Solved

Need assistance with VPN between Cisco 1841 and Pix - Remote location cannot access 2 internal subnets

Posted on 2008-10-08
Last Modified: 2010-04-21
I have a remote location that has a Cisco 1841 which has a VPN back to corporate, where we have a PIX 515E. We have two internal subnets (192.168.0.* and 192.168.2.*); I need the remote location to be able to access both subnets. Currently, the remote location can see all of 192.168.0.*. I am extremely new at all of this!!

Here is a partial PIX config:
: Written by enable_15 at 09:29:41.091 CDT Wed Oct 8 2008
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto

...

fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 4112
fixup protocol http 8080
fixup protocol http 8089
fixup protocol http 8443
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
...

name 192.168.77.0 Oesa_Kmit
object-group service Base_Inet_dns tcp
  port-object eq whois
  port-object eq www
  port-object eq domain
  port-object eq smtp
  port-object eq ldaps
  port-object eq ftp
  port-object eq https
  port-object eq ldap
  port-object eq 402
  port-object eq 1935
  port-object eq 401
  port-object eq 43190
  port-object eq 1680
  port-object eq 4952
  port-object eq 4951
  port-object eq 4950
  port-object eq 3829
  port-object eq 1010
  port-object eq 1759
  port-object eq 1758
  port-object eq 43189
  port-object eq 4949
  port-object range 10113 10115
  port-object eq 8506
  port-object eq 8510
object-group service NetBios_ports udp
  port-object eq netbios-ns
  port-object eq netbios-dgm
access-list inbound permit icmp any any
access-list inbound permit tcp any host 38.158.46.122 eq www
access-list inbound permit tcp any host 38.158.46.122 eq 3389
access-list inbound permit tcp any host 38.158.46.123 eq www
access-list inbound permit tcp any host 38.158.46.118 eq www
access-list inbound permit tcp any host 38.158.46.118 eq domain
access-list inbound permit udp any host 38.158.46.118 eq domain
access-list inbound permit tcp any host 38.158.46.121 eq domain
access-list inbound permit udp any host 38.158.46.121 eq domain
access-list inbound permit tcp any host 38.158.46.120 eq 9413
access-list inbound permit udp any host 38.158.46.120 eq 9413
access-list inbound permit tcp any host 38.158.46.119 eq smtp
access-list inbound permit tcp any host 38.158.46.119 eq pop3
access-list inbound permit tcp any host 38.158.46.119 eq www
access-list inbound permit tcp any host 38.158.46.119 eq https
access-list inbound remark IIS Server
access-list inbound permit tcp any host 38.158.46.117 eq www
access-list inbound permit esp any any
access-list inbound permit ah any any
access-list inbound permit udp any any eq isakmp
access-list inbound permit tcp any eq smtp any eq smtp
access-list inbound permit tcp any host 38.158.46.114 eq 6881
access-list inbound permit tcp any host 38.158.46.117 eq 8080
access-list inbound permit tcp any host 38.158.46.117 eq ftp
access-list inbound permit tcp any host 38.158.46.117 eq 402
access-list inbound permit udp host 38.158.46.113 host 38.158.46.118 eq syslog
access-list inbound permit udp any any eq syslog
access-list inbound permit udp host 38.158.46.113 host 192.168.0.5 eq syslog
access-list inbound permit tcp any host 38.158.46.125 object-group Base_Inet_dns
access-list inbound permit tcp any host 38.158.46.117 eq 16386
access-list inbound permit tcp any host 38.158.46.124 object-group Base_Inet_dns
access-list inbound permit tcp any host 38.158.46.126 object-group Base_Inet_dns
access-list inbound remark HMS_MPDQ_SERVER
access-list inbound permit tcp any host 38.158.46.116 object-group Base_Inet_dns
access-list inbound permit tcp any host 38.158.46.116 eq 3389
access-list inbound permit udp any host 38.158.46.116 eq www
access-list inbound permit tcp any host 38.158.46.117 eq 8530
access-list inbound permit tcp any host 38.158.46.115 object-group Base_Inet_dns
access-list inbound permit tcp any host 38.158.46.119 eq imap4
access-list inbound permit tcp any host 38.158.46.119 eq 993
access-list inbound permit udp any host 38.158.46.121 eq snmp
access-list inbound permit udp any host 38.158.46.121 eq snmptrap
access-list inbound permit tcp any host 38.158.46.124 eq 3389

access-list inbound permit udp host 26.17.14.206 host 38.158.46.121 eq tftp
access-list NONAT permit ip 192.168.0.0 255.255.255.0 10.100.100.0 255.255.255.0
access-list NONAT permit ip any 10.100.100.0 255.255.255.192

access-list NONAT permit ip 192.168.0.0 255.255.255.0 Oesa_Kmit 255.255.255.0
access-list NONAT permit ip 192.168.2.0 255.255.255.0 Oesa_Kmit 255.255.255.0
access-list NONAT permit ip 192.168.2.0 255.255.255.0 10.100.100.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.100.100.0 255.255.255.192
access-list P2P deny tcp any 128.121.20.0 255.255.255.240 eq www
access-list P2P deny tcp any 128.121.4.0 255.255.255.0 eq www
access-list P2P deny tcp any any eq 4662
access-list P2P permit ip any any
access-list outbound permit udp any any log

access-list outside_cryptomap_250 permit ip 192.168.0.0 255.255.255.0 Oesa_Kmit 255.255.255.0
access-list outside_cryptomap_250 remark Oesa_Kmit
access-list outside_cryptomap_250 permit ip 192.168.2.0 255.255.255.0 Oesa_Kmit 255.255.255.0
pager lines 24
logging on
logging timestamp
logging monitor errors
logging buffered informational
logging trap informational
logging history informational
logging facility 22
logging host inside 192.168.0.17
mtu outside 1500
mtu inside 1500
ip address outside 38.158.46.114 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNIPPOOL 10.100.100.1-10.100.100.50
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 192.168.0.5 255.255.255.255 inside
pdm location 192.168.0.6 255.255.255.255 inside
pdm location 192.168.0.9 255.255.255.255 inside
pdm location 192.168.0.10 255.255.255.255 inside
pdm location 192.168.0.12 255.255.255.255 inside
pdm location 192.168.0.17 255.255.255.255 inside
pdm location 10.100.100.0 255.255.255.0 outside
pdm location 192.168.0.20 255.255.255.255 inside
pdm location 192.168.0.13 255.255.255.255 inside
pdm location 192.168.0.8 255.255.255.255 inside
pdm location 128.121.4.0 255.255.255.0 outside
pdm location 128.121.20.0 255.255.255.240 outside
pdm location 192.168.0.14 255.255.255.255 inside
pdm location 192.168.0.23 255.255.255.255 inside
pdm location 192.168.0.48 255.255.255.255 inside
pdm location 192.168.0.41 255.255.255.255 inside
pdm location 192.168.35.0 255.255.255.0 inside
pdm location 192.168.35.0 255.255.255.0 outside
pdm location 192.168.0.108 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.0.201 255.255.255.255 inside
pdm location 192.168.26.0 255.255.255.0 inside
pdm location 192.168.26.0 255.255.255.0 outside
pdm location 192.168.0.11 255.255.255.255 inside
pdm location Oesa_Kmit 255.255.255.0 inside
pdm location Oesa_Kmit 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 38.158.46.120 192.168.0.9 netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.121 192.168.0.17 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.122 192.168.0.12 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.123 192.168.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.118 192.168.0.5 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.119 192.168.0.8 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.117 192.168.0.14 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.126 192.168.0.215 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.125 192.168.0.20 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.116 192.168.0.201 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.115 192.168.0.11 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.124 192.168.0.203 dns netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group P2P in interface inside
conduit permit udp host 192.168.0.22 eq 9996 any
route outside 0.0.0.0 0.0.0.0 38.158.46.113 1
route inside 192.168.2.0 255.255.255.0 192.168.0.101 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 192.168.0.20 cisco timeout 10
http server enable
http 192.168.0.0 255.255.255.0 inside
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 250 ipsec-isakmp
crypto map outside_map 250 match address outside_cryptomap_250
crypto map outside_map 250 set peer 26.17.14.206
crypto map outside_map 250 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 26.17.14.206 netmask 255.255.255.255 no-xauth no-config-mode
isakmp peer ip 65.26.45.34 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 40 authentication rsa-sig
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup ***** address-pool VPNIPPOOL
vpngroup ***** dns-server 192.168.0.20 192.168.0.6
vpngroup ***** default-domain reliantholdingsllc.com
vpngroup ***** split-tunnel CLIENTVPN
vpngroup ***** idle-time 1800
vpngroup ***** password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80

And here is the remote config:
Using 5800 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Oesa_Kmit
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication ppp default local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool POOL-DHCP
   network 192.168.75.0 255.255.255.0
   default-router 192.168.75.1
   dns-server 192.168.0.6 192.168.0.20 12.127.17.72 12.127.16.68
   domain-name headquarters
!
!
ip domain name ****
ip name-server 12.127.17.72
ip name-server 12.127.16.68
vpdn enable
!
vpdn-group RELIANTOD-VPN
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
!
crypto pki trustpoint TP-self-signed-1082382151
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1082382151
 revocation-check none
 rsakeypair TP-self-signed-1082382151
!
!
crypto pki certificate chain TP-self-signed-1082382151
 certificate self-signed 01 nvram:IOS-Self-Sig#3101.cer
username **** password 0 ***********
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key oesa_kmit address 38.158.46.114 no-xauth
!
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
!
crypto map Oesa_Kmit 10 ipsec-isakmp
 set peer 38.158.46.114
 set transform-set ESP-DES-MD5
 match address vpn_tunnel
!
!        
!
interface FastEthernet0/0
 description NTS LAN Connection
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Local Internetwork
 ip address 192.168.75.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 ip virtual-reassembly
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0/0/0.100 point-to-point
 ip address 26.17.14.206 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 frame-relay interface-dlci 100 IETF  
 crypto map Oesa_Kmit
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 peer default ip address pool defaultpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
router rip
 version 2
 passive-interface Serial0/0/0
 network 192.168.75.0
 no auto-summary
!        
ip local pool defaultpool 192.168.75.170 192.168.75.180
ip classless
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 26.17.14.205
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface Serial0/0/0.100 overload
ip nat inside source static tcp 192.168.75.150 3389 26.17.14.206 3389 extendable
!
ip access-list extended NAT
 deny   ip 192.168.75.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.100.100.0 0.0.0.255 any
 permit ip 192.168.75.0 0.0.0.255 any
 deny   ip 192.168.75.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 10.100.100.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended vpn_tunnel
 permit ip 192.168.75.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.75.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 60 permit 38.158.46.121
access-list 60 deny   any
snmp-server community public RO
snmp-server community topsecret RW 60
snmp-server location Oesa_Kmit
snmp-server enable traps tty
route-map nonat permit 10
 match ip address NAT
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
end
Question by: reliantit

Accepted Solution by: lrmoore
The access list is not in the proper order on the 1841:

ip access-list extended NAT
 deny   ip 192.168.75.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.100.100.0 0.0.0.255 any
 permit ip 192.168.75.0 0.0.0.255 any <== hit first
 deny   ip 192.168.75.0 0.0.0.255 192.168.2.0 0.0.0.255  <== must be higher
 deny   ip 10.100.100.0 0.0.0.255 192.168.2.0 0.0.0.255


Proper:
ip access-list extended NAT
 deny   ip 192.168.75.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 192.168.75.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.100.100.0 0.0.0.255 any
 permit ip 192.168.75.0 0.0.0.255 any
 deny   ip 10.100.100.0 0.0.0.255 192.168.2.0 0.0.0.255


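The accepted answer's point, first-match ordering in the route-map ACL, can be checked offline. What follows is an added example in Python, not code from the original thread or from either device: it parses the ACLs exactly as posted above (the 1841's NAT and vpn_tunnel lists, the answer's reordered NAT list, and the PIX NONAT and outside_cryptomap_250 lists), applies the IOS inside-to-outside order of operations (NAT before the crypto map) and the PIX 'nat (inside) 0' exemption, and classifies a constructed remote host 192.168.75.10 talking to each corporate subnet and to one Internet address. Assumptions: the PIX 'name Oesa_Kmit' is taken to be the remote LAN 192.168.75.0/24 that the 1841 config shows (the posted PIX config maps that name to 192.168.77.0, which would match neither subnet and contradicts the question's statement that 192.168.0.x works, so it is treated here as a transcription difference); the host and Internet addresses are made up for the example.

```python
"""Added example, not code from the original thread: replay Cisco first-match ACL
evaluation over the ACLs posted above (transcribed from the 1841 and PIX configs and
the accepted answer) to show why 192.168.2.0/24 never entered the tunnel.  Assumption:
PIX 'name Oesa_Kmit' is the remote LAN 192.168.75.0/24 (the posted PIX says 192.168.77.0)."""
import ipaddress
PIX_NAMES = {"Oesa_Kmit": "192.168.75.0"}  # assumption, see docstring

def _take_net(fields, names, wildcard):
    """Consume 'any' or 'NET MASK' (IOS wildcard or PIX mask); 'host' is unused here."""
    if fields[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), fields[1:]
    mask = int(ipaddress.IPv4Address(fields[1]))
    if wildcard:                  # IOS ACLs use inverse (wildcard) masks
        mask ^= 0xFFFFFFFF
    net = (names.get(fields[0], fields[0]), str(ipaddress.IPv4Address(mask)))
    return ipaddress.ip_network(net, strict=False), fields[2:]

def parse_acl(text, names=None, wildcard=True):
    """[(action, src_net, dst_net)] in listed order, from IOS named-ACL lines or
    PIX 'access-list NAME ...' lines; only 'ip' entries, remarks skipped."""
    names, rules = names or {}, []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[:1] == ["access-list"]:
            parts = parts[2:]
        if len(parts) < 4 or parts[0] not in ("permit", "deny") or parts[1] != "ip":
            continue
        src, rest = _take_net(parts[2:], names, wildcard)
        dst, _ = _take_net(rest, names, wildcard)
        rules.append((parts[0], src, dst))
    return rules

def first_match(rules, src, dst):
    """First matching entry wins; falling off the end is the implicit deny (None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((a for a, sn, dn in rules if s in sn and d in dn), None)

def router_1841_path(nat_acl, crypto_acl, src, dst):
    """IOS inside-to-outside: NAT runs before the crypto map is consulted, so a
    packet the NAT ACL permits is PATed and no longer matches the crypto ACL."""
    if first_match(nat_acl, src, dst) == "permit":
        src = "26.17.14.206"      # Serial0/0/0.100, the 1841's overload address
    return "encrypted" if first_match(crypto_acl, src, dst) == "permit" else "cleartext"

def pix_path(nonat_acl, crypto_acl, src, dst):
    """PIX 6.3: 'nat (inside) 0 access-list NONAT' exempts matches from NAT;
    everything else is PATed by 'nat (inside) 1' to the outside interface."""
    if first_match(nonat_acl, src, dst) != "permit":
        src = "38.158.46.114"     # 'global (outside) 1 interface'
    return "encrypted" if first_match(crypto_acl, src, dst) == "permit" else "cleartext"

def is_mirror(acl_a, acl_b):
    """Peer crypto ACLs must mirror exactly, or only one direction is selected."""
    return ({(s, d) for a, s, d in acl_a if a == "permit"}
            == {(d, s) for a, s, d in acl_b if a == "permit"})

NAT_ORIGINAL = """
 deny   ip 192.168.75.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.100.100.0 0.0.0.255 any
 permit ip 192.168.75.0 0.0.0.255 any
 deny   ip 192.168.75.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 10.100.100.0 0.0.0.255 192.168.2.0 0.0.0.255"""
NAT_FIXED = """
 deny   ip 192.168.75.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 192.168.75.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.100.100.0 0.0.0.255 any
 permit ip 192.168.75.0 0.0.0.255 any
 deny   ip 10.100.100.0 0.0.0.255 192.168.2.0 0.0.0.255"""
VPN_TUNNEL = """
 permit ip 192.168.75.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.75.0 0.0.0.255 192.168.2.0 0.0.0.255"""
PIX_NONAT = """
access-list NONAT permit ip 192.168.0.0 255.255.255.0 10.100.100.0 255.255.255.0
access-list NONAT permit ip any 10.100.100.0 255.255.255.192
access-list NONAT permit ip 192.168.0.0 255.255.255.0 Oesa_Kmit 255.255.255.0
access-list NONAT permit ip 192.168.2.0 255.255.255.0 Oesa_Kmit 255.255.255.0
access-list NONAT permit ip 192.168.2.0 255.255.255.0 10.100.100.0 255.255.255.0"""
PIX_CRYPTO = """
access-list outside_cryptomap_250 permit ip 192.168.0.0 255.255.255.0 Oesa_Kmit 255.255.255.0
access-list outside_cryptomap_250 remark Oesa_Kmit
access-list outside_cryptomap_250 permit ip 192.168.2.0 255.255.255.0 Oesa_Kmit 255.255.255.0"""

def evaluate(nat_text, host="192.168.75.10"):
    """Constructed remote host via the 1841 with this NAT ACL, PIX reply handling, mirror check."""
    nat, vpn = parse_acl(nat_text), parse_acl(VPN_TUNNEL)
    nonat = parse_acl(PIX_NONAT, PIX_NAMES, wildcard=False)
    pixc = parse_acl(PIX_CRYPTO, PIX_NAMES, wildcard=False)
    return {"outbound": {dst: router_1841_path(nat, vpn, host, dst)
                         for dst in ("192.168.0.10", "192.168.2.10", "12.127.17.72")},
            "replies": {src: pix_path(nonat, pixc, src, host)
                        for src in ("192.168.0.10", "192.168.2.10")},
            "mirror": is_mirror(vpn, pixc)}

if __name__ == "__main__":
    print("original:", evaluate(NAT_ORIGINAL), "\nreordered:", evaluate(NAT_FIXED))
```

Run as a script, it prints the classification under the original and the reordered NAT list. With the original order, traffic to 192.168.2.0/24 comes out as cleartext: the 'permit ip 192.168.75.0 0.0.0.255 any' entry is hit first, the packet is PATed to 26.17.14.206, and the crypto ACL no longer sees a 192.168.75.0 source; traffic to 192.168.0.0/24 is denied from NAT by the first entry and is encrypted, which matches what the question reports. Two caveats the model makes visible: the two 10.100.100.0 entries in the NAT list never match at the remote site in either order, since nothing there sources from that range (it is the PIX's VPN client pool), so the one left below the permits in the answer is dead rather than harmful; and the model covers ACL selection only, not routing, so it does not check that the router at 192.168.0.101 (the PIX's next hop for 192.168.2.0/24) sends 192.168.75.0/24 back to the PIX at 192.168.0.1. On the real 1841, after reordering the list, 'clear ip nat translation *' removes translations already built for 192.168.2.0 destinations, and 'show crypto ipsec sa' should then show a second SA pair with 192.168.2.0/24 as the remote identity. Separately, the 1841 config as posted exposes its ISAKMP pre-shared key and an RW SNMP community string in clear text in a public thread; both should be rotated.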
Author Closing Comment by: reliantit

Exactly what I needed!!! Thanks so much!