Re: Pix VPN To Internal Subnet Routing

Discussion in 'Cisco' started by Brian V, Nov 29, 2006.

  1. Brian V

    Brian V Guest

    "Todd" <> wrote in message
    news:dP6bh.286$-kc.rr.com...
    > Hi,
    >
    > I am having problems creating a vpn through a PIX 515 software version
    > 7.0(4) to an internal subnet routed by a 1721 Router IOS version 12.4(3f).
    >
    > External Client/Cisco VPN Client Software
    > |
    > \ /
    > PIX (192.168.1.1 - static route to 10.10.10.0 network through router)
    > |
    > \ /
    > Internal Network (192.168.1.0 - default gw 192.168.1.1)
    > |
    > \ /
    > Cisco 1721 Router (192.168.1.7/10.10.10.254)
    > |
    > \ /
    > Internal Subnet (10.10.10.0 - default gw 10.10.10.254)
    >
    > Both internal networks can talk to one another through the router without
    > a problem. VPN to the 192. network also works fine. The problem is that
    > the VPN connection. The VPN connection assigns an address in the
    > 192.168.5.0 address range to clients.
    >
    > When clients attempt to connect to the 10.10.10.0 network they do not
    > route properly and go through the VPN Client Software. Instead, they try
    > to connect through their own lan interface. As far as I can tell, there
    > is no way to set a static route using the VPN Client Software. Even trying
    > to set the route through Windows doesn't work.
    >
    > I have considered setting up a new VPN connection at the Pix that would
    > assign a 10.10.10.?? address, however I don't think they will route back
    > through the 1721 because the address will look local.
    >
    > I can set up a new VPN connection on the PIX and it only needs to have
    > access to the 10.10.10.0 network as this will be for service connections
    > for devices only on this subnet.
    >
    > I hope this makes sense. I have used the PIX for some time, however I am
    > still far from a skilled user. The 1721 router is a new thing for me and
    > I still have a long ways to go.
    >
    > Thanks in advance.


    Should be very do-able, no need for the extra tunnel. Post the Pix config
    and we'll take a look.
     
    Brian V, Nov 29, 2006
    #1

  2. Brian V

    Todd Guest

    Brian V wrote:
    > "Todd" <> wrote in message
    > news:dP6bh.286$-kc.rr.com...
    >> Hi,
    >>
    >> I am having problems creating a vpn through a PIX 515 software version
    >> 7.0(4) to an internal subnet routed by a 1721 Router IOS version 12.4(3f).
    >>
    >> External Client/Cisco VPN Client Software
    >> |
    >> \ /
    >> PIX (192.168.1.1 - static route to 10.10.10.0 network through router)
    >> |
    >> \ /
    >> Internal Network (192.168.1.0 - default gw 192.168.1.1)
    >> |
    >> \ /
    >> Cisco 1721 Router (192.168.1.7/10.10.10.254)
    >> |
    >> \ /
    >> Internal Subnet (10.10.10.0 - default gw 10.10.10.254)
    >>
    >> Both internal networks can talk to one another through the router without
    >> a problem. VPN to the 192. network also works fine. The problem is that
    >> the VPN connection. The VPN connection assigns an address in the
    >> 192.168.5.0 address range to clients.
    >>
    >> When clients attempt to connect to the 10.10.10.0 network they do not
    >> route properly and go through the VPN Client Software. Instead, they try
    >> to connect through their own lan interface. As far as I can tell, there
    >> is no way to set a static route using the VPN Client Software. Even trying
    >> to set the route through Windows doesn't work.
    >>
    >> I have considered setting up a new VPN connection at the Pix that would
    >> assign a 10.10.10.?? address, however I don't think they will route back
    >> through the 1721 because the address will look local.
    >>
    >> I can set up a new VPN connection on the PIX and it only needs to have
    >> access to the 10.10.10.0 network as this will be for service connections
    >> for devices only on this subnet.
    >>
    >> I hope this makes sense. I have used the PIX for some time, however I am
    >> still far from a skilled user. The 1721 router is a new thing for me and
    >> I still have a long ways to go.
    >>
    >> Thanks in advance.

    >
    > Should be very do-able, no need for the extra tunnel. Post the Pix config
    > and we'll take a look.
    >
    >

    Thanks for the response Brian,

    I got to thinking after the fact. Would eliminating the split tunnel
    solve the routing issue?

    Here is the config (hopefully I didn't strip and mangle too much):

