PIX - Site-to-Site VPN and VPN Client access

Discussion in 'Cisco' started by Rick Stromberg, Jun 24, 2004.

  1. Hi,


    I've been looking intently at the Cisco website documentation (not all
    of it seems correct/complete) and have successfully set up a PIX515 to
    PIX506 site-to-site tunnel. In addition, I have VPN Clients set up to
    access the PIX515 and can access the network behind the PIX515.
    Here's my problem: I cannot access the remote end of the tunnel (the
    506 side) from my VPN client when it is connected to the PIX515.
    Also, I cannot ping through to the 'other' end of the tunnel from
    either PIX. Only hosts behind the PIX can ping through to the other
    side.

    There are obviously lengthy configs involved, so if someone thinks
    that this should be possible, and would be kind enough to help, I can
    e-mail the configs.

    Thanks.

    Rick Stromberg
    Rick Stromberg, Jun 24, 2004
    #1

  2. Rick,

    To clarify: due to the way the PIX SPI logic works, you will not be able
    to connect from outside PIX A with a VPN tunnel and then traverse the
    site-to-site VPN from PIX A to PIX B. This is due to the PIX not allowing
    an external connection to egress back out of the same interface.
    I believe a way round this would be to plug up 2 interfaces to the
    external (internet?) untrusted network, client VPN in on one
    interface, and build the site-to-site VPN on the other.

    If I remember correctly, your other problem, pinging the PIX interfaces,
    is also to do with the same logic, but this can be got round by
    allowing pinging to the PIX's external interface, although you will
    not be able to ping the internal interface.

    Rich

    On 24 Jun 2004 10:32:06 -0700, Rick Stromberg wrote:

    >Hi,
    >
    >
    >I've been looking intently at the Cisco website documentation (not all
    >of it seems correct/complete) and have successfully set up a PIX515 to
    >PIX506 site-to-site tunnel. In addition, I have VPN Clients set up to
    >access the PIX515 and can access the network behind the PIX515.
    >Here's my problem: I cannot access the remote end of the tunnel (the
    >506 side) from my VPN client when it is connected to the PIX515.
    >Also, I cannot ping through to the 'other' end of the tunnel from
    >either PIX. Only hosts behind the PIX can ping through to the other
    >side.
    >
    >There are obviously lengthy configs involved, so if someone thinks
    >that this should be possible, and would be kind enough to help, I can
    >e-mail the configs.
    >
    >Thanks.
    >
    >Rick Stromberg
    Richard Sanderson, Jun 25, 2004
    #2

  3. Richard is correct. You cannot have a dial-up VPN user access another
    VPN "branch" if they both connect via the same PIX interface.

    You can somewhat do this with the VPN Concentrator, however if you use
    the EasyVPN configuration with Network Extension Mode, you'll run into
    the same issues.

    Or you can throw in another interface card. If I remember correctly, the
    PIX "interface cards" are Intel Pro 100 PCI cards. You can just throw in
    a generic one and have it work, as long as you have the UR software.

    One last thing: when testing this, make sure the dial-up VPN user has
    the firewall option turned off. It will block ICMP and other things.

    Rick Stromberg wrote:

    > Hi,
    >
    >
    > I've been looking intently at the Cisco website documentation (not all
    > of it seems correct/complete) and have successfully set up a PIX515 to
    > PIX506 site-to-site tunnel. In addition, I have VPN Clients set up to
    > access the PIX515 and can access the network behind the PIX515.
    > Here's my problem: I cannot access the remote end of the tunnel (the
    > 506 side) from my VPN client when it is connected to the PIX515.
    > Also, I cannot ping through to the 'other' end of the tunnel from
    > either PIX. Only hosts behind the PIX can ping through to the other
    > side.
    Ram Rajadhyaksha, Jun 30, 2004
    #3
  4. Ahmet

    Site-to-Site VPN Problem HELP

    Hi all,

    I searched the Cisco site for site-to-site VPN, but I couldn't find a complete setup.
    I have prepared a setup as below, but it doesn't work. Any help/suggestion?

    In my organization, one site has a PIX 515 running version 6.3(5).
    The configuration should be as follows:
    IKE Phase I: AES-256, sha1, Group 2, 1440 min timeout
    IKE Phase II: AES-256, sha1, PFS, Group 2, 3600 sec timeout
    Remote site vpn ip: 1.1.1.1 and server ip: 1.1.1.4
    My site vpn ip: 2.2.2.1 and local server ip 192.168.16.2


    My Site
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100

    ip address outside 2.2.2.1 255.255.255.0
    ip address inside 192.168.16.1 255.255.255.0

    route outside 0.0.0.0 0.0.0.0 2.2.2.99

    isakmp enable outside

    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    isakmp key abc123 address 1.1.1.1 netmask 255.255.255.255
    crypto ipsec transform-set testset esp-aes-256 esp-sha-hmac

    access-list notnat permit ip 192.168.16.2 255.255.255.255 1.1.1.4 255.255.255.255
    access-list testvpn permit ip 192.168.16.2 255.255.255.255 1.1.1.4 255.255.255.255

    nat (inside) 0 access-list notnat

    nat (inside) 1 0 0
    global (outside) 1 2.2.2.5-2.2.2.8

    crypto map mymap 10 ipsec-isakmp
    crypto map mymap 10 match address testvpn
    crypto map mymap 10 set transform-set testset
    crypto map mymap 10 set peer 1.1.1.1
    crypto map mymap 10 set pfs group2
    crypto map mymap 10 set security-association lifetime seconds 3600
    crypto map mymap interface outside


    sysopt connection permit-ipsec
    Ahmet, Dec 18, 2008
    #4
  5. csanburn

    VPN Client access broken after site-to-site added

    I recently added a site-to-site configuration to a Pix 505E that was already working for VPN clients. Now the clients cannot connect. Debugs on the PIX show errors about the client's IP address not being valid.
    Could someone more knowledgeable about VPNs take a look at the following config and see what I'm missing?

    sysopt connection permit-ipsec
    crypto ipsec transform-set bbatrans esp-3des esp-sha-hmac
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map bba-dymap 10 set transform-set bbatrans
    crypto dynamic-map cisco 1 set transform-set strong
    crypto map bba_crypto 10 ipsec-isakmp dynamic bba-dymap
    crypto map bba_crypto client authentication RADIUS
    crypto map dyn-map 10 ipsec-isakmp dynamic cisco
    crypto map tosonicwall 20 ipsec-isakmp
    crypto map tosonicwall 20 match address pixtosnwl
    crypto map tosonicwall 20 set peer x.x.173.58
    crypto map tosonicwall 20 set transform-set ESP-3DES-SHA
    crypto map tosonicwall interface outside
    isakmp enable outside
    isakmp key ******** address x.x.173.58 netmask 255.255.255.255
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 28800
    vpngroup bba address-pool VPN
    vpngroup bba dns-server 192.168.1.5
    vpngroup bba wins-server 192.168.1.5
    vpngroup bba default-domain bba.local
    vpngroup bba split-tunnel noNAT
    vpngroup bba idle-time 1800
    vpngroup bba password ********

    Many thanks for taking the time to help me out!
    -Chris
    csanburn, Jun 29, 2009
    #5
  6. csanburn

    Missing config line

    I received the solution from a very helpful tech; I just needed to add the following line:

    crypto map tosonicwall 65535 ipsec-isakmp dynamic cisco
    csanburn, Jun 29, 2009
    #6
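    The fix in the post above works because a VPN client, having no fixed address, can only match a dynamic entry, and only in the crypto map that is actually applied to the interface it connects to. The following checker is an added example written for this thread (not code from the thread or from Cisco); it parses crypto map lines in PIX syntax and reports maps that are never bound to an interface, bound maps with no dynamic entry, and dynamic entries that do not carry the highest sequence number. The sample configs are constructed from the lines in post #5, with the one-line fix from post #6 appended to the second copy.

```python
import re

# Constructed sample modelled on the crypto map lines in post #5 above: the
# dynamic maps hang off 'bba_crypto' and 'dyn-map', neither of which is bound
# to an interface, while 'tosonicwall', the map that is bound to outside,
# carries only the static site-to-site entry. The peer address is masked as
# in the original post.
BEFORE = """
crypto dynamic-map bba-dymap 10 set transform-set bbatrans
crypto dynamic-map cisco 1 set transform-set strong
crypto map bba_crypto 10 ipsec-isakmp dynamic bba-dymap
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosnwl
crypto map tosonicwall 20 set peer x.x.173.58
crypto map tosonicwall 20 set transform-set ESP-3DES-SHA
crypto map tosonicwall interface outside
"""
# The one-line fix from post #6 appended to the same map.
AFTER = BEFORE + "crypto map tosonicwall 65535 ipsec-isakmp dynamic cisco\n"

ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")


def check_crypto_maps(config):
    """Return findings about where VPN clients can (and cannot) land.

    A client peer with no fixed address only matches a dynamic entry, and
    only in the crypto map bound to the interface it arrives on; that entry
    also needs the highest sequence number so static L2L entries win first.
    """
    bound = {}    # map name -> interface it is applied to
    entries = {}  # map name -> [(seq, dynamic-map name or None), ...]
    for line in config.splitlines():
        line = line.strip()
        if m := BIND.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := ENTRY.match(line):
            entries.setdefault(m.group(1), []).append((int(m.group(2)), m.group(3)))
    findings = []
    for name, ents in entries.items():
        dyn = [seq for seq, dmap in ents if dmap]
        if name not in bound:
            findings.append(f"crypto map {name} is not bound to any interface, so it is dead config")
        elif not dyn:
            findings.append(f"crypto map {name} on {bound[name]} has no dynamic entry: clients cannot connect")
        elif max(dyn) < max(seq for seq, _ in ents):
            findings.append(f"crypto map {name}: dynamic entry must carry the highest sequence number")
    return findings
```

Run against BEFORE it flags 'tosonicwall' as having no dynamic entry; against AFTER only the two unbound maps remain, which are harmless leftovers.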
  7. vibipa

    Route to IPSec tunnel from VPN Client

    I have the same issue.

    In my Cisco PIX-515E Version 6.3(5), I have an IPSec VPN tunnel, and home users also connect to the same firewall through the VPN client. I am unable to find a solution that allows my home users to connect to the office network and then access the remote network through the IPSec tunnel. Please help.

    Is this possible?!
    vibipa, May 30, 2011
    #7
  8. luisjimher

    Answer to this problem

    Hi!!!!

    I have a PIX 515E with a SITE TO SITE VPN to reach my central office, which has another firewall. On this PIX I have also configured a VPN CLIENT setup, and my users want to reach the networks behind that firewall (through the SITE TO SITE VPN). Yes, THIS IS POSSIBLE.

    This is the type of config I use:

    same-security-traffic permit intra-interface

    access-list inside_nat0_outbound extended permit ip 192.168.1.128 255.255.255.224 10.27.97.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.128 255.255.255.224 10.28.94.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.128 255.255.255.224 10.28.95.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.128 255.255.255.224


    access-list GXX_VPN_2_splitTunnelAcl_3 standard permit 192.168.1.0 255.255.255.0
    access-list GXX_VPN_2_splitTunnelAcl_3 standard permit 10.27.97.0 255.255.255.0
    access-list GXX_VPN_2_splitTunnelAcl_3 standard permit 10.28.94.0 255.255.255.0
    access-list GXX_VPN_2_splitTunnelAcl_3 standard permit 10.28.95.0 255.255.255.0


    access-list outside_20_cryptomap extended permit ip 192.168.1.128 255.255.255.224 10.27.97.0 255.255.255.0
    access-list outside_20_cryptomap extended permit ip 192.168.1.128 255.255.255.224 10.28.94.0 255.255.255.0
    access-list outside_20_cryptomap extended permit ip 192.168.1.128 255.255.255.224 10.28.95.0 255.255.255.0
    access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.27.97.0 255.255.255.0
    access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.28.94.0 255.255.255.0
    access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.28.95.0 255.255.255.0


    ip local pool DHCP_VPN 192.168.1.128-192.168.1.135 mask 255.255.255.0



    group-policy GXX_VPN_2 internal
    group-policy GXX_VPN_2 attributes
    wins-server value x.x.x.
    dns-server value x.x.x.x
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value GXX_VPN_2_splitTunnelAcl_3
    default-domain xxx.com.mx
    username XXXXX password dZBmhhbNIN5q6rGK encrypted


    crypto map outside_map0 2 set reverse-route
    crypto map outside_map0 2 match address outside_20_cryptomap
    crypto map outside_map0 2 set transform-set ESP-3DES-SHA


    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP


    tunnel-group GXX_VPN_2 type remote-access
    tunnel-group GXX_VPN_2 general-attributes
    address-pool DHCP_VPN
    default-group-policy GXX_VPN_2

    tunnel-group GXX_VPN_2 ipsec-attributes
    pre-shared-key *
    tunnel-group X.X.X.X type ipsec-l2l
    tunnel-group X.X.X.X ipsec-attributes
    pre-shared-key *


    This configuration works for me, but if you have problems, see the following page:

    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

    The title is: Add a Remote Access VPN to the Configuration

    See u
    luisjimher, Jun 3, 2011
    #8
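    Three things in the config above make the hairpin work: `same-security-traffic permit intra-interface` lets client traffic re-enter the outside interface it arrived on, the NAT-exempt ACL lists the client pool as a source towards every remote network, and the site-to-site crypto ACL covers the pool too (so the remote peer must mirror those entries). The checker below is an added example written for this thread, not code from the thread or from Cisco; it parses those three pieces in PIX 7.x syntax and reports any remote network that the pool cannot reach. The sample is constructed from post #8 with one nat 0 entry deliberately left out.

```python
import ipaddress
import re

# Constructed sample modelled on the hairpin config in post #8 above. The nat 0
# exemption for the client pool towards 10.28.94.0/24 is deliberately left out
# so the checker has something to report.
SAMPLE = """
same-security-traffic permit intra-interface
ip local pool DHCP_VPN 192.168.1.128-192.168.1.135 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.128 255.255.255.224 10.27.97.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.128 255.255.255.224 10.27.97.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.27.97.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.28.94.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map0 2 match address outside_20_cryptomap
"""
ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask")
INTRA = "same-security-traffic permit intra-interface"

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def hairpin_findings(config):
    """List what stops VPN-client traffic from re-entering the L2L tunnel."""
    acls, pool, nat0, crypto_acls = {}, None, None, []
    for line in config.splitlines():
        line = line.strip()
        if m := ACE.match(line):
            src, dst = net(m[2], m[3]), net(m[4], m[5])
            acls.setdefault(m[1], []).append((src, dst))
        elif m := POOL.match(line):
            pool = [ipaddress.ip_address(a) for a in m.groups()]
        elif line.startswith("nat (inside) 0 access-list "):
            nat0 = line.split()[-1]               # ACL driving NAT exemption
        elif line.startswith("crypto map ") and " match address " in line:
            crypto_acls.append(line.split()[-1])  # static L2L crypto ACLs
    findings = [] if INTRA in config else [f"missing '{INTRA}': clients cannot leave via outside"]
    if pool is None or nat0 is None:
        return findings + ["no VPN pool or no nat 0 ACL found"]
    def covers(acl, remote):  # an entry whose source holds the whole pool
        return any(all(a in s for a in pool) and d == remote for s, d in acls.get(acl, []))
    remotes = {d for acl in crypto_acls for _, d in acls.get(acl, [])}
    for remote in sorted(remotes, key=str):
        if not any(covers(acl, remote) for acl in crypto_acls):
            findings.append(f"no crypto ACL entry for pool -> {remote}")
        if not covers(nat0, remote):
            findings.append(f"{nat0} has no nat 0 exemption for pool -> {remote}")
    return findings
```

Note that the 192.168.1.0/24 crypto entries already cover the pool, since the pool is carved out of the inside subnet; only the missing nat 0 line is reported.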