Guru Help?

Discussion in 'Cisco' started by jason.nichols@derwent.co.uk, Jun 2, 2005.

  1. Guest

    Hi all,

    I have a Site-to-Site VPN between a PIX and CheckPoint, all is good.
    I have now started to offer VPN access via the PIX to remote users
    (via Cisco VPN Client 3.x).
    What I am trying to do is get the remote users to route via the PIX to
    the network ranges that the local office can reach on the CP
    (ie route to the PIX then via the Site-to-Site and on)

    I cannot seem to get the last part working; I am getting Deny (no
    xlate) errors. Below is my config if needed.

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pix
    domain-name liquent.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 10.0.0.0 TAN-Access
    access-list inside_outbound_nat0_acl permit ip 10.228.200.0 255.255.255.0 TAN-Access 255.0.0.0
    access-list inside_outbound_nat0_acl permit ip TAN-Access 255.255.255.192 10.228.201.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.228.200.0 255.255.255.0 TAN-Access 255.0.0.0
    access-list outside_cryptomap_dyn_20 permit ip any 10.228.201.0 255.255.255.0
    access-list outside_inbound_nat0_acl permit ip TAN-Access 255.0.0.0 10.228.200.0 255.255.255.0
    access-list liquentremotevpn_splitTunnelAcl permit ip TAN-Access 255.0.0.0 any
    pager lines 24
    logging on
    logging console debugging
    logging monitor debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.x.x 255.255.255.192
    ip address inside 10.228.200.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnippool1 10.228.201.1-10.228.201.128
    arp timeout 14400
    global (outside) 10 interface
    nat (outside) 0 access-list outside_inbound_nat0_acl outside
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 217.150.110.193 1
    route inside TAN-Access 255.255.255.0 10.228.200.254 0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set pfs group2
    crypto map outside_map 20 set peer x.x.x.x
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup liquentremotevpn address-pool vpnippool1
    vpngroup liquentremotevpn dns-server x.x.x.x
    vpngroup liquentremotevpn default-domain x.com
    vpngroup liquentremotevpn split-tunnel liquentremotevpn_splitTunnelAcl
    vpngroup liquentremotevpn split-dns x.com
    vpngroup liquentremotevpn pfs
    vpngroup liquentremotevpn idle-time 1800
    vpngroup liquentremotevpn password ********
    telnet 10.228.5.201 255.255.255.255 outside
    telnet 10.228.200.0 255.255.255.0 inside
    telnet timeout 5
    ssh 10.228.5.201 255.255.255.255 outside
    ssh 10.228.5.0 255.255.255.0 outside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 10.228.5.0 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    terminal width 80

    Thanks
    Jason
     
    , Jun 2, 2005
    #1

  2. In article <>,
    <> wrote:
    :I have a Site-to-Site VPN between a PIX and CheckPoint, all is good.
    :I have now started to offer VPN access via the PIX to remote users
    :(via Cisco VPN Client 3.x).
    :What I am trying to do is get the remote users to route via the PIX to
    :the network ranges that the local office can reach on the CP
    :(ie route to the PIX then via the Site-to-Site and on)

    :PIX Version 6.3(3)

    You can't do that with that software release.

    :interface ethernet0 auto
    :interface ethernet1 100full

    That's a PIX 501, right?

    If you had a PIX 515/515E, 525, or 535, then you could do what
    you want to do with the PIX 7.0(1) software release. However, no
    formal announcement has been made as to when (if ever) PIX 7.x will
    be made available on the PIX 501 or 506/506E. [The 520 will not
    be supported at all.]

    With a PIX 501 you need routing assistance from a second device
    [which could be a second PIX 501.]

    --
    Entropy is the logarithm of probability -- Boltzmann
     
    Walter Roberson, Jun 2, 2005
    #2
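As an added illustration of the point Walter makes (this is not code from either post, nor anything from Cisco), here is a toy Python model of the handful of PIX forwarding checks that matter for Jason's flow: longest-prefix route lookup, the rule that a packet may not leave on the interface it arrived on (PIX 7.0 added `same-security-traffic permit intra-interface` to relax this; 6.3 has no such option), the `nat 0 access-list` exemption, and the static crypto map ACL. The "posted" configuration is transcribed from Jason's config; the "hairpin capable" one is my assumption of what a 7.0 box would additionally need (intra-interface permitted, and the NAT exemption and crypto ACL extended to the VPN client pool). Host addresses used in the scenarios are constructed sample values. The real PIX does far more than this; the model only exists to show why client-to-LAN traffic works while client-to-CheckPoint traffic cannot on 6.3.

```python
"""Toy model of PIX forwarding checks (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass


def net(s):
    """'any' -> 0.0.0.0/0, otherwise parse 'a.b.c.d/len'."""
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, s, d):
        return s in self.src and d in self.dst


def acl(*entries):
    """Build an ACL from (src, dst) network strings."""
    return [Rule(net(s), net(d)) for s, d in entries]


@dataclass
class Pix:
    version: str
    routes: dict        # {IPv4Network: egress interface name}
    nat0: dict          # {ingress interface: NAT exemption ACL}
    crypto_acl: list    # ACL of the static crypto map entry on 'outside'
    intra_interface: bool = False  # 7.0 'same-security-traffic permit intra-interface'

    def egress(self, dst):
        """Longest-prefix match over the route table."""
        cands = [(n.prefixlen, i) for n, i in self.routes.items() if dst in n]
        return max(cands)[1] if cands else None

    def forward(self, src, dst, ingress):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        out = self.egress(dst)
        if out is None:
            return "drop: no route"
        if out == ingress and self.version.startswith("6."):
            return f"drop: hairpin {ingress}->{out} not possible on PIX {self.version}"
        if out == ingress and not self.intra_interface:
            return "drop: same-security-traffic permit intra-interface not configured"
        if not any(r.matches(src, dst) for r in self.nat0.get(ingress, [])):
            return "drop: Deny (no xlate): no NAT exemption covers this flow"
        if out == "outside" and not any(r.matches(src, dst) for r in self.crypto_acl):
            return "drop: would leave outside unencrypted; no crypto map entry"
        tunnel = " via site-to-site tunnel" if out == "outside" else ""
        return f"forward {ingress}->{out}{tunnel}"


def posted_config():
    """The relevant parts of the config in the question (TAN-Access = 10.0.0.0)."""
    return Pix(
        version="6.3(3)",
        routes={net("10.228.200.0/24"): "inside",   # connected inside network
                net("10.0.0.0/24"): "inside",       # route inside TAN-Access 255.255.255.0
                net("0.0.0.0/0"): "outside"},       # default route
        nat0={"inside": acl(("10.228.200.0/24", "10.0.0.0/8"),
                            ("10.0.0.0/26", "10.228.201.0/24")),
              "outside": acl(("10.0.0.0/8", "10.228.200.0/24"))},
        crypto_acl=acl(("10.228.200.0/24", "10.0.0.0/8")),
    )


def hairpin_capable_config():
    """Hypothetical 7.0 box (my assumption): intra-interface traffic permitted,
    NAT exemption and site-to-site crypto ACL extended to the client pool."""
    p = posted_config()
    p.version = "7.0(1)"
    p.intra_interface = True
    p.nat0["outside"] += acl(("10.228.201.0/24", "10.0.0.0/8"))
    p.crypto_acl += acl(("10.228.201.0/24", "10.0.0.0/8"))
    return p


def run_scenarios():
    """Evaluate constructed sample flows against both configurations."""
    posted, fixed = posted_config(), hairpin_capable_config()
    half = posted_config()               # 7.0 with hairpin allowed but nothing else changed
    half.version, half.intra_interface = "7.0(1)", True
    lan, client, cp_host = "10.228.200.5", "10.228.201.5", "10.1.2.3"  # constructed
    return {
        "lan_to_cp_posted": posted.forward(lan, cp_host, "inside"),
        "client_to_lan_posted": posted.forward(client, lan, "outside"),
        "client_to_cp_posted": posted.forward(client, cp_host, "outside"),
        "client_to_cp_7x_no_exemption": half.forward(client, cp_host, "outside"),
        "client_to_cp_7x": fixed.forward(client, cp_host, "outside"),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:32s} {verdict}")
```

Note that on the posted config the client-to-LAN flow passes the `outside` NAT exemption only because the client pool 10.228.201.0/24 happens to sit inside the TAN-Access 10.0.0.0/8 source range; the client-to-CheckPoint flow never gets that far, because its egress interface is the one it arrived on.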
