Solved

Issue with Cisco VPN Client and Point to Point T1

Posted on 2009-07-09
374 Views
Last Modified: 2012-05-07
Basically we have 2 offices, each connected by a Point-to-Point T1. There are no problems pinging from one office to another. At each office we have a PIX to VPN into. However, when someone VPNs into one office, they cannot go across the point-to-point link to get to the other office. Is there any way I can get this to work? Thanks in advance; I have posted the configs for one site and a little network diagram.

Site A PIX 515                             Site B PIX 506e
      |                                          |
Site A Cisco Router ------- P2P T1 ------- Site B Cisco Router
      |                                          |
Site A LAN (10.0.1.0/24)                   Site B LAN (10.5.1.0/24)
           (10.0.100.0/24)
**************ROUTER_CONFIG*****************************
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2611ROUTER
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxx
enable password xxx
!
no aaa new-model
ip subnet-zero
ip cef
!
ip domain name .com
ip dhcp excluded-address 10.5.1.44
ip dhcp excluded-address 10.5.1.1 10.5.1.100
ip dhcp excluded-address 10.5.1.196 10.5.1.199
!
ip dhcp pool clients
   network 10.5.1.0 255.255.255.0
   default-router 10.5.1.1
   domain-name .com
   dns-server 10.5.1.55 10.0.1.89
   netbios-name-server 10.5.1.55 10.0.1.89
   netbios-node-type h-node
   option 42 ip 192.5.41.209
   option 150 ip 10.0.100.1
!
ip audit po max-events 100
!
username xxx privilege 15 secret 5 xxx
!
!
controller T1 0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
 description SBC 86HCGS667489
!
controller T1 0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
!
ip ssh time-out 60
ip ssh authentication-retries 5
!
!
interface Ethernet0/0
 description Internal Network
 ip address 10.5.1.1 255.255.255.0
 half-duplex
!
interface Serial0/0:0
 ip address 10.99.99.2 255.255.255.252
 encapsulation ppp
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Serial0/1:0
 no ip address
 encapsulation ppp
 shutdown
!
interface Serial0/2
 no ip address
 encapsulation ppp
 shutdown
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.5.1.2
ip route 10.0.0.0 255.255.0.0 10.99.99.1
ip route 10.100.0.0 255.255.0.0 10.99.99.1
ip route 192.168.70.0 255.255.255.0 10.99.99.1
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password xxx
 login local
 transport input ssh
line vty 5 15
 password xxx
 login
 transport input ssh
!
ntp clock-period 17180144
ntp server 192.5.41.209
!
end
****************************************

**********************PIX CONFIG******************
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname PIX506e
domain-name .com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name x.x.x.16 PIX_Outside
name x.x.x.1 Sonic_Gateway
name 10.5.1.1 PIX_Inside
name y.y.y.17 SWMS_Outside
name y.y.y.18 CPSUPPORT_Outside
name 10.5.1.56 CPSUPPORT_Inside
name 10.5.1.55 SWMS_Inside
name 10.5.1.69 SWMS2
name y.y.y.19 CLserver
name 10.5.1.44 CLinside
object-group network og_ip_nat_clients
  network-object 10.5.1.0 255.255.255.0
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any
access-list outside_access_in remark Allow HTTP traffic to SWMS
access-list outside_access_in permit tcp any host SWMS_Outside eq www
access-list outside_access_in permit tcp any host CPSUPPORT_Outside eq www
access-list outside_access_in permit tcp host .... interface outside eq ftp
access-list outside_access_in permit tcp host .... interface outside eq 1433
access-list outside_access_in permit tcp any host CLserver eq ssh
access-list nonat permit ip 10.5.1.0 255.255.255.0 10.0.100.0 255.255.255.0
access-list nonat permit ip 10.5.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list splittunnel permit ip 10.5.1.0 255.255.255.0 10.11.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside PIXOutside 255.255.255.0
ip address inside 10.5.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ipsec-pool 10.11.1.100-10.11.1.200 mask 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.5.1.0 255.255.255.0 0 0
static (inside,outside) SWMS_Outside SWMS_Inside netmask 255.255.255.255 0 0
static (inside,outside) CPSUPPORT_Outside CPSUPPORT_Inside netmask 255.255.255.255 0 0
static (inside,outside) CLserver CLinside netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 Sonic_Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.5.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto dynamic-map dynamicmap 11 set transform-set vpnclient
crypto map warehousemap 99 ipsec-isakmp dynamic dynamicmap
crypto map warehousemap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup warehouse address-pool ipsec-pool
vpngroup warehouse dns-server SWMS_Inside
vpngroup warehouse default-domain .com
vpngroup warehouse split-tunnel splittunnel
vpngroup warehouse idle-time 1800
vpngroup warehouse password ***
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.9.0.9 255.255.255.255 inside
ssh 10.5.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.5.1.100-10.5.1.200 inside
dhcpd dns SWMS_Inside 10.0.1.89
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain .com
dhcpd auto_config outside
dhcpd option 150 ip 10.0.100.1
dhcpd option 3 ip PIX_Inside
username xxx password xxx encrypted privilege 15
terminal width 80
banner exec Enter your password carefully
banner login Enter your password to login
banner motd Think on These Things
********************************************

0
Question by:sycomp
4 Comments
 
LVL 5

Expert Comment

by:oalva
OK, from what I see, your VPN clients get 10.11.1.x, but on your router there is no route back to that network over the point-to-point.
0
 
LVL 8

Expert Comment

by:pgolding00
Along the same lines, aren't both PIXs missing routes for the opposite site?
0
 
LVL 79

Accepted Solution

by:lrmoore (earned 500 total points)
You only posted the configs for one side, but generally, here's what you need.

Site A
On the PIX 515, add a static route to 10.11.1.0 pointing to the local router:
 route inside 10.11.1.0 255.255.255.0 <router address>

Also, include 10.5.1.0/24 in the split-tunnel ACL.
On the router, make sure you have a route to the VPN client subnet pointing across the T1:
 ip route 10.11.1.0 255.255.255.0 10.99.99.2

Make sure you reverse the process on Site B:
PIX
 route inside 10.0.1.0 255.255.255.0 10.5.1.x
 route inside 10.0.100.0 255.255.255.0 10.5.1.x
 route inside 10.x.x.x 255.255.255.0 10.5.1.x  <== 515 side VPN tunnel pool
 access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
 access-list splittunnel permit ip 10.0.0.0 255.255.0.0 10.0.0.0 255.0.0.0

On the router, make sure you have a route to the VPN pool of the PIX 515:
 ip route 10.x.x.0 255.255.255.0 10.99.99.1
0
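The routing logic behind the accepted answer, replayed as an added example that is not part of the original thread or of the Cisco configs above. It transcribes the Site B router and PIX tables from the posted configs, applies longest-prefix match, and shows where a VPN client's packet to Site A ends up as posted, with only the split-tunnel fix, and with both fixes. Assumptions: the PIX outside subnet and gateway are redacted on the page, so next hops are plain strings and the posted name Sonic_Gateway stands in; the answer's "10.5.1.x" is taken as 10.5.1.1, the router's Ethernet0/0 address in the posted config; Site A's configs were never posted and are not modelled.

```python
"""Replay of the routing decisions in this thread (added example, not from
the original post or the Cisco configs).  Tables are transcribed from the
posted Site B configs; Site A's configs were never posted and are not
modelled.  Assumptions: the Site B PIX outside subnet is redacted on the
page (x.x.x.0/24), so next hops are kept as strings and the PIX default
gateway is the posted name 'Sonic_Gateway'; the answer's '10.5.1.x' is
taken to be 10.5.1.1, the router's Ethernet0/0 address in the posted config."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Route = Tuple[str, str, str]        # (prefix, interface, next hop)
Hop = Tuple[str, str, str]          # (device, interface, next hop)


def lookup(table: Iterable[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match: the most specific prefix covering dst wins."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str, str]] = None
    for prefix, iface, nh in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    return None if best is None else (best[1], best[2])


# Site B 2611: connected subnets plus the four 'ip route' lines as posted.
ROUTER_B: List[Route] = [
    ("10.5.1.0/24", "Ethernet0/0", "connected"),
    ("10.99.99.0/30", "Serial0/0:0", "connected"),
    ("0.0.0.0/0", "Ethernet0/0", "10.5.1.2"),       # default -> PIX inside
    ("10.0.0.0/16", "Serial0/0:0", "10.99.99.1"),   # Site A, across the T1
    ("10.100.0.0/16", "Serial0/0:0", "10.99.99.1"),
    ("192.168.70.0/24", "Serial0/0:0", "10.99.99.1"),
]

# Site B PIX 506e as posted: one connected subnet and a default route out
# the outside interface.  VPN clients terminate here with 10.11.1.x.
PIX_B: List[Route] = [
    ("10.5.1.0/24", "inside", "connected"),
    ("0.0.0.0/0", "outside", "Sonic_Gateway"),
]

# The accepted answer's Site B routes, with "10.5.1.x" filled in as 10.5.1.1
# (assumption: the router's Ethernet0/0 address from the posted config).
PIX_B_FIXED: List[Route] = PIX_B + [
    ("10.0.1.0/24", "inside", "10.5.1.1"),
    ("10.0.100.0/24", "inside", "10.5.1.1"),
]

# Split-tunnel ACL entries as (protected network, client pool).  The client
# only encrypts traffic whose destination is inside a protected network.
SPLIT_B = [("10.5.1.0/24", "10.11.1.0/24")]                    # as posted
SPLIT_B_FIXED = SPLIT_B + [("10.0.1.0/24", "10.11.1.0/24"),    # answer's
                           ("10.0.100.0/24", "10.11.1.0/24")]  # additions


def tunnelled(split_acl: Iterable[Tuple[str, str]], dst: str) -> bool:
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(p) for p, _pool in split_acl)


def trace_from_vpn_client(dst: str, split_acl, pix: List[Route],
                          router: List[Route] = ROUTER_B) -> List[Hop]:
    """Next-hop decisions for a packet from a Site B VPN client to dst.
    Stops as soon as the packet leaves the PIX/router pair modelled here."""
    if not tunnelled(split_acl, dst):
        return [("client", "physical", "not in split-tunnel ACL: sent in the clear")]
    hit = lookup(pix, dst)
    if hit is None:
        return [("PIX506e", "-", "no route: dropped")]
    hops: List[Hop] = [("PIX506e", hit[0], hit[1])]
    if hit[1] != "10.5.1.1":          # stayed on the LAN or went out the outside
        return hops
    hit = lookup(router, dst)
    hops.append(("2611ROUTER", "-", "no route: dropped") if hit is None
                else ("2611ROUTER", hit[0], hit[1]))
    return hops


if __name__ == "__main__":
    for label, acl, pix in (("as posted", SPLIT_B, PIX_B),
                            ("split-tunnel fixed only", SPLIT_B_FIXED, PIX_B),
                            ("both fixes", SPLIT_B_FIXED, PIX_B_FIXED)):
        print(label, "->", trace_from_vpn_client("10.0.1.10", acl, pix))
    # Return traffic: the router's default route already hands 10.11.1.x
    # back to the PIX, so Site B needs no extra router route for the pool.
    print("router B to 10.11.1.100 ->", lookup(ROUTER_B, "10.11.1.100"))
```

Running it shows two independent reasons the packet never crosses the T1: the posted split-tunnel ACL only covers 10.5.1.0/24, so the client sends Site A traffic in the clear rather than into the tunnel, and even once it is tunnelled the PIX's only route hands it to Sonic_Gateway on the outside interface. Both parts of the answer are needed. The Site B router already works for return traffic because its default route points at the PIX; it is Site A's router, whose config is not posted, that needs the "ip route 10.11.1.0 255.255.255.0 10.99.99.2" the answer gives. Separate from the routing problem but visible in the posted PIX config, "ssh 0.0.0.0 0.0.0.0 outside", "snmp-server community public", the unrestricted "permit icmp any any" and the DES/MD5 transform set are worth tightening once the tunnel works.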
 

Author Closing Comment

by:sycomp
Thank you! I overlooked the fact that the VPN clients are on a different subnet.
0
