Again: Pix VPN & Routing

Discussion in 'Cisco' started by Christoph Gartmann, Aug 29, 2005.

  1. Hello,

    this is what we would like to achieve:

    Road-Warrior <--- Internet ---> Pix <--- Router ---> LAN

    Road-Warrior uses Cisco's VPN client. All traffic from Road-Warrior should
    pass through the inside interface of the Pix towards the LAN, no matter whether
    it is directed to our LAN or towards the Internet. Traffic arriving on the
    inside interface directed to the "address pool" IP address of Road-Warrior
    should of course go back through the outside interface into the VPN tunnel.

    The following is the relevant part of the config. The tunnel is established,
    the user authenticated, Road-Warrior gets the proper IP address from the pool
    but is unable to reach anything on the LAN or further on.


    interface Ethernet0
     nameif outside
     security-level 0
     ip address 195.37.33.1 255.255.255.0
    !
    interface Ethernet1
     nameif inside
     security-level 100
     ip address 192.168.1.38 255.255.255.0
    !
    access-list aclinside extended permit ip any host 10.1.5.79
    access-list testlist extended permit ip any any
    ip local pool adpool 10.1.5.79 mask 255.255.0.0
    nat-control
    nat (inside) 0 access-list aclinside
    route outside 0.0.0.0 0.0.0.0 195.37.33.254 1
    route inside 0.0.0.0 0.0.0.0 192.168.1.254 tunneled
    aaa-server RADIUS protocol radius
    aaa-server RADIUS host 192.129.30.6
     timeout 5
     key xxxxxx
    group-policy mpivpn internal
    group-policy mpivpn attributes
     banner value Welcome to MPIIB-VPN
     vpn-idle-timeout 30
     default-domain value immunbio.mpg.de
     user-authentication enable
     client-access-rule none
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address testlist
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 20 match address testlist
    crypto map outside_map 20 set transform-set ESP-3DES-MD5 ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption 3des
    isakmp policy 40 hash md5
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400
    isakmp policy 65535 authentication pre-share
    isakmp policy 65535 encryption 3des
    isakmp policy 65535 hash sha
    isakmp policy 65535 group 2
    isakmp policy 65535 lifetime 86400
    tunnel-group DefaultRAGroup type ipsec-ra
    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group (outside) RADIUS
    tunnel-group mpivpn type ipsec-ra
    tunnel-group mpivpn general-attributes
     address-pool adpool
     authentication-server-group (outside) RADIUS
     default-group-policy mpivpn
    tunnel-group mpivpn ipsec-attributes
     pre-shared-key defcon13
     authorization-required
    tunnel-group authentication type ipsec-ra
    tunnel-group authentication general-attributes
     authentication-server-group (outside) RADIUS
     default-group-policy authentication
    !
    : end


    What is wrong here?

    Regards,
    Christoph Gartmann

    --
    Max-Planck-Institut fuer Immunbiologie
    Postfach 1169
    D-79011 Freiburg, Germany
    Phone : +49-761-5108-464 Fax: -452
    Internet: gartmann@immunbio dot mpg dot de
    http://www.immunbio.mpg.de/home/menue.html
    Christoph Gartmann, Aug 29, 2005
    #1

  2. Megane (Guest)

    isakmp nat-traversal 20

    regards
    Megane

    "Christoph Gartmann" <> wrote in message
    news:devd18$sg8$...
    > Hello,
    >
    > this is what we would like to achieve:
    >
    > Road-Warrior <--- Internet ---> Pix <--- Router ---> LAN
    >
    > Road-Warrior uses Cisco's VPN client. All traffic from Road-Warrior should
    > pass through the inside interface of the Pix towards the LAN, no matter
    > whether
    > it is directed to our LAN or towards the Internet. Traffic arriving on the
    > inside interface directed to the "address pool" IP address of Road-Warrior
    > should of course go back through the outside interface into the VPN
    > tunnel.
    >
    > The following is the relevant part of the config. The tunnel is
    > established,
    > the user authenticated, Road-Warrior gets the proper IP address from the
    > pool
    > but is unable to reach anything on the LAN or further on.
    >
    >
    > interface Ethernet0
    > nameif outside
    > security-level 0
    > ip address 195.37.33.1 255.255.255.0
    > !
    > interface Ethernet1
    > nameif inside
    > security-level 100
    > ip address 192.168.1.38 255.255.255.0
    > !
    > access-list aclinside extended permit ip any host 10.1.5.79
    > access-list testlist extended permit ip any any
    > ip local pool adpool 10.1.5.79 mask 255.255.0.0
    > nat-control
    > nat (inside) 0 access-list aclinside
    > route outside 0.0.0.0 0.0.0.0 195.37.33.254 1
    > route inside 0.0.0.0 0.0.0.0 192.168.1.254 tunneled
    > aaa-server RADIUS protocol radius
    > aaa-server RADIUS host 192.129.30.6
    > timeout 5
    > key xxxxxx
    > group-policy mpivpn internal
    > group-policy mpivpn attributes
    > banner value Welcome to MPIIB-VPN
    > vpn-idle-timeout 30
    > default-domain value immunbio.mpg.de
    > user-authentication enable
    > client-access-rule none
    > crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    > crypto dynamic-map outside_dyn_map 20 match address testlist
    > crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    > crypto dynamic-map outside_dyn_map 20 set reverse-route
    > crypto map outside_map 20 match address testlist
    > crypto map outside_map 20 set transform-set ESP-3DES-MD5 ESP-DES-MD5
    > crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    > crypto map outside_map interface outside
    > isakmp enable outside
    > isakmp policy 40 authentication pre-share
    > isakmp policy 40 encryption 3des
    > isakmp policy 40 hash md5
    > isakmp policy 40 group 2
    > isakmp policy 40 lifetime 86400
    > isakmp policy 65535 authentication pre-share
    > isakmp policy 65535 encryption 3des
    > isakmp policy 65535 hash sha
    > isakmp policy 65535 group 2
    > isakmp policy 65535 lifetime 86400
    > tunnel-group DefaultRAGroup type ipsec-ra
    > tunnel-group DefaultRAGroup general-attributes
    > authentication-server-group (outside) RADIUS
    > tunnel-group mpivpn type ipsec-ra
    > tunnel-group mpivpn general-attributes
    > address-pool adpool
    > authentication-server-group (outside) RADIUS
    > default-group-policy mpivpn
    > tunnel-group mpivpn ipsec-attributes
    > pre-shared-key defcon13
    > authorization-required
    > tunnel-group authentication type ipsec-ra
    > tunnel-group authentication general-attributes
    > authentication-server-group (outside) RADIUS
    > default-group-policy authentication
    > !
    > : end
    >
    >
    > What is wrong here?
    >
    > Regards,
    > Christoph Gartmann
    >
    > --
    > Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -452
    > Immunbiologie
    > Postfach 1169 Internet: gartmann@immunbio dot mpg dot de
    > D-79011 Freiburg, Germany
    > http://www.immunbio.mpg.de/home/menue.html
    Megane, Aug 30, 2005
    #2

  3. In article <>, "Megane" <> writes:
    >isakmp nat-traversal 20
    >


    This helped partially. Now Road-Warrior is able to reach hosts in the LAN or
    those nets that have a dedicated route towards inside. But still traffic from
    Road-Warrior to hosts that are not part of our LAN goes directly through the
    outside interface and not through the inside interface.

    Thus is there a way for some sort of policy routing in the Pix, e.g. everything
    originating from address 10.1.5.79 (= addresses from the local pool) should be
    routed towards the inside interface?

    Regards,
    Christoph Gartmann

    --
    Max-Planck-Institut fuer Immunbiologie
    Postfach 1169
    D-79011 Freiburg, Germany
    Phone : +49-761-5108-464 Fax: -452
    Internet: gartmann@immunbio dot mpg dot de
    http://www.immunbio.mpg.de/home/menue.html
    Christoph Gartmann, Aug 30, 2005
    #3
  4. Hi,

    Routing of traffic on the pix adheres to the routes found in the routing
    table.
    So if you'd like traffic to certain networks to go out the inside interface,
    add routes for these nets to the routing table.
    As far as I know there is no option to route based on source address on the
    PIX. (as to policy routing on IOS).

    Erik


    "Christoph Gartmann" <> wrote in message
    news:df156k$l9h$...
    > In article <>, "Megane"
    > <> writes:
    >>isakmp nat-traversal 20
    >>

    >
    > This helped partially. Now Road-Warrior is able to reach hosts in the LAN
    > or
    > those nets that have a dedicated route towards inside. But still traffic
    > from
    > Road-Warrior to hosts that are not part of our LAN goes directly through the
    > outside interface and not through the inside interface.
    >
    > Thus is there a way for some sort of policy routing in the Pix, e.g.
    > everything
    > originating from address 10.1.5.79 (= addresses from the local pool)
    > should be
    > routed towards the inside interface?
    >
    > Regards,
    > Christoph Gartmann
    >
    > --
    > Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -452
    > Immunbiologie
    > Postfach 1169 Internet: gartmann@immunbio dot mpg dot de
    > D-79011 Freiburg, Germany
    > http://www.immunbio.mpg.de/home/menue.html
    Erik Tamminga, Sep 3, 2005
    #4
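    Erik's point is that the PIX picks an egress interface purely by longest-prefix match on its routing table, so the way to steer a destination network towards inside is to give it an explicit route. The Python model below is an added illustration, not code from the thread or from Cisco: it rebuilds the routing table implied by the posted config (two connected interface networks plus the two default routes) and performs the lookup. The handling of the `tunneled` keyword is my assumed reading of the PIX 7.0 feature (a tunneled route is considered only for traffic decrypted from a VPN tunnel and is preferred there over a plain route of equal prefix length); the thread reports that the posted config did not achieve this in practice, and the model does not explain why. Destination addresses and the extra `172.16.0.0/12` route are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: IPv4Net
    gateway: Optional[str]   # None marks a directly connected network
    tunneled: bool = False   # PIX 7.0 "route ... tunneled" (assumed semantics)


def pix_route_table() -> List[Route]:
    """Routing table reconstructed from the posted config: the two connected
    interface networks plus the two static default routes."""
    return [
        Route("outside", IPv4Net("195.37.33.0/24"), None),
        Route("inside", IPv4Net("192.168.1.0/24"), None),
        Route("outside", IPv4Net("0.0.0.0/0"), "195.37.33.254"),
        Route("inside", IPv4Net("0.0.0.0/0"), "192.168.1.254", tunneled=True),
    ]


def lookup(routes: List[Route], dst: str, from_tunnel: bool) -> Optional[Route]:
    """Longest-prefix match over the table.

    Assumed model of the 'tunneled' keyword: a tunneled route is only a
    candidate for traffic that arrived through a VPN tunnel, and for such
    traffic it wins a tie against a non-tunneled route of equal length.
    """
    addr = ipaddress.IPv4Address(dst)
    candidates = [
        r for r in routes
        if addr in r.prefix and (from_tunnel or not r.tunneled)
    ]
    if not candidates:
        return None
    # Longest prefix first; on a tie, the tunneled route first (tunnel traffic only).
    candidates.sort(key=lambda r: (r.prefix.prefixlen, r.tunneled), reverse=True)
    return candidates[0]


def egress(routes: List[Route], dst: str, from_tunnel: bool) -> Optional[str]:
    """Name of the interface the packet would leave on, or None if unroutable."""
    r = lookup(routes, dst, from_tunnel)
    return r.iface if r else None


def add_static_route(routes: List[Route], iface: str, prefix: str, gateway: str) -> List[Route]:
    """Erik's suggestion: an explicit route makes a network reachable via the
    inside interface regardless of where the traffic came from."""
    return routes + [Route(iface, IPv4Net(prefix), gateway)]


if __name__ == "__main__":
    table = pix_route_table()
    # Constructed sample destinations: a LAN host and a TEST-NET-3 address.
    for dst, tun in [("192.168.1.10", True), ("203.0.113.5", True), ("203.0.113.5", False)]:
        print(f"{dst:>14} from_tunnel={tun!s:5} -> {egress(table, dst, tun)}")
    # A constructed remote network that sits behind the inside router:
    table2 = add_static_route(table, "inside", "172.16.0.0/12", "192.168.1.254")
    print(f"{'172.16.5.5':>14} from_tunnel=False -> {egress(table2, '172.16.5.5', False)}")
```

    The model shows the two mechanisms the thread touches: with only the posted routes, non-tunnel traffic to an arbitrary Internet address leaves via outside, while a specific static route pulls a whole network towards inside for every source, which is the routing-table approach Erik describes in place of source-based policy routing.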
  5. In article <devd18$sg8$>,
    Christoph Gartmann <> wrote:
    :this is what we would like to achieve:

    : Road-Warrior <--- Internet ---> Pix <--- Router ---> LAN

    :Road-Warrior uses Cisco's VPN client. All traffic from Road-Warrior should
    :pass through the inside interface of the Pix towards the LAN, no matter whether
    :it is directed to our LAN or towards the Internet.

    What is the LAN going to do with the traffic if it is addressed towards
    the Internet?


    :interface Ethernet0
    : nameif outside
    : security-level 0
    : ip address 195.37.33.1 255.255.255.0

    That must be PIX 7.0. The constraints changed noticeably between 6.3
    and 7.0.
    --
    The rule of thumb for speed is:

    1. If it doesn't work then speed doesn't matter. -- Christian Bau
    Walter Roberson, Sep 4, 2005
    #5
  6. In article <dfdhqf$ne1$>, -cnrc.gc.ca (Walter Roberson) writes:
    >In article <devd18$sg8$>,
    >Christoph Gartmann <> wrote:
    >:this is what we would like to achieve:
    >
    >: Road-Warrior <--- Internet ---> Pix <--- Router ---> LAN
    >
    >:Road-Warrior uses Cisco's VPN client. All traffic from Road-Warrior should
    >:pass through the inside interface of the Pix towards the LAN, no matter whether
    >:it is directed to our LAN or towards the Internet.
    >
    >What is the LAN going to do with the traffic if it is addressed towards
    >the Internet?


    Route it to a different Pix and then to the Internet via a separate channel.

    >
    >:interface Ethernet0
    >: nameif outside
    >: security-level 0
    >: ip address 195.37.33.1 255.255.255.0
    >
    >That must be PIX 7.0. The constraints changed noticeably between 6.3
    >and 7.0.


    Yes, it is 7.0.2.

    Regards,
    Christoph Gartmann

    --
    Max-Planck-Institut fuer Immunbiologie
    Postfach 1169
    D-79011 Freiburg, Germany
    Phone : +49-761-5108-464 Fax: -452
    Internet: gartmann@immunbio dot mpg dot de
    http://www.immunbio.mpg.de/home/menue.html
    Christoph Gartmann, Sep 7, 2005
    #6
