PIX515 - VPN on logical interface

Discussion in 'Cisco' started by dominsz, Jun 21, 2006.

  1. dominsz

    dominsz Guest

    I would like to create a site-to-site VPN between 2 locations; let's call
    them Site A and Site B. I set up on Site A an inside (ethernet 1) and a
    logical (also on ethernet 1) interface. Site B has only an inside
    zone. Each office has a PIX 515 with version 6.3(4) running on it. I am
    able to create tunnels so that inside A can access inside B (but I need
    the logical interface of Site A to be able to access inside B and vice
    versa). I was also trying to establish a tunnel between the DMZ of Site A
    (ethernet 2 interface) and inside, but I am unable to create the
    functionality that I need. The following is what I would like to do.

    VPN connectivity:

    Logical interface (ethernet 1) of Site A can access inside of Site B
    Inside of Site B can access logical interface (ethernet 1) of Site A

    - OR - if above impossible

    DMZ (ethernet 1) of Site A can access inside of Site B
    Inside of Site B can access DMZ of Site A

    Do I need any switch to do that with a logical intf (it's a VLAN on the
    PIX, of course)?
    I have a Netgear FSM726, and I tried to filter this traffic but it
    doesn't work.


    My Config:

    PIX (Version 6.3(4)) on SITE A:
    ---------------

    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet1 vlan3 logical
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security40
    nameif vlan3 vpnnet security95
    enable password xxxxxxx encrypted
    passwd xxxxxxxx encrypted
    hostname SiteA
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 10.1.1.0 Net1
    name 193.2.2.0 Net2
    name 192.168.73.0 Net3
    access-list outbound_nat0_acl permit ip Net2 255.255.255.0 Net3 255.255.255.0
    access-list outside_cryptomap permit ip Net2 255.255.255.0 Net3 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside 192.168.1.52 255.255.255.0
    ip address inside 10.1.1.1 255.255.255.0
    no ip address dmz
    ip address vpnnet 193.2.2.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 10.1.1.2 255.255.255.255 inside
    pdm location Net3 255.255.255.0 outside
    pdm history enable
    arp timeout 14400
    global (outside) 10 192.168.1.53
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    nat (vpnnet) 0 access-list outbound_nat0_acl
    route outside 0.0.0.0 0.0.0.0 192.168.1.51 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    ntp server 11.11.11.40 source outside prefer
    http server enable
    http 10.1.1.2 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap
    crypto map outside_map 20 set peer 192.168.1.68
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 192.168.1.68 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 10.1.1.2 255.255.255.255 inside
    telnet timeout 5
    console timeout 0
    dhcpd address 10.1.1.100-10.1.1.254 inside
    dhcpd dns 192.168.1.107 192.168.1.108
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain domain.com
    dhcpd enable inside
    username admin password xxxXxxXXxx encrypted privilege 15
    terminal width 80

    PIX (Version 6.3(4)) on SITE B:
    ---------------

    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security40
    enable password xxxxxxx encrypted
    passwd xxxxxxxx encrypted
    hostname SiteB
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 10.1.1.0 Net1
    name 193.2.2.0 Net2
    name 192.168.73.0 Net3
    access-list outbound_nat0_acl permit ip Net3 255.255.255.0 Net2 255.255.255.0
    access-list outside_cryptomap permit ip Net3 255.255.255.0 Net2 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside 192.168.1.68 255.255.255.0
    ip address inside 192.168.73.1 255.255.255.0
    no ip address dmz
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 10.1.1.2 255.255.255.255 inside
    pdm location Net3 255.255.255.0 outside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (inside) 0 access-list outbound_nat0_acl
    route outside 0.0.0.0 0.0.0.0 192.168.1.67 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    ntp server 11.11.11.40 source outside prefer
    http server enable
    http 192.167.73.2 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap
    crypto map outside_map 20 set peer 192.168.1.52
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 192.168.1.52 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet timeout 5
    ssh 192.168.1.52 255.255.255.0 outside
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    username admin password xxxXxxXXxx encrypted privilege 15
    terminal width 80

    Basically, I can connect from inside (Site A - 10.1.1.0) to inside
    (Site B - 192.168.73.0) and ping any host (of course, if I set up
    tunneling between the inside interfaces). But what is most important
    for me (the above config): I cannot ping a host in 193.2.2.0 (Site A)
    from 193.168.73.0 (Site B). I cannot even ping the logical interface
    193.2.2.1 on Site A from any internal host on 193.2.2.0, but I can ping
    the inside interface 10.1.1.1 from any host on 10.1.1.0 - why?
    I have checked all the Cisco web site examples, and I cannot find a
    single example where they do something like that. Does anyone have an
    idea how to configure this (and also the switch, if it matters), or how
    to run it on interface 2 (DMZ)?

    Thanks very much in advance.
     
    dominsz, Jun 21, 2006
    #1
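As an added example (not from the post, and not a Cisco tool), a small Python consistency check over excerpts of the two PIX configs above: it checks at each site that the nat 0 ACL matches the crypto ACL, that the crypto map's transform-set name is actually defined, and that the two sites' crypto ACLs are mirror images. The excerpts are a constructed subset of the posted lines (wrapped lines rejoined, Net2/Net3 resolved); run on them, the check flags that both crypto maps reference ESP-3DES-MD5 while the only defined transform-set is vpnset.

```python
from ipaddress import ip_network

# Constructed excerpts of the two PIX 6.3 configs posted above, with the
# wrapped lines rejoined and the Net2/Net3 names resolved to their addresses.
SITE_A = """\
access-list outbound_nat0_acl permit ip 193.2.2.0 255.255.255.0 192.168.73.0 255.255.255.0
access-list outside_cryptomap permit ip 193.2.2.0 255.255.255.0 192.168.73.0 255.255.255.0
nat (vpnnet) 0 access-list outbound_nat0_acl
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_cryptomap
crypto map outside_map 20 set transform-set ESP-3DES-MD5
"""
SITE_B = """\
access-list outbound_nat0_acl permit ip 192.168.73.0 255.255.255.0 193.2.2.0 255.255.255.0
access-list outside_cryptomap permit ip 192.168.73.0 255.255.255.0 193.2.2.0 255.255.255.0
nat (inside) 0 access-list outbound_nat0_acl
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_cryptomap
crypto map outside_map 20 set transform-set ESP-3DES-MD5
"""

def parse(cfg):
    # Returns (acls, transform_sets, refs); ACL entries are (src, dst) networks.
    acls, tsets, refs = {}, set(), {}
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "access-list":          # access-list <id> permit ip S Sm D Dm
            entry = (ip_network(f"{t[4]}/{t[5]}"), ip_network(f"{t[6]}/{t[7]}"))
            acls.setdefault(t[1], []).append(entry)
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            refs["nat0"] = t[4]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets.add(t[3])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            refs["crypto_acl"] = t[6]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "transform-set"]:
            refs["tset"] = t[6]
    return acls, tsets, refs

def check(cfg_a, cfg_b):
    # Returns a list of findings; an empty list means both sides agree.
    findings, crypto = [], {}
    for site, cfg in (("A", cfg_a), ("B", cfg_b)):
        acls, tsets, refs = parse(cfg)
        crypto[site] = acls.get(refs.get("crypto_acl"), [])
        if refs.get("tset") not in tsets:
            findings.append(f"Site {site}: crypto map uses transform-set "
                            f"{refs.get('tset')!r}; defined: {sorted(tsets)}")
        if acls.get(refs.get("nat0")) != crypto[site]:
            findings.append(f"Site {site}: nat 0 ACL differs from the crypto ACL")
    # The remote crypto ACL must be the exact (dst, src) mirror of the local one.
    if crypto["A"] != [(d, s) for s, d in crypto["B"]]:
        findings.append("Crypto ACLs at A and B are not mirror images")
    return findings
```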
