Cisco VPN client access subnets connected by PIX vpn???

Discussion in 'Cisco' started by Oliver, Nov 11, 2003.

  1. Oliver

    Oliver Guest

    Hi All, have got a bit of a confusing situation here. I've got 2
    offices connected by PIX to PIX vpn, no problems there. I've also got
    remote users using Cisco VPN client that need to connect to either PIX
    and be able to access both offices. I can get the vpn client to
    connect to either PIX fine, and access the local network attached to
    the PIX they've connected to, but can't access the remote network
    connected (vpn) to the other PIX. I'm sure it's an ACL issue, but
    can't spot it; any ideas much appreciated. PIX config below (only
    the one side - I'll post the other if needed - public ip's changed):

    London PIX sh conf
    UKFW01# sh conf
    : Saved
    : Written by enable_15 at 14:57:51.352 UTC Sat Sep 27 2003
    PIX Version 6.3(2)
    interface ethernet0 auto
    interface ethernet1 100full
    interface ethernet2 auto
    interface ethernet3 auto shutdown
    interface ethernet4 auto shutdown
    interface ethernet5 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 mdata security10
    nameif ethernet3 intf3 security15
    nameif ethernet4 intf4 security20
    nameif ethernet5 stateful-fo security25
    enable password wpxSxF1n3Y2zj8fG encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname UKFW01
    domain-name acme.COM
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.50.0 acmeNY
    object-group service Netbios tcp
    description Ports for Netbios browsing
    port-object eq netbios-ssn
    access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 101 permit ip 192.168.0.0 255.255.255.0 acmeNY 255.255.255.0
    access-list ACLout permit tcp any any eq 7891
    access-list ACLout permit tcp host 195.157.52.65 host 66.9.xxx.xxx eq 4899
    access-list ACLout permit tcp host 167.206.66.66 host 66.9.xxx.xxx eq 4899
    access-list ACLout permit tcp any host 66.9.xxx.xxx eq smtp
    access-list ACLout permit tcp any host 66.9.xxx.xxx eq www
    access-list MDataIn permit udp any any eq rip
    access-list MDataIn permit tcp any any range 8194 8294
    access-list MDataIn permit udp any any range 8194 8294
    access-list MDataIn permit udp any any range 48129 48192
    access-list MDataIn permit tcp any any range 1025 6000
    access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 acmeNY 255.255.255.0
    access-list acme_Remote_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
    access-list acme_Remote_splitTunnelAcl permit ip acmeNY 255.255.255.0 any
    pager lines 24
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    mtu mdata 1500
    mtu intf3 1500
    mtu intf4 1500
    mtu stateful-fo 1500
    ip address outside 66.9.xxx.xxx 255.255.255.224
    ip address inside 192.168.0.1 255.255.255.0
    ip address mdata 192.168.5.1 255.255.255.0
    ip address intf3 127.0.0.1 255.255.255.255
    no ip address intf4
    ip address stateful-fo 192.168.10.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 192.168.3.1-192.168.3.254
    failover
    failover timeout 0:00:00
    failover poll 8
    failover ip address outside 66.9.xxx.xxx
    failover ip address inside 192.168.0.2
    failover ip address mdata 192.168.5.3
    no failover ip address intf3
    no failover ip address intf4
    failover ip address stateful-fo 192.168.10.2
    failover link stateful-fo
    pdm location 192.168.0.0 255.255.255.0 inside
    no pdm history enable
    arp timeout 14400
    global (outside) 1 66.9.xxx.xxx
    global (mdata) 1 192.168.5.200-192.168.5.250
    global (mdata) 1 192.168.5.251
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (mdata) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 66.9.xxx.xxx smtp 192.168.0.12 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 66.9.xxx.xxx www 192.168.0.12 www netmask 255.255.255.255 0 0
    static (inside,outside) 66.9.xxx.xxx 192.168.0.13 netmask 255.255.255.255 0 0
    access-group ACLout in interface outside
    access-group MDataIn in interface mdata
    route outside 0.0.0.0 0.0.0.0 66.9.195.67 1
    route mdata 205.183.246.0 255.255.255.0 192.168.5.2 1
    route mdata 208.134.161.0 255.255.255.0 192.168.5.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.0.11 password timeout 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set Satset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set Satset
    crypto map Satmap 20 ipsec-isakmp
    crypto map Satmap 20 match address outside_cryptomap_20
    crypto map Satmap 20 set peer 65.206.57.26
    crypto map Satmap 20 set transform-set Satset
    crypto map Satmap 65535 ipsec-isakmp dynamic dynmap
    crypto map Satmap interface outside
    isakmp enable outside
    isakmp key ******** address 65.206.57.26 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup acme_Remote address-pool ippool
    vpngroup acme_Remote dns-server 192.168.0.11 158.43.128.1
    vpngroup acme_Remote wins-server 192.168.0.11
    vpngroup acme_Remote default-domain acme.internal
    vpngroup acme_Remote split-tunnel 101
    vpngroup acme_Remote split-dns acme.internal newyork.acme.internal
    vpngroup acme_Remote idle-time 43200
    vpngroup acme_Remote password ********
    vpngroup idle-time idle-time 1800
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:9f1d94ec7c4a28b59c630a2bfc86a63c
    UKFW01#
     
    Oliver, Nov 11, 2003
    #1

  2. In article <>,
    Oliver <> wrote:
    :Hi All, have got a bit of a confusing situation here. I've got 2
    :offices connected by PIX to PIX vpn, no problems there. I've also got
    :remote users using Cisco VPN client that need to connect to either PIX
    :and be able to access both offices? I can get the vpn client to
    :connect to either PIX fine, and access the local network attached to
    :the PIX they've connected to, but can't access the remote network
    :connected (vpn) to the other PIX??? I'm sure it's an ACL issue, but
    :can't spot it, any ideas much appreciated.

    :crypto map Satmap interface outside
    :isakmp enable outside

    It isn't an ACL issue.

    You only have isakmp active on your outside interface, so your
    PIX to PIX vpn and your VPN client must both be coming in on that
    same interface (instead of one coming in on, say, the mdata interface.)

    What you are running into is that the PIX absolutely will not route
    packets back out the same interface they came in on, even if they
    arrived in an IPSec tunnel the first time around.

    VPN clients are coming from the Internet and hitting the outside
    interface, being decoded, and from there it would be established
    that the routing would have to be out the outside interface via
    the IPSec tunnel to the second PIX. But the PIX doesn't allow that.
    The packet would be coming from a security0 interface and it would
    be going out a security0 interface, and the PIX has a strict rule
    that packets between interfaces of the same security level are dropped.


    In order to do what you want, the PIX-to-PIX VPN must be in a
    different interface (physical or logical) than the VPN client
    comes in on. If you can subnet your external IP address space and your
    router either has another ethernet connection or supports 802.1Q,
    then you can create the kind of setup you want.


    By the way, you should upgrade to 6.3(3) from 6.3(2),
    as 6.3(2) has a nasty problem with not saving some kinds of
    translations in the saved configuration.
    --
    Will you ask your master if he wants to join my court at Camelot?!
     
    Walter Roberson, Nov 11, 2003
    #2
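    The diagnosis above can be checked mechanically against a saved config. The script below is an added example, not code from the thread or from Cisco: it parses the crypto map and isakmp lines from the London PIX config quoted in this thread (embedded as a constructed excerpt) and reports every interface on which a static LAN-to-LAN peer and a dynamic (VPN client) map both terminate, which is the condition Walter describes.

```python
import re
from collections import defaultdict

# Constructed excerpt of the London PIX config posted above (crypto/isakmp lines only).
PIX_CONFIG = """
crypto map Satmap 20 ipsec-isakmp
crypto map Satmap 20 match address outside_cryptomap_20
crypto map Satmap 20 set peer 65.206.57.26
crypto map Satmap 65535 ipsec-isakmp dynamic dynmap
crypto map Satmap interface outside
isakmp enable outside
"""

def parse_crypto(config):
    """Collect, per crypto map, its bound interface, static peers and dynamic maps,
    plus the set of interfaces on which isakmp is enabled."""
    maps = defaultdict(lambda: {"interface": None, "peers": [], "dynamic": []})
    isakmp_ifaces = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map (\S+) interface (\S+)$", line)
        if m:
            maps[m.group(1)]["interface"] = m.group(2)
            continue
        m = re.match(r"crypto map (\S+) \d+ set peer (\S+)$", line)
        if m:
            maps[m.group(1)]["peers"].append(m.group(2))
            continue
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", line)
        if m:
            maps[m.group(1)]["dynamic"].append(m.group(2))
            continue
        m = re.match(r"isakmp enable (\S+)$", line)
        if m:
            isakmp_ifaces.add(m.group(1))
    return dict(maps), isakmp_ifaces

def shared_termination(config):
    """Return (interface, map, peers, dynamic maps) for each interface where a
    LAN-to-LAN peer and a VPN-client dynamic map both terminate; client traffic
    for the far office would have to leave via the interface it arrived on."""
    maps, isakmp_ifaces = parse_crypto(config)
    hits = []
    for name, info in maps.items():
        iface = info["interface"]
        if iface in isakmp_ifaces and info["peers"] and info["dynamic"]:
            hits.append((iface, name, sorted(info["peers"]), sorted(info["dynamic"])))
    return hits
```

    Running `shared_termination(PIX_CONFIG)` on the posted config flags the outside interface, with the 65.206.57.26 peer and the dynmap dynamic map sharing crypto map Satmap.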

  3. Oliver

    Oliver Guest

    Thanks for the post, finally makes sense... It's going to take a bit
    of organisation to make this kind of change, so probably won't be able
    to do it for a week or so, will let you know how it works out.
    Oliver

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<bor33o$oj6$>...
    > In article <>,
    > Oliver <> wrote:
    > :Hi All, have got a bit of a confusing situation here. I've got 2
    > :offices connected by PIX to PIX vpn, no problems there. I've also got
    > :remote users using Cisco VPN client that need to connect to either PIX
    > :and be able to access both offices? I can get the vpn client to
    > :connect to either PIX fine, and access the local network attached to
    > :the PIX they've connected to, but can't access the remote network
    > :connected (vpn) to the other PIX??? I'm sure it's an ACL issue, but
    > :can't spot it, any ideas much appreciated.
    >
    > :crypto map Satmap interface outside
    > :isakmp enable outside
    >
    > It isn't an ACL issue.
    >
    > You only have isakmp active on your outside interface, so your
    > PIX to PIX vpn and your VPN client must both be coming in on that
    > same interface (instead of one coming in on, say, the mdata interface.)
    >
    > What you are running into is that the PIX absolutely will not route
    > packets back out the same interface they came in on, even if they
    > arrived in an IPSec tunnel the first time around.
    >
    > VPN clients are coming from the Internet and hitting the outside
    > interface, being decoded, and from there it would be established
    > that the routing would have to be out the outside interface via
    > the IPSec tunnel to the second PIX. But the PIX doesn't allow that.
    > The packet would be coming from a security0 interface and it would
    > be going out a security0 interface, and the PIX has a strict rule
    > that packets between interfaces of the same security level are dropped.
    >
    >
    > In order to do what you want, the PIX-to-PIX VPN must be in a
    > different interface (physical or logical) than the VPN client
    > comes in on. If you can subnet your external IP address space and your
    > router either has another ethernet connection or supports 802.1Q,
    > then you can create the kind of setup you want.
    >
    >
    > By the way, you should upgrade to 6.3(3) from 6.3(2),
    > as 6.3(2) has a nasty problem with not saving some kinds of
    > translations in the saved configuration.
     
    Oliver, Nov 13, 2003
    #3