?
Solved

Can a remote client (Network C) VPN intothrough router a Pix (Network A) and access Network B

Posted on 2010-01-04
2
Medium Priority
?
400 Views
Last Modified: 2012-05-08
Can a remote client (Network C) VPN into a Pix (Network A) and access network b

Network A = Local LAN 10.100.100.0
Network B  Remote LAN 10.200.200.0
Networks A and B connected by 1700 routers
Have a PIX 501 on network A for internet


I can ping network B from the Pix inside interface (network A)
I can NOT access anything from network B when connected to the VPN (Network C)
Internet and Network A access works with the default gateway being the router through the VPN

Heres the configs

1700 Router


interface FastEthernet0
 description XXXXXXX - XXXXXX
 ip address 10.100.100.254 255.255.255.0
 ip broadcast-address 10.100.100.255
 ip helper-address 10.200.200.1
 no ip mroute-cache
 speed 100
 full-duplex
!
interface Serial0
 description To XXXXXXXXX
 bandwidth 56
 ip address 10.250.250.38 255.255.255.252
 no ip mroute-cache
 fair-queue
!
router eigrp 100
 network 10.0.0.0
 auto-summary
 no eigrp log-neighbor-changes
!
no ip classless
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 10.100.100.252
no ip http server
!
logging 10.200.200.1
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 deny   any
snmp-server community reymon RO


PIX




fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 10.100.100.0 255.255.255.0 10.0.0.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.0 255.255.255.224
access-list outside_cryptomap_dyn_40 permit ip any 10.0.0.0 255.255.255.224
access-list 101 permit ip 10.100.100.0 255.255.255.0 10.0.0.0 255.255.255.224
ip local pool RemoteVPN 10.0.0.10-10.0.0.20
pdm location 0.0.0.0 0.0.0.0 inside
pdm location 10.100.100.0 255.255.255.0 inside
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
route inside 10.200.200.0 255.255.255.0 10.100.100.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNClient address-pool RemoteVPN
vpngroup VPNClient dns-server 4.2.2.1 4.2.2.2
vpngroup VPNClient split-tunnel 101
vpngroup VPNClient idle-time 1800
0
Comment
Question by:williaj2
2 Comments
 
LVL 22

Accepted Solution

by:
Jody Lemoine earned 2000 total points
ID: 26170241
Unfortunately, this isn't going to work on the PIX.  What you're trying to do is have the device route traffic from a VPN tunnel out across another VPN tunnel on the same interface.  The PIX 501 just doesn't have this capability.  If you reversed the roles and had the 1700 as your hub, this wouldn't be a problem though.  The 1700 is a router and can handle this sort of thing where the PIX can't.
0
 
LVL 13

Expert Comment

by:3nerds
ID: 26172803
Just a quick question here as i am coming to the same conclusion as Jody but I figured it would be easier to ask a couple of questions.

Network setup:

Network B (1700) ----> Network A (1700)--->(ASA)---> Internet (VPN) ---> Network C (1700)

What type of connection is between the 1700 at network connection A and the 1700 at Network B? Alos if this drawing is inaccurate please update it.

Regards,

3nerds
0

Featured Post

How to change the world, one degree at a time.

By embracing technology, we can solve even the biggest problems—including the gender gap.  By earning a degree from WGU, you have an opportunity to gain the knowledge, credentials, and experience it takes to thrive in today’s high-growth IT industry.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question