Cisco PIX Remote access client communication over VPN tunnel to remote subnet

Asked by btray900
Hi,

Devices: Cisco PIX 515E
Version: 8.0(4)

I am trying to do something that seems common; there are a ton of examples, each slightly different, and none work.

I want remote access users to connect to a PIX in Vegas, access devices in Vegas on one subnet and access devices in VA on another subnet connected via a site-to-site VPN tunnel.

Vegas (West):
RA pool: 10.2.2.0
West local: 192.168.2.0

VA (East):
East remote: 192.168.1.0

What works:
10.2.2.0 (West RA) to 192.168.2.0 (West local)
192.168.2.0 (West local) to 192.168.1.0 (East remote)
192.168.1.0 (East remote) to 192.168.2.0 (West local)

Also from 192.168.1.251 (East local) I can ping my remote access client (10.2.2.10). So:
192.168.1.0 (East remote) to 10.2.2.0 (West RA) also works. The East host needs a static route to the RA network through the East PIX and that clearly works.

What does not work is West RA client access to the East remote network. So:
10.2.2.0 (West RA) cannot access 192.168.1.0 (East remote)

The tunnel has been fine for years, East<->West communication is/has been fine for years. This remote access configuration is new and half works.

--------------
East PIX
--------------
access-list HV-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list HV-VPN extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0

access-list CH-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list CH-VPN extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
 
nat (ch) 0 access-list CH-VPN

crypto map TUNNELS 6 match address HV-VPN

--------------
West PIX
--------------

same-security-traffic permit intra-interface

access-list CH-VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list CH-VPN extended permit ip 192.168.2.0 255.255.255.0 10.2.2.0 255.255.255.0

access-list HV-VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list HV-VPN extended permit ip 10.2.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list CH-SPLITUNNEL-ACL standard permit 192.168.2.0 255.255.255.0
access-list CH-SPLITUNNEL-ACL standard permit 192.168.1.0 255.255.255.0

ip local pool CH-POOL 10.2.2.10-10.2.2.250 mask 255.255.255.0

nat (ch) 0 access-list CH-VPN

crypto map TUNNELS 6 match address HV-VPN

group-policy CH-GRP-RA internal
group-policy CH-GRP-RA attributes
 dns-server value <snip>
 vpn-idle-timeout 86400
 vpn-tunnel-protocol IPSec
 ip-comp enable
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CH-SPLITUNNEL-ACL
 default-domain value <snip>
 intercept-dhcp enable

tunnel-group CH-TNL-RA type remote-access
tunnel-group CH-TNL-RA general-attributes
 address-pool CH-POOL
 default-group-policy CH-GRP-RA
tunnel-group CH-TNL-RA ipsec-attributes
 pre-shared-key *


Thanks for any help.
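As an added sanity check (not part of the original question or its answer), the script below parses the "extended permit ip" ACEs quoted above and reports, for a given flow, whether the local crypto ACL carries it, whether the peer's crypto ACL carries the exact mirror, and whether the supplied nat 0 exemption list carries it. The ACL text is copied from the question; the flow names and the function names are my own.

```python
import ipaddress
import re

# Copied from the question: crypto ACLs on each PIX and the West nat (ch) 0 list.
EAST_HV_VPN = """
access-list HV-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list HV-VPN extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
"""
WEST_HV_VPN = """
access-list HV-VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list HV-VPN extended permit ip 10.2.2.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
WEST_NAT0_CH = """
access-list CH-VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list CH-VPN extended permit ip 192.168.2.0 255.255.255.0 10.2.2.0 255.255.255.0
"""

# Only the "permit ip <src> <mask> <dst> <mask>" form used on this page is parsed.
ACE = re.compile(r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_aces(text):
    """Return (src_net, dst_net) pairs for every matching ACE in the text."""
    pairs = []
    for m in ACE.finditer(text):
        src = ipaddress.ip_network(f"{m[1]}/{m[2]}")   # dotted masks are accepted
        dst = ipaddress.ip_network(f"{m[3]}/{m[4]}")
        pairs.append((src, dst))
    return pairs


def covers(aces, src, dst):
    """True if some ACE permits src->dst (flow fully inside the ACE's networks)."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in aces)


def check_flow(src, dst, local_crypto, peer_crypto, local_nat0):
    """Report which lists carry src->dst as seen from the local PIX.

    peer_crypto_mirror checks the peer's ACL for the reversed pair (dst->src),
    which is what the two ends of a site-to-site SA must agree on.
    """
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    return {
        "local_crypto": covers(parse_aces(local_crypto), src, dst),
        "peer_crypto_mirror": covers(parse_aces(peer_crypto), dst, src),
        "local_nat0": covers(parse_aces(local_nat0), src, dst),
    }
```

On the PIX each nat 0 statement is bound to one interface, so the list worth passing as local_nat0 is the one bound to the interface the flow actually enters; the script only checks whichever list it is given.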