Solved

Issue with Cisco VPN Client and Point to Point T1

Posted on 2009-07-09
Last Modified: 2012-05-07
Basically we have 2 offices, each connected by a Point-to-Point T1. There are no problems pinging from one office to another. At each office we have a PIX to VPN into. However, when someone VPNs into one office, they cannot go across the point-to-point link to get to the other office. Is there any way I can get this function to work? Thanks in advance; I have posted configs for one site and a little network diagram.

         |                                             |
  Site A PIX 515                                Site B PIX 506e
         |                                             |
         |                    P2P T1                   |
Site A Cisco Router---------------------------Site B Cisco Router
         |                                             |
         |                                             |
Site A LAN (10.0.1.0/24)                      Site B LAN (10.5.1.0/24)
           (10.0.100.0/24)
**************ROUTER_CONFIG*****************************
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2611ROUTER
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxx
enable password xxx
!
no aaa new-model
ip subnet-zero
ip cef
!
ip domain name .com
ip dhcp excluded-address 10.5.1.44
ip dhcp excluded-address 10.5.1.1 10.5.1.100
ip dhcp excluded-address 10.5.1.196 10.5.1.199
!
ip dhcp pool clients
   network 10.5.1.0 255.255.255.0
   default-router 10.5.1.1 
   domain-name .com
   dns-server 10.5.1.55 10.0.1.89 
   netbios-name-server 10.5.1.55 10.0.1.89 
   netbios-node-type h-node
   option 42 ip 192.5.41.209 
   option 150 ip 10.0.100.1 
!
ip audit po max-events 100
!
username xxx privilege 15 secret 5 xxx
!
!
controller T1 0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
 description SBC 86HCGS667489
!
controller T1 0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
!
ip ssh time-out 60
ip ssh authentication-retries 5
! 
!
interface Ethernet0/0
 description Internal Network
 ip address 10.5.1.1 255.255.255.0
 half-duplex
!
interface Serial0/0:0
 ip address 10.99.99.2 255.255.255.252
 encapsulation ppp
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Serial0/1:0
 no ip address
 encapsulation ppp
 shutdown
!
interface Serial0/2
 no ip address
 encapsulation ppp
 shutdown
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.5.1.2
ip route 10.0.0.0 255.255.0.0 10.99.99.1
ip route 10.100.0.0 255.255.0.0 10.99.99.1
ip route 192.168.70.0 255.255.255.0 10.99.99.1
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password xxx
 login local
 transport input ssh
line vty 5 15
 password xxx
 login
 transport input ssh
!
ntp clock-period 17180144
ntp server 192.5.41.209
!
end
****************************************
**********************PIX CONFIG******************
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname PIX506e
domain-name .com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name x.x.x.16 PIX_Outside
name x.x.x.1 Sonic_Gateway
name 10.5.1.1 PIX_Inside
name y.y.y.17 SWMS_Outside
name y.y.y.18 CPSUPPORT_Outside
name 10.5.1.56 CPSUPPORT_Inside
name 10.5.1.55 SWMS_Inside
name 10.5.1.69 SWMS2
name y.y.y.19 CLserver
name 10.5.1.44 CLinside
object-group network og_ip_nat_clients 
  network-object 10.5.1.0 255.255.255.0 
access-list outside_access_in permit icmp any any echo-reply 
access-list outside_access_in permit icmp any any 
access-list outside_access_in remark Allow HTTP traffic to SWMS
access-list outside_access_in permit tcp any host SWMS_Outside eq www 
access-list outside_access_in permit tcp any host CPSUPPORT_Outside eq www 
access-list outside_access_in permit tcp host .... interface outside eq ftp 
access-list outside_access_in permit tcp host .... interface outside eq 1433 
access-list outside_access_in permit tcp any host CLserver eq ssh 
access-list nonat permit ip 10.5.1.0 255.255.255.0 10.0.100.0 255.255.255.0 
access-list nonat permit ip 10.5.1.0 255.255.255.0 10.0.1.0 255.255.255.0 
access-list splittunnel permit ip 10.5.1.0 255.255.255.0 10.11.1.0 255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside PIX_Outside 255.255.255.0
ip address inside 10.5.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ipsec-pool 10.11.1.100-10.11.1.200 mask 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.5.1.0 255.255.255.0 0 0
static (inside,outside) SWMS_Outside SWMS_Inside netmask 255.255.255.255 0 0 
static (inside,outside) CPSUPPORT_Outside CPSUPPORT_Inside netmask 255.255.255.255 0 0 
static (inside,outside) CLserver CLinside netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 Sonic_Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http 10.5.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac 
crypto dynamic-map dynamicmap 11 set transform-set vpnclient
crypto map warehousemap 99 ipsec-isakmp dynamic dynamicmap
crypto map warehousemap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup warehouse address-pool ipsec-pool
vpngroup warehouse dns-server SWMS_Inside
vpngroup warehouse default-domain .com
vpngroup warehouse split-tunnel splittunnel
vpngroup warehouse idle-time 1800
vpngroup warehouse password ***
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.9.0.9 255.255.255.255 inside
ssh 10.5.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.5.1.100-10.5.1.200 inside
dhcpd dns SWMS_Inside 10.0.1.89
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain .com
dhcpd auto_config outside
dhcpd option 150 ip 10.0.100.1
dhcpd option 3 ip PIX_Inside
username xxx password xxx encrypted privilege 15
terminal width 80
banner exec Enter your password carefully
banner login Enter your password to login
banner motd Think on These Things
********************************************

Question by:sycomp
4 Comments
 
LVL 5

Expert Comment

by:oalva
ID: 24818273
OK, from what I see your VPN clients get 10.11.1.x, but on your router there is no route back to that network over the point-to-point.
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 24821005
Along the same lines, aren't both PIXs missing routes for the opposite site?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 24823520
You only posted the configs on one side, but generally, here's what you need.

Site A
On the PIX 515, add a static route to 10.11.1.0 to the local router:
 route inside 10.11.1.0 255.255.255.0 <router address>

Also, include 10.5.1.0 /24 in the split-tunnel ACL.
On the router, make sure you have a route to the VPN client subnet pointing across the T1:
 ip route 10.11.1.0 255.255.255.0 10.99.99.2

Make sure you reverse the process on Site B:
PIX
 route inside 10.0.1.0 255.255.255.0 10.5.1.x
 route inside 10.0.100.0 255.255.255.0 10.5.1.x
 route inside 10.x.x.x 255.255.255.0 10.5.1.x  <== 515 side VPN tunnel pool
 access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
 access-list splittunnel permit ip 10.0.0.0 255.255.0.0 10.0.0.0 255.0.0.0

On the router, make sure you have a route to the VPN pool of the PIX 515:
 ip route 10.x.x.0 255.255.255.0 10.99.99.1
0
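To see why the accepted answer works, it helps to walk a packet through each device's route table the way the devices do (longest-prefix match, hop by hop) and to check what the split-tunnel ACL makes the client send into the tunnel. The following is an added example written for this page, not code from the thread or from Cisco. The Site B PIX and router tables are transcribed from the configs posted above; the Site A router table is an assumption (only one site's configs were posted) and is labelled as such, and the next-hop labels, the hypothetical `trace`/`lookup`/`apply_accepted_answer` helpers, and the choice of 10.5.1.1 for the "10.5.1.x" placeholder in the answer are mine.

```python
"""Hop-by-hop route lookup for the VPN-client traffic in this question.

Added example (not from the thread). The Site B PIX and router tables are
transcribed from the posted configs; the Site A router table is ASSUMED,
since only one site's configs were posted. Next hops are plain labels.
"""
from copy import deepcopy
from ipaddress import ip_address, ip_network

# Route tables: list of (prefix, next_hop). Connected/tunnel interfaces are labels.
DEVICES = {
    "site_b_pix": [                                   # PIX 506e, from the posted config
        ("0.0.0.0/0", "Sonic_Gateway (outside, Internet)"),
        ("10.5.1.0/24", "inside: connected"),
        ("10.11.1.0/24", "outside: IPsec tunnel to client"),  # ipsec-pool
    ],
    "site_b_router": [                                # 2611ROUTER, from the posted config
        ("0.0.0.0/0", "10.5.1.2"),                    # the PIX inside address
        ("10.0.0.0/16", "10.99.99.1"),                # Site A, across the T1
        ("10.100.0.0/16", "10.99.99.1"),
        ("192.168.70.0/24", "10.99.99.1"),
        ("10.5.1.0/24", "Ethernet0/0: connected"),
        ("10.99.99.0/30", "Serial0/0:0: connected"),
    ],
    "site_a_router": [                                # ASSUMED mirror of Site B (not posted)
        ("0.0.0.0/0", "Site A PIX inside"),
        ("10.5.0.0/16", "10.99.99.2"),
        ("10.0.1.0/24", "Site A LAN: connected"),
        ("10.99.99.0/30", "Serial: connected"),
    ],
}
# Which device owns each next-hop address (from the diagram and configs).
ADJACENT = {"10.5.1.2": "site_b_pix", "10.5.1.1": "site_b_router",
            "10.99.99.1": "site_a_router", "10.99.99.2": "site_b_router"}


def lookup(table, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(start, dst, devices=DEVICES, max_hops=8):
    """Follow dst from device `start` until it is delivered, dropped or leaves the diagram.
    Returns [(device, matched_prefix, next_hop), ...]."""
    path, dev = [], start
    for _ in range(max_hops):
        match = lookup(devices[dev], dst)
        if match is None:
            path.append((dev, None, "no route: dropped"))
            break
        net, next_hop = match
        path.append((dev, str(net), next_hop))
        if next_hop not in ADJACENT:      # connected interface, tunnel, or off-diagram
            break
        dev = ADJACENT[next_hop]
    return path


def apply_accepted_answer(devices=DEVICES):
    """Copy of the tables plus the routes the accepted answer adds: on the Site B PIX,
    routes for the Site A networks toward the local router (10.5.1.1 assumed for
    '10.5.1.x'); on the Site A router, a route to the Site B VPN pool across the T1."""
    fixed = deepcopy(devices)
    fixed["site_b_pix"] += [("10.0.1.0/24", "10.5.1.1"), ("10.0.100.0/24", "10.5.1.1")]
    fixed["site_a_router"].append(("10.11.1.0/24", "10.99.99.2"))
    return fixed


# Split tunnel: the source side of access-list splittunnel is what the client tunnels.
def tunneled(dst, protected):
    return any(ip_address(dst) in ip_network(p) for p in protected)


POSTED_SPLIT = ["10.5.1.0/24"]                   # from the posted PIX config
FIXED_SPLIT = ["10.5.1.0/24", "10.0.0.0/16"]     # per the accepted answer for Site B

if __name__ == "__main__":
    for label, tables in (("posted", DEVICES), ("fixed", apply_accepted_answer())):
        print(f"[{label}] client 10.11.1.100 -> 10.0.1.89, starting at the Site B PIX:")
        for hop in trace("site_b_pix", "10.0.1.89", tables):
            print("   ", hop)
        print(f"[{label}] reply 10.0.1.89 -> 10.11.1.100, starting at the Site A router:")
        for hop in trace("site_a_router", "10.11.1.100", tables):
            print("   ", hop)
    print("client tunnels 10.0.1.89 with posted split ACL:", tunneled("10.0.1.89", POSTED_SPLIT))
    print("client tunnels 10.0.1.89 with fixed split ACL: ", tunneled("10.0.1.89", FIXED_SPLIT))
```

With the posted tables the forward packet never leaves the PIX toward the T1 (its only matching route is the default out the outside interface), and the reply at the Site A router falls through to its default route instead of the T1; after the answer's routes are added, both directions traverse PIX, router, router in order. The split-tunnel check shows the other half of the problem: with only 10.5.1.0/24 in the ACL the client does not send 10.0.1.x traffic into the tunnel at all, so the PIX routes alone would not be enough.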
 

Author Closing Comment

by:sycomp
ID: 31604444
Thank you! I overlooked the fact that the VPN clients are on a different subnet.
0
