Velocity Reviews - Computer Hardware Reviews

Again: Pix VPN & Routing

 
 
Christoph Gartmann, 08-29-2005
Hello,

this is what we would like to achieve:

Road-Warrior <--- Internet ---> Pix <--- Router ---> LAN

Road-Warrior uses Cisco's VPN client. All traffic from Road-Warrior should
pass through the inside interface of the Pix towards the LAN, no matter whether
it is directed to our LAN or towards the Internet. Traffic arriving on the
inside interface directed to the "address pool" IP address of Road-Warrior
should of course go back through the outside interface into the VPN tunnel.

The following is the relevant part of the config. The tunnel is established,
the user authenticated, Road-Warrior gets the proper IP address from the pool
but is unable to reach anything on the LAN or further on.


interface Ethernet0
nameif outside
security-level 0
ip address 195.37.33.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.38 255.255.255.0
!
access-list aclinside extended permit ip any host 10.1.5.79
access-list testlist extended permit ip any any
ip local pool adpool 10.1.5.79 mask 255.255.0.0
nat-control
nat (inside) 0 access-list aclinside
route outside 0.0.0.0 0.0.0.0 195.37.33.254 1
route inside 0.0.0.0 0.0.0.0 192.168.1.254 tunneled
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.129.30.6
timeout 5
key xxxxxx
group-policy mpivpn internal
group-policy mpivpn attributes
banner value Welcome to MPIIB-VPN
vpn-idle-timeout 30
default-domain value immunbio.mpg.de
user-authentication enable
client-access-rule none
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address testlist
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 20 match address testlist
crypto map outside_map 20 set transform-set ESP-3DES-MD5 ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) RADIUS
tunnel-group mpivpn type ipsec-ra
tunnel-group mpivpn general-attributes
address-pool adpool
authentication-server-group (outside) RADIUS
default-group-policy mpivpn
tunnel-group mpivpn ipsec-attributes
pre-shared-key defcon13
authorization-required
tunnel-group authentication type ipsec-ra
tunnel-group authentication general-attributes
authentication-server-group (outside) RADIUS
default-group-policy authentication
!
: end


What is wrong here?

Regards,
Christoph Gartmann

--
Max-Planck-Institut fuer Immunbiologie
Postfach 1169
D-79011 Freiburg, Germany
Phone : +49-761-5108-464 Fax: -452
Internet: gartmann@immunbio dot mpg dot de
http://www.immunbio.mpg.de/home/menue.html
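Added example, not part of Christoph's post and not a Cisco tool: a small Python audit over the crypto-relevant lines of the configuration above. It does not touch the routing question; it reports what a reviewer would flag in the posted config on security grounds: IKE and IPsec parameters that are weak by current standards (single DES, 3DES, MD5, DH group 2), the `permit ip any any` ACL used as a crypto ACL, and the pre-shared key that sits in the clear in a configuration pasted to a public list. The sample config is copied from the post with the key replaced by a placeholder; which algorithms count as weak is this example's own assumption, not anything the PIX enforces.

```python
"""Static hygiene checks over a PIX 7.x configuration fragment.

Added example: walks the posted configuration text and reports IKE/IPsec
parameters that are weak by today's standards, crypto ACLs that are wider
than they need to be, and secrets that appear in the clear. Pure text
parsing; nothing here talks to a device.
"""

# Constructed sample: the crypto-relevant lines of the configuration posted
# in this thread, with the pre-shared key replaced by a placeholder.
PIX_CONFIG = """\
access-list aclinside extended permit ip any host 10.1.5.79
access-list testlist extended permit ip any any
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address testlist
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 match address testlist
crypto map outside_map 20 set transform-set ESP-3DES-MD5 ESP-DES-MD5
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
tunnel-group mpivpn ipsec-attributes
 pre-shared-key REDACTED
"""

# Assumed weak-algorithm lists (this example's judgement, not a PIX rule).
WEAK_ESP = {
    "esp-des": "single DES, 56-bit key",
    "esp-3des": "3DES, 64-bit block, deprecated",
    "esp-md5-hmac": "HMAC-MD5 integrity",
}
WEAK_IKE = {
    ("encryption", "des"): "single DES, 56-bit key",
    ("encryption", "3des"): "3DES, deprecated",
    ("hash", "md5"): "MD5 as IKE hash/PRF",
    ("group", "1"): "768-bit MODP Diffie-Hellman",
    ("group", "2"): "1024-bit MODP Diffie-Hellman",
}


def audit_pix_crypto(config: str) -> list[str]:
    """Return one finding string per weak or risky crypto-related line."""
    findings = []
    any_any_acls = set()   # ACL names that permit ip any any
    crypto_acls = set()    # ACL names referenced by a crypto / dynamic map
    for line in config.splitlines():
        parts = line.split()   # also strips the PIX sub-command indentation
        if not parts:
            continue
        if parts[:3] == ["crypto", "ipsec", "transform-set"]:
            name, algs = parts[3], parts[4:]
            for alg in algs:
                if alg in WEAK_ESP:
                    findings.append(f"transform-set {name}: {alg} ({WEAK_ESP[alg]})")
        elif parts[:2] == ["isakmp", "policy"] and len(parts) >= 5:
            key = (parts[3], parts[4])
            if key in WEAK_IKE:
                findings.append(
                    f"isakmp policy {parts[2]}: {parts[3]} {parts[4]} ({WEAK_IKE[key]})")
        elif parts[0] == "access-list" and parts[2:] == ["extended", "permit", "ip", "any", "any"]:
            any_any_acls.add(parts[1])
        elif parts[0] == "crypto" and "match" in parts and "address" in parts:
            crypto_acls.add(parts[-1])
        elif parts[0] == "pre-shared-key":
            findings.append("pre-shared-key is stored in the clear; a key that has been "
                            "pasted into a public forum must be rotated")
    for acl in sorted(any_any_acls & crypto_acls):
        findings.append(f"crypto ACL {acl} permits ip any any; "
                        "scope it to the address pool and the protected networks")
    return findings


if __name__ == "__main__":
    for finding in audit_pix_crypto(PIX_CONFIG):
        print(finding)
```

Run against the posted fragment it produces eleven findings: four for the two transform sets, five for the two ISAKMP policies, one for the any/any crypto ACL and one for the cleartext key. Feeding it a policy such as `isakmp policy 10 encryption aes-256 / hash sha / group 14` produces nothing, which is the shape a cleaned-up config should have.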
 
 
Megane, 08-30-2005
isakmp nat-traversal 20

regards
Megane

 
Christoph Gartmann, 08-30-2005
In article <(E-Mail Removed)>, "Megane" <(E-Mail Removed)> writes:
>isakmp nat-traversal 20
>


This helped partially. Now Road-Warrior is able to reach hosts in the LAN or
those nets that have a dedicated route towards inside. But traffic from
Road-Warrior to hosts that are not part of our LAN still goes directly through the
outside interface and not through the inside interface.

Thus is there a way for some sort of policy routing in the Pix, e.g. everything
originating from address 10.1.5.79 (= addresses from the local pool) should be
routed towards the inside interface?

Regards,
Christoph Gartmann

Erik Tamminga, 09-03-2005
Hi,

Routing of traffic on the PIX adheres to the routes found in the routing
table.
So if you'd like traffic to certain networks to go out the inside interface,
add routes for these nets to the routing table.
As far as I know there is no option to route based on source address on the
PIX (unlike policy routing on IOS).

Erik


Walter Roberson, 09-04-2005
In article <devd18$sg8$(E-Mail Removed)>,
Christoph Gartmann <(E-Mail Removed)> wrote:
:this is what we would like to achieve:

: Road-Warrior <--- Internet ---> Pix <--- Router ---> LAN

:Road-Warrior uses Cisco's VPN client. All traffic from Road-Warrior should
:pass through the inside interface of the Pix towards the LAN, no matter whether
:it is directed to our LAN or towards the Internet.

What is the LAN going to do with the traffic if it is addressed towards
the Internet?


:interface Ethernet0
: nameif outside
: security-level 0
: ip address 195.37.33.1 255.255.255.0

That must be PIX 7.0. The constraints changed noticeably between 6.3
and 7.0.
--
The rule of thumb for speed is:

1. If it doesn't work then speed doesn't matter. -- Christian Bau
 
Christoph Gartmann, 09-07-2005
In article <dfdhqf$ne1$(E-Mail Removed)>, (E-Mail Removed) (Walter Roberson) writes:
>In article <devd18$sg8$(E-Mail Removed)>,
>Christoph Gartmann <(E-Mail Removed)> wrote:
>:this is what we would like to achieve:
>
>: Road-Warrior <--- Internet ---> Pix <--- Router ---> LAN
>
>:Road-Warrior uses Cisco's VPN client. All traffic from Road-Warrior should
>:pass through the inside interface of the Pix towards the LAN, no matter whether
>:it is directed to our LAN or towards the Internet.
>
>What is the LAN going to do with the traffic if it is addressed towards
>the Internet?


Route it to a different Pix and then to the Internet via a separate channel.

>
>:interface Ethernet0
>: nameif outside
>: security-level 0
>: ip address 195.37.33.1 255.255.255.0
>
>That must be PIX 7.0. The constraints changed noticeably between 6.3
>and 7.0.


Yes, it is 7.0.2.

Regards,
Christoph Gartmann
