 0 access-list No-Nat
nat (inside) 1 172.16.200.0 255.255.255.128
nat (dmz) 0 access-list No-Nat
static (inside,outside) tcp xx.xx.xx.13 www 172.16.200.20 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.22 smtp 172.16.200.4 smtp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.22 https 172.16.200.4 https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.13 https 172.16.200.20 https netmask 255.255.255.255
access-group ezWlocal in interface outside
route outside 0.0.0.0 0.0.0.0 216.110.214.1 1
route dmz 172.19.0.0 255.255.255.0 172.16.201.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ezWireless internal
group-policy ezWireless attributes
 dns-server value 172.16.200.2
 vpn-idle-timeout 180
 vpn-session-timeout 180
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split1
 webvpn
username ****** password ********* encrypted privilege 15
username *********** password ********* encrypted privilege 15
username ************* password ************* encrypted privilege 15
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.16.0.0 255.255.0.0 management
snmp-server host dmz 172.16.201.2 community tnx483z version 2c
snmp-server host outside 216.110.214.12 community wireless version 2c
snmp-server location Hermiston
snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Molokia-set esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set WCVWiFi-set esp-3des esp-md5-hmac
crypto ipsec transform-set PDX-set esp-3des esp-md5-hmac
crypto dynamic-map dynmap 90 set transform-set myset
crypto map newmap 10 match address Molokia
crypto map newmap 10 set peer xx.xx.xx.38
crypto map newmap 10 set transform-set Molokia-set
crypto map newmap 11 match address WCVWiFi
crypto map newmap 11 set peer xx.xx.xx.51
crypto map newmap 11 set transform-set WCVWiFi-set
crypto map newmap 12 match address PDX
crypto map newmap 12 set peer xx.xx.xx.121
crypto map newmap 12 set transform-set PDX-set
crypto map newmap 90 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
crypto map outside 12 match address inside_cryptomap_12
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) none
tunnel-group ezWireless type ipsec-ra
tunnel-group ezWireless general-attributes
 address-pool Clientpool
 authentication-server-group (outside) none
 default-group-policy ezWireless
tunnel-group ezWireless ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.38 type ipsec-l2l
tunnel-group xx.xx.xx.38 ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.51 type ipsec-l2l
tunnel-group xx.xx.xx.51 ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.121 type ipsec-l2l
tunnel-group xx.xx.xx.121 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh xx.xx.xx.0 255.255.255.0 outside
ssh xx.xx.xx.0 255.255.255.0 outside
ssh xx.xx.xx.120 255.255.255.248 outside
ssh xx.xx.xx.120 255.255.255.252 outside
ssh xx.xx.xx.0 255.255.255.0 outside
ssh 172.16.0.0 255.255.0.0 inside
ssh 172.16.200.0 255.255.255.128 inside
ssh 172.16.200.128 255.255.255.128 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect icmp error
!
service-policy global_policy global
ntp server 216.110.214.9 source outside prefer
Cryptochecksum:0ea1879c0c8b4557cfb4325353bf738b
office-fw#
Question by:DMTechGrooup
2 Comments
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
To PIX config, delete:

access-list Hermiston permit ip 192.168.250.0 255.255.255.0 172.16.0.0 255.255.0.0

and add these:

access-list No-Nat-Inside permit ip 172.16.200.128 255.255.255.128 192.168.250.0 255.255.255.0
access-list Hermiston permit ip 172.16.200.128 255.255.255.128 192.168.250.0 255.255.255.0

To ASA config, delete:

access-list PDX extended permit ip 192.168.250.0 255.255.255.0 any

and add these:

same-security-traffic permit intra-interface
access-list PDX extended permit ip 192.168.250.0 255.255.255.0 172.16.200.128 255.255.255.128

You can probably delete the following statements from the ASA as well:

access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 192.168.250.192 255.255.255.192
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list No-Nat extended permit ip 192.168.250.0 255.255.255.0 any

Overall, it looks like someone has been adding a lot of stuff just troubleshooting the issue and a fair bit of it should be removed.  However, in such a situation, I would do this one statement at a time, test to make sure everything still works, and try the next one.
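The ACL half of the fix above comes down to two invariants: each firewall's crypto ACL for the site-to-site tunnel must be the exact mirror (source and destination swapped) of its peer's, and every crypto entry must be covered by a nat 0 entry so the traffic is not PAT'd before encryption. The following is an added audit script, not part of the thread or Cisco's tooling; it is fed a constructed subset of the PIX and ASA ACLs from this question (only the entries involved in the client-pool flow) and then the same lines with the accepted answer's changes applied. The `same-security-traffic permit intra-interface` part of the fix is a hairpin setting on the ASA and is outside what an ACL comparison can check.

```python
# Added example (constructed): audit mirrored crypto ACLs and nat 0 coverage
# for a PIX/ASA site-to-site tunnel. Input lines are a subset of this thread's
# configs, with the accepted answer's edits applied for the "after" case.
import ipaddress

def parse_acl(lines):
    """Return {acl_name: [(src_net, dst_net), ...]} from 'permit ip' ACL lines.
    Remarks, standard ACLs and tcp/udp entries are skipped; 'any' is 0.0.0.0/0."""
    acls = {}
    for line in lines:
        t = [tok for tok in line.split() if tok != "extended"]
        if len(t) < 7 or t[0] != "access-list" or t[2] != "permit" or t[3] != "ip":
            continue
        def net(tokens):  # consume 'any' or 'addr mask', return (network, rest)
            if tokens[0] == "any":
                return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
            return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]
        src, rest = net(t[4:])
        dst, _ = net(rest)
        acls.setdefault(t[1], []).append((src, dst))
    return acls

def unmirrored(local, remote):
    """Crypto entries whose swapped (dst, src) counterpart is missing on the peer."""
    return [(s, d) for s, d in local if (d, s) not in remote]

def not_exempted(crypto, nonat):
    """Crypto entries not fully covered by any nat 0 entry (would be PAT'd first)."""
    return [(s, d) for s, d in crypto
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)]

def audit(pix_lines, asa_lines):
    pix, asa = parse_acl(pix_lines), parse_acl(asa_lines)
    return {"pix_unmirrored": unmirrored(pix["Hermiston"], asa["PDX"]),
            "asa_unmirrored": unmirrored(asa["PDX"], pix["Hermiston"]),
            "pix_not_exempted": not_exempted(pix["Hermiston"], pix["No-Nat-Inside"])}

PIX_BEFORE = """access-list No-Nat-Inside permit ip 172.16.200.128 255.255.255.128 172.16.200.0 255.255.255.128
access-list No-Nat-Inside permit ip 172.16.200.128 255.255.255.128 172.16.201.0 255.255.255.192
access-list No-Nat-Inside permit ip any 172.16.200.128 255.255.255.128
access-list Hermiston permit ip 172.16.200.128 255.255.255.128 172.16.200.0 255.255.255.128
access-list Hermiston permit ip 172.16.200.128 255.255.255.128 172.16.201.0 255.255.255.192
access-list Hermiston remark Match for Hermiston
access-list Hermiston permit ip 192.168.250.0 255.255.255.0 172.16.0.0 255.255.0.0""".splitlines()
ASA_BEFORE = """access-list PDX extended permit ip 172.16.200.0 255.255.255.128 172.16.200.128 255.255.255.128
access-list PDX extended permit ip 172.16.201.0 255.255.255.192 172.16.200.128 255.255.255.128
access-list PDX extended permit ip 192.168.250.0 255.255.255.0 any""".splitlines()

# Apply the accepted answer: drop the reversed/over-broad entries, add specific ones.
PIX_AFTER = [l for l in PIX_BEFORE if "192.168.250.0 255.255.255.0 172.16.0.0" not in l] + [
    "access-list No-Nat-Inside permit ip 172.16.200.128 255.255.255.128 192.168.250.0 255.255.255.0",
    "access-list Hermiston permit ip 172.16.200.128 255.255.255.128 192.168.250.0 255.255.255.0"]
ASA_AFTER = [l for l in ASA_BEFORE if "192.168.250.0 255.255.255.0 any" not in l] + [
    "access-list PDX extended permit ip 192.168.250.0 255.255.255.0 172.16.200.128 255.255.255.128"]

if __name__ == "__main__":
    for label, data in (("before", audit(PIX_BEFORE, ASA_BEFORE)), ("after", audit(PIX_AFTER, ASA_AFTER))):
        print(label, {k: [f"{s} -> {d}" for s, d in v] for k, v in data.items()})
```

Before the fix the audit flags the PIX entry `192.168.250.0/24 -> 172.16.0.0/16` on both checks (it is written from the remote side's perspective and has no nat 0 cover) and the ASA's `192.168.250.0/24 -> any`; after the answer's edits all three lists are empty.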
LVL 24

Author Comment

by:DMTechGrooup
Worked great, thanks!