Solved

Cisco PIX VPN route issue - multiple subnets

Posted on 2010-08-21
598 Views
Last Modified: 2012-05-10
Hi Experts,

I've got a problem that I'm trying to work out and I'm stuck.

I have a working VPN tunnel between Office A and Office B.

Office A-net is x.x.30.0/24 and Office B-net is x.x.31.0/24

At both offices, there is an out-of-band set of addresses for remote access to the hardware that I'd like to have transit over the VPN tunnel as well.  These are on the same physical devices and there is no VLAN in operation.

These are A-net-oob = x.x.32.0/24 and B-net-oob = x.x.33.0/24.

Currently I'm trying to get A-net to speak to B-net-oob over the VPN tunnel (remember A-net speaks to B-net just fine).  I can ping the out-of-band addresses inside the same segment so I know that it will respond if it gets a request.

Office PIX-A:
! Don't NAT these
access-list inside_outbound_nat0_acl permit ip A-net 255.255.255.0 B-net 255.255.255.0
access-list inside_outbound_nat0_acl permit ip A-net 255.255.255.0 B-net-oob 255.255.255.0
! These are going from here to Office B
access-list outside_cryptomap_20 permit ip A-net 255.255.255.0 B-net 255.255.255.0
access-list outside_cryptomap_20 permit ip A-net 255.255.255.0 B-net-oob 255.255.255.0
! Showing I'm using the "outside_cryptomap_20" ACL for selection
crypto map outside_map 20 match address outside_cryptomap_20

Office PIX-B:
! Don't NAT these
access-list inside_outbound_nat0_acl permit ip B-net 255.255.255.0 A-net 255.255.255.0
access-list inside_outbound_nat0_acl permit ip B-net 255.255.255.0 A-net-oob 255.255.255.0
! These are going from here to Office A
access-list outside_cryptomap_20 permit ip B-net 255.255.255.0 A-net 255.255.255.0
access-list outside_cryptomap_20 permit ip B-net 255.255.255.0 A-net-oob 255.255.255.0
! Showing I'm using the "outside_cryptomap_20" ACL for selection
crypto map outside_map 20 match address outside_cryptomap_20

I can turn on debug icmp trace on both PIXes and when I ping an address from A-net to B-net I can see the trace on both PIXes.  However, when I ping from A-net to B-net-oob I only see the ping request on PIX-A and not on PIX-B.  No responses at all.  Traffic for B-net-oob does not appear to be going over to PIX-B.

Of note:  If the crypto map statement for B-net-oob is removed from PIX-A, then I get a traceroute that goes off into the internet someplace and gets lost (appropriately, it's not supposed to be routable).  When I put the statement back in, I get solid timeouts.  This means to me that the crypto map is capturing the traffic to send over the VPN, but it's failing or not going or some such thing.  I can't see anything beyond what the icmp trace showed even if I turn on the most liberal packet tracing.  The debug crypto statements don't show much at all (other traffic makes it tough to determine that it's nothing, but I don't see anything that I can identify).

I'm hoping you experts can help me through this thing.  I need to be able to access the Office B out-of-band addresses from Office A (and vice-versa).

-greg
0
Question by:OuttaCyTE
6 Comments
 
LVL 18

Accepted Solution

by:
jmeggers earned 500 total points
ID: 33495414
I think you need to include A-net-oob and B-net-oob to the other destinations as do not NAT.  So:

Office PIX-A:
! Don't NAT these
access-list inside_outbound_nat0_acl permit ip A-net 255.255.255.0 B-net 255.255.255.0
access-list inside_outbound_nat0_acl permit ip A-net 255.255.255.0 B-net-oob 255.255.255.0

Add:
access-list inside_outbound_nat0_acl permit ip A-net-oob 255.255.255.0 B-net 255.255.255.0
access-list inside_outbound_nat0_acl permit ip A-net-oob 255.255.255.0 B-net-oob 255.255.255.0


! These are going from here to Office B
access-list outside_cryptomap_20 permit ip A-net 255.255.255.0 B-net 255.255.255.0
access-list outside_cryptomap_20 permit ip A-net 255.255.255.0 B-net-oob 255.255.255.0

Add:
access-list outside_cryptomap_20 permit ip A-net-oob 255.255.255.0 B-net 255.255.255.0
access-list outside_cryptomap_20 permit ip A-net-oob 255.255.255.0 B-net-oob 255.255.255.0


Office PIX-B:
! Don't NAT these
access-list inside_outbound_nat0_acl permit ip B-net 255.255.255.0 A-net 255.255.255.0
access-list inside_outbound_nat0_acl permit ip B-net 255.255.255.0 A-net-oob 255.255.255.0

Add:
access-list inside_outbound_nat0_acl permit ip B-net-oob 255.255.255.0 A-net 255.255.255.0
access-list inside_outbound_nat0_acl permit ip B-net-oob 255.255.255.0 A-net-oob 255.255.255.0


! These are going from here to Office A
access-list outside_cryptomap_20 permit ip B-net 255.255.255.0 A-net 255.255.255.0
access-list outside_cryptomap_20 permit ip B-net 255.255.255.0 A-net-oob 255.255.255.0

Add:
access-list outside_cryptomap_20 permit ip B-net-oob 255.255.255.0 A-net 255.255.255.0
access-list outside_cryptomap_20 permit ip B-net-oob 255.255.255.0 A-net-oob 255.255.255.0

Let me know if this helps.





0
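Added illustration, not part of the thread and not anything the PIX itself runs: the script below models the rule jmeggers' answer relies on, namely that the crypto map ACL on one peer must be the mirror image of the ACL on the other peer, because the two sides compare the source/destination pairs (the proxy identities) when they negotiate the IPsec SA. It parses the access-list lines from the question, reports which entries on PIX-A have no mirror on PIX-B, and shows that A-net to B-net-oob is only selected for the tunnel once the B-net-oob lines from the accepted answer are present on PIX-B. The addresses 10.0.30.0/24 through 10.0.33.0/24 are constructed stand-ins for the x.x.30.0/24 through x.x.33.0/24 networks in the question.

```python
import ipaddress

# Constructed stand-ins for the thread's x.x.30.0/24 ... x.x.33.0/24 networks (assumption).
A_NET, B_NET = "10.0.30.0", "10.0.31.0"
A_NET_OOB, B_NET_OOB = "10.0.32.0", "10.0.33.0"
M = "255.255.255.0"

# The crypto map ACLs exactly as the question lists them, with the placeholders filled in.
PIX_A_CRYPTO = [
    f"access-list outside_cryptomap_20 permit ip {A_NET} {M} {B_NET} {M}",
    f"access-list outside_cryptomap_20 permit ip {A_NET} {M} {B_NET_OOB} {M}",
]
PIX_B_CRYPTO = [
    f"access-list outside_cryptomap_20 permit ip {B_NET} {M} {A_NET} {M}",
    f"access-list outside_cryptomap_20 permit ip {B_NET} {M} {A_NET_OOB} {M}",
]
# PIX-B with the two B-net-oob lines from the accepted answer added.
PIX_B_CRYPTO_FIXED = PIX_B_CRYPTO + [
    f"access-list outside_cryptomap_20 permit ip {B_NET_OOB} {M} {A_NET} {M}",
    f"access-list outside_cryptomap_20 permit ip {B_NET_OOB} {M} {A_NET_OOB} {M}",
]


def parse_acl(lines):
    """Turn 'access-list NAME permit ip SRC MASK DST MASK' lines into (src, dst) networks."""
    entries = []
    for line in lines:
        p = line.split()
        if len(p) != 8 or p[0] != "access-list" or p[2:4] != ["permit", "ip"]:
            continue  # only the plain permit-ip form used in the thread is modelled
        entries.append((ipaddress.ip_network(f"{p[4]}/{p[5]}"),
                        ipaddress.ip_network(f"{p[6]}/{p[7]}")))
    return entries


def selecting_entry(acl, src_ip, dst_ip):
    """First ACE whose source and destination networks both contain the flow, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for s, d in acl:
        if src in s and dst in d:
            return (s, d)
    return None


def tunnel_ok(local_acl, peer_acl, src_ip, dst_ip):
    """True when the local crypto ACL selects the flow AND the peer holds the mirror
    image of that ACE, which is what makes the two sides' proxy identities agree."""
    ace = selecting_entry(local_acl, src_ip, dst_ip)
    if ace is None:
        return False  # not "interesting" traffic: it is routed in the clear
    s, d = ace
    return (d, s) in peer_acl


def missing_mirrors(local_acl, peer_acl):
    """ACEs on this side whose mirror image is absent on the peer: the lines to add there."""
    return [(s, d) for s, d in local_acl if (d, s) not in peer_acl]


def report():
    """Evaluate the flows the question describes against the before/after PIX-B ACLs."""
    a = parse_acl(PIX_A_CRYPTO)
    b_before, b_after = parse_acl(PIX_B_CRYPTO), parse_acl(PIX_B_CRYPTO_FIXED)
    return {
        "a_to_b_before": tunnel_ok(a, b_before, "10.0.30.10", "10.0.31.10"),
        "a_to_b_oob_before": tunnel_ok(a, b_before, "10.0.30.10", "10.0.33.10"),
        "a_to_b_oob_after": tunnel_ok(a, b_after, "10.0.30.10", "10.0.33.10"),
        "missing_on_b": [f"{s} -> {d}" for s, d in missing_mirrors(a, b_before)],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

The same mirror check applies to the nat0 (NAT exemption) ACLs, which parse_acl reads just as well: a flow that is selected by the crypto map but still gets translated by the inside NAT rule arrives at the peer with a source address its crypto ACL does not list, so both ACLs on both peers need the matching pairs.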
 

Author Comment

by:OuttaCyTE
ID: 33524381
@jmeggers,

Thank you for your reply and my apologies for taking so long to get back.  Been snowed under since I posted.

I'll give this a try, but first a couple of questions:

1) Since the Office A-net to Office B-net tunnel works and does not have the "reverse" entries you are suggesting, why should adding these reverse entries help for Office A-net to Office B-net-oob?

2) I was holding off expanding any other direction (such as B-net-oob to A-net) until I got the first working to minimize the number of changes to be made.  Is there some specific reason that I should put in all of them at once?

I really only get to play on this on the weekend.

-greg
0
 

Author Comment

by:OuttaCyTE
ID: 33524762
Hi again,

I looked at this again and think I spotted the mistake that jmeggers was trying to get at.

In the Office B setup:

! Don't NAT these
access-list inside_outbound_nat0_acl permit ip B-net 255.255.255.0 A-net 255.255.255.0
access-list inside_outbound_nat0_acl permit ip B-net 255.255.255.0 A-net-oob 255.255.255.0


I don't have B-net-oob to A-net for NoNat, and in:

! These are going from here to Office A
access-list outside_cryptomap_20 permit ip B-net 255.255.255.0 A-net 255.255.255.0
access-list outside_cryptomap_20 permit ip B-net 255.255.255.0 A-net-oob 255.255.255.0


I don't have the B-net-oob to A-net for routing.

jmeggers' updates include these (and more).

I will give these a try when I get a chance either late at night or the weekend (as I can't afford to kill the client during the day with a typo...).


Thanks,
-greg
0
 

Author Comment

by:OuttaCyTE
ID: 33527338
I can report improvement.  I now see the ping request on Office PIX-B.

I suspect the rest of the problem is the lack of a secondary address on the inside of the PIX.  I seem to remember some cheats for that so I'm going to look into them.  I can't believe the PIX doesn't support a secondary IP address.

-g
0
 

Author Comment

by:OuttaCyTE
ID: 33527442
Frump...

VLANs are not supported at all in the PIX 501, even at version 6.3.  Can't use the VLAN trick to convince the PIX to take a secondary address.

I'm open to suggestions not involving new/replacement equipment.

Otherwise I'll close this with points to jmeggers.

-g
0
 

Author Closing Comment

by:OuttaCyTE
ID: 33572613
Thank you for responding.  The main answer is that the PIX/ASA firewalls don't have a secondary IP address, and the 501s in particular don't even have VLANs so you can 'fake' a secondary IP.

I'm going to look at other vendors as I'm tired of Cisco almost-but-not-quite implementations and nickel-and-dime thinking when it comes to the very smallest of shops.
0
