Velocity Reviews - Computer Hardware Reviews

PIX515 - VPN on logical interface

 
 
dominsz (Guest), 06-21-2006
I would like to create a site-to-site VPN between 2 locations, let's call
them Site A and Site B. I set up on Site A an inside (ethernet 1) and a
logical (also on ethernet 1) interface. Site B has only an inside
zone. Each office has a PIX 515 with version 6.3(4) running on it. I am
able to create tunnels so that inside A can access inside B (but I need
the logical interface of Site A to be able to access inside B and vice versa).
I was also trying to establish a tunnel between the DMZ of Site A (ethernet
2 interface) and inside, but I am unable to create the functionality
that I need. The following is what I would like to do.

VPN connectivity:

Logical interface (ethernet 1) of Site A can access inside of Site B
Inside of Site B can access logical interface (ethernet 1) of Site A

- OR - if above impossible

DMZ (ethernet 1) of Site A can access inside of Site B
Inside of Site B can access DMZ of Site A

Do I need any switch to do that with the logical interface (it's a VLAN on the
PIX, of course)?
I have a Netgear FSM726, and I tried to filter this traffic, but it
doesn't work.


My Config:

PIX (Version 6.3(4)) on SITE A:
---------------

interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan3 logical
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security40
nameif vlan3 vpnnet security95
enable password xxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname SiteA
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.1.0 Net1
name 193.2.2.0 Net2
name 192.168.73.0 Net3
access-list outbound_nat0_acl permit ip Net2 255.255.255.0 Net3 255.255.255.0
access-list outside_cryptomap permit ip Net2 255.255.255.0 Net3 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.1.52 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
no ip address dmz
ip address vpnnet 193.2.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.1.1.2 255.255.255.255 inside
pdm location Net3 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 192.168.1.53
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (vpnnet) 0 access-list outbound_nat0_acl
route outside 0.0.0.0 0.0.0.0 192.168.1.51 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 11.11.11.40 source outside prefer
http server enable
http 10.1.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap
crypto map outside_map 20 set peer 192.168.1.68
crypto map outside_map 20 set transform-set vpnset
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.68 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 10.1.1.2 255.255.255.255 inside
telnet timeout 5
console timeout 0
dhcpd address 10.1.1.100-10.1.1.254 inside
dhcpd dns 192.168.1.107 192.168.1.108
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain domain.com
dhcpd enable inside
username admin password xxxXxxXXxx encrypted privilege 15
terminal width 80

PIX (Version 6.3(4)) on SITE B:
---------------

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security40
enable password xxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname SiteB
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.1.0 Net1
name 193.2.2.0 Net2
name 192.168.73.0 Net3
access-list outbound_nat0_acl permit ip Net3 255.255.255.0 Net2 255.255.255.0
access-list outside_cryptomap permit ip Net3 255.255.255.0 Net2 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.1.68 255.255.255.0
ip address inside 192.168.73.1 255.255.255.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm location 10.1.1.2 255.255.255.255 inside
pdm location Net3 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list outbound_nat0_acl
route outside 0.0.0.0 0.0.0.0 192.168.1.67 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 11.11.11.40 source outside prefer
http server enable
http 192.168.73.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap
crypto map outside_map 20 set peer 192.168.1.52
crypto map outside_map 20 set transform-set vpnset
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.52 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh 192.168.1.52 255.255.255.0 outside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username admin password xxxXxxXXxx encrypted privilege 15
terminal width 80

Basically, I can connect from inside (Site A - 10.1.1.0) to inside
(Site B - 192.168.73.0) and ping any host (of course, if I set up
tunneling between the inside interfaces). But, what is most important
for me (above config), I cannot ping a host in 193.2.2.0 (Site A) from
192.168.73.0 (Site B). I cannot even ping the logical interface 193.2.2.1
on Site A from any internal host on 193.2.2.0, but I can ping the inside
interface 10.1.1.1 from any host on 10.1.1.0 - why?
I have checked all the Cisco web site examples, and I cannot find a single
example where they do something like that. Does anyone have an idea how
to configure this (and also the switch, if that matters), or should I run it
on interface 2 (DMZ)?

Thanks very much in advance.

 
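A check the poster could run before touching the switch, added here as an example and not part of the original thread or of any Cisco tool: it reads the VPN-relevant lines from both PIX configs, joins lines a mail client wrapped, resolves the "name" aliases, and reports the mismatches that let a tunnel negotiate but carry nothing. The excerpts inside are constructed from the post's addressing (SiteA/SiteB are labels, not device names) with two deliberate paste errors that PIX configs posted to mailing lists very often contain: a mask wrapped onto the next line and truncated, and a crypto map that references a transform-set under a name that was never defined.

```python
"""Cross-check the two halves of a PIX 6.3 site-to-site VPN for the classic
reasons a tunnel negotiates but carries nothing (or never negotiates at all)."""
import ipaddress
import re

# Constructed excerpts using the post's addressing.  Two paste errors are included
# on purpose: a mask wrapped and truncated, and an undefined transform-set name.
SITE_A = """
name 193.2.2.0 Net2
name 192.168.73.0 Net3
access-list outbound_nat0_acl permit ip Net2 255.255.255.0 Net3
255.255.255.0
access-list outside_cryptomap permit ip Net2 255.255.255.0 Net3
55.255.255.0
ip address outside 192.168.1.52 255.255.255.0
nat (vpnnet) 0 access-list outbound_nat0_acl
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_cryptomap
crypto map outside_map 20 set peer 192.168.1.68
crypto map outside_map 20 set transform-set ESP-3DES-MD5
"""
SITE_B = """
name 193.2.2.0 Net2
name 192.168.73.0 Net3
access-list outbound_nat0_acl permit ip Net3 255.255.255.0 Net2
255.255.255.0
access-list outside_cryptomap permit ip Net3 255.255.255.0 Net2
55.255.255.0
ip address outside 192.168.1.68 255.255.255.0
nat (inside) 0 access-list outbound_nat0_acl
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_cryptomap
crypto map outside_map 20 set peer 192.168.1.52
crypto map outside_map 20 set transform-set ESP-3DES-MD5
"""

def unwrap(text):
    """Re-join lines a mail/forum client wrapped: PIX commands start with a
    keyword, so a line starting with a digit continues the previous one."""
    lines = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line[0].isdigit() and lines:
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines

def parse(text):
    """Pull out only the statements the tunnel depends on."""
    cfg = {"names": {}, "acls": {}, "tsets": set(), "ifaces": {}, "nat0": {}, "map": {}}
    for line in unwrap(text):
        t = line.split()
        if t[0] == "name":
            cfg["names"][t[2]] = t[1]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            cfg["acls"].setdefault(t[1], []).append(tuple(t[4:8]))
        elif line.startswith("crypto ipsec transform-set"):
            cfg["tsets"].add(t[3])
        elif t[:2] == ["ip", "address"]:
            cfg["ifaces"][t[2]] = t[3]
        elif (m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif line.startswith("crypto map"):
            for key, phrase in (("acl", "match address"), ("peer", "set peer"),
                                ("tset", "set transform-set")):
                if phrase in line:
                    cfg["map"][key] = t[-1]
    return cfg

def acl_networks(cfg, acl, findings, label):
    """Resolve name aliases and masks into (src, dst) network pairs; anything
    ipaddress rejects, such as a truncated mask, becomes a finding instead."""
    pairs = set()
    for src, smask, dst, dmask in cfg["acls"].get(acl, []):
        try:
            pairs.add(tuple(ipaddress.IPv4Network(f"{cfg['names'].get(a, a)}/{m}", strict=False)
                            for a, m in ((src, smask), (dst, dmask))))
        except ValueError as exc:
            findings.append(f"{label}: ACL {acl} entry rejected: {exc}")
    return pairs

def audit(text_a, text_b, label_a="SiteA", label_b="SiteB"):
    """Return a list of findings; an empty list means both halves agree."""
    findings = []
    a, b = parse(text_a), parse(text_b)
    for cfg, label, peer in ((a, label_a, b), (b, label_b, a)):
        tset = cfg["map"].get("tset")
        if tset not in cfg["tsets"]:
            findings.append(f"{label}: crypto map uses undefined transform-set {tset}")
        if cfg["map"].get("peer") != peer["ifaces"].get("outside"):
            findings.append(f"{label}: set peer is not the other side's outside address")
    crypto_a = acl_networks(a, a["map"].get("acl"), findings, label_a)
    crypto_b = acl_networks(b, b["map"].get("acl"), findings, label_b)
    if crypto_a and crypto_b and {(d, s) for s, d in crypto_b} != crypto_a:
        findings.append("crypto ACLs are not mirror images of each other")
    for cfg, label, crypto in ((a, label_a, crypto_a), (b, label_b, crypto_b)):
        for iface, acl in cfg["nat0"].items():
            if crypto and acl_networks(cfg, acl, findings, label) != crypto:
                findings.append(f"{label}: nat ({iface}) 0 ACL does not match the crypto ACL")
    return findings
```

Run `audit(SITE_A, SITE_B)` and the embedded excerpts produce four findings (the undefined transform-set on each side and the rejected crypto ACL entry on each side); with those two corrected, the list is empty. Two things the script cannot see decide the 193.2.2.1 symptom: a PIX 6.3 logical interface is an 802.1Q sub-interface, so the FSM726 port facing ethernet1 must be a tagged trunk member for VLAN 3 (the inside network keeps riding untagged on the physical port) and the vpnnet hosts must be placed in VLAN 3 on that switch; if the PIX never receives VLAN-3-tagged frames, its logical interface address is unreachable whatever the crypto map says. On the PIX itself, `show crypto isakmp sa` and `show crypto ipsec sa` show whether phase 1 and phase 2 completed for the 193.2.2.0/24 and 192.168.73.0/24 proxy identities. Separately, `snmp-server community public` on both boxes deserves a change before anything else.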