    : Saved
    : Written by enable_15 at 23:02:02.116 CST Tue Nov 28 2006
    !
    PIX Version 7.0(4)
    !
    hostname pix
    domain-name xxxxxxxx.local
    no names
    !
    interface Ethernet0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address xxx.xxx.xxx.xxx 255.255.255.0
    !
    interface Ethernet1
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet2
    speed 10
    duplex half
    nameif public
    security-level 50
    ip address 192.168.3.1 255.255.255.0
    !
    boot system flash:/pix704.bin
    ftp mode passive
    access-list outside_acl extended permit icmp any any echo-reply
    access-list outside_acl extended permit icmp any any time-exceeded
    access-list outside_acl extended permit icmp any any unreachable
    access-list outside_acl extended permit tcp any any eq https
access-list public_acl extended permit icmp any object-group og_ip_nat_public echo-reply
access-list public_acl extended permit icmp any object-group og_ip_nat_public time-exceeded
access-list public_acl extended permit icmp any object-group og_ip_nat_public unreachable
    access-list public_acl extended deny ip any object-group og_ip_nat_public
    access-list public_acl extended permit ip any any
access-list vpnXXXXXXX_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_outbound_nat0_acl extended permit ip any 192.168.5.0 255.255.255.128
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.5.0 255.255.255.128
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.5.0 255.255.255.128
access-list vpnXXXXXXXXX_splitTunnelAcl extended permit ip 192.168.3.0 255.255.255.0 any
access-list public_outbound_nat0_acl extended permit ip any 192.168.50.0 255.255.255.128
access-list outside_cryptomap_dyn_60 extended permit ip any 192.168.50.0 255.255.255.128
    access-list inside_access_in remark Block SMB over TCP to outside
    access-list inside_access_in extended deny tcp any any eq 445
    access-list inside_access_in extended permit ip any any
access-list vpn_XXX-XXXX_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging monitor alerts
    logging buffered alerts
    logging trap informational
    logging asdm alerts
    logging facility 23
    logging queue 100
    logging host inside 192.168.1.XXX
    mtu outside 1500
    mtu inside 1500
    mtu public 1500
    ip local pool xxxxxxxxpool 192.168.5.1-192.168.5.100
    ip local pool XXXXXXpool 192.168.50.1-192.168.50.100
    ip verify reverse-path interface outside
    asdm image flash:/asdm-504.bin
    asdm group og_ip_nat_public_real inside
    asdm group og_ip_nat_public public reference og_ip_nat_public_real
    arp timeout 14400
    nat-control
    global (outside) 1 XXX.XXX.XXX.XXX netmask 255.255.255.0
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (public) 0 access-list public_outbound_nat0_acl
    nat (public) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XXX.XXX.XXX.XXX https 192.168.1.XXX https netmask 255.255.255.255
    access-group outside_acl in interface outside
    access-group inside_access_in in interface inside
    access-group public_acl in interface public
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
    route inside 10.10.10.0 255.255.255.0 192.168.1.7 1
    route inside 192.168.2.0 255.255.255.0 192.168.1.220 1
    route inside 192.168.0.0 255.255.255.0 192.168.1.126 1
    timeout xlate 1:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS host 192.168.1.XXX
    key XXXXXXXXXXXXXXXXXX
    group-policy XXX_XXX-XXXX internal
    group-policy XXX_XXX-XXXX attributes
    wins-server value 192.168.1.XXX 192.168.1.XXX
    dns-server value 192.168.1.XXX 192.168.1.XXX
    vpn-idle-timeout 30
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value XXX_XXX-XXXX_splitTunnelAcl
    default-domain value XXXXX.local
    group-policy vpnXXXXXXX internal
    group-policy vpnXXXXXXX attributes
    wins-server value 192.168.1.XXX
    dns-server value 192.168.1.XXX
    vpn-idle-timeout 30
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnXXXXXXX_splitTunnelAcl
    default-domain value XXXXXXXX
    group-policy vpnXXXXXXXXX internal
    group-policy vpnXXXXXXXXX attributes
    wins-server value 192.168.3.XXX
    dns-server value 192.168.3.XXX
    vpn-idle-timeout 30
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnXXXXXXXXX_splitTunnelAcl
    default-domain value XXXXXXX
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    fragment chain 1 outside
    fragment chain 1 inside
    fragment chain 1 public
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 65535 authentication pre-share
    isakmp policy 65535 encryption 3des
    isakmp policy 65535 hash sha
    isakmp policy 65535 group 2
    isakmp policy 65535 lifetime 86400
    tunnel-group DefaultRAGroup general-attributes
    authentication-server-group (outside) RADIUS
    tunnel-group vpnXXXXXXX type ipsec-ra
    tunnel-group vpnXXXXXXX general-attributes
    address-pool xxxxxxxxpool
    authentication-server-group (outside) RADIUS
    default-group-policy vpnxxxxxxx
    tunnel-group vpnxxxxxxx ipsec-attributes
    pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXX
    tunnel-group vpnxxxxxxxxx type ipsec-ra
    tunnel-group vpnxxxxxxxxx general-attributes
    address-pool xxxxxxpool
    authentication-server-group (outside) RADIUS
    default-group-policy vpnxxxxxxxxx
    tunnel-group vpnxxxxxxxxx ipsec-attributes
    pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXX
    tunnel-group vpn_xxx-xxxx type ipsec-ra
    tunnel-group vpn_xxx-xxxx general-attributes
    address-pool xxxxxxxxpool
    authentication-server-group (outside) RADIUS
    default-group-policy xxx_xxx-xxxx
    tunnel-group xxx_xxx-xxxx ipsec-attributes
    pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.5.0 255.255.255.0 inside
    telnet timeout 10
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 5
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect http
    inspect ils
    inspect netbios
    inspect pptp
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    ntp server 192.168.1.xxx source inside prefer
    tftp-server inside 192.168.1.xxx
    Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    : end
     
    Todd, Nov 29, 2006
    #2

  3. Brian V

    Brian V Guest

    "Todd" <> wrote in message
    news:KPhbh.2253$-kc.rr.com...
    > Brian V wrote:
    >> "Todd" <> wrote in message
    >> news:dP6bh.286$-kc.rr.com...
    >>> Hi,
    >>>
    >>> I am having problems creating a vpn through a PIX 515 software version
    >>> 7.0(4) to an internal subnet routed by a 1721 Router IOS version
    >>> 12.4(3f).
    >>>
    >>> External Client/Cisco VPN Client Software
    >>> |
    >>> \ /
    >>> PIX (192.168.1.1 - static route to 10.10.10.0 network through router)
    >>> |
    >>> \ /
    >>> Internal Network (192.168.1.0 - default gw 192.168.1.1)
    >>> |
    >>> \ /
    >>> Cisco 1721 Router (192.168.1.7/10.10.10.254)
    >>> |
    >>> \ /
    >>> Internal Subnet (10.10.10.0 - default gw 10.10.10.254)
    >>>
    >>> Both internal networks can talk to one another through the router
    >>> without a problem. VPN to the 192. network also works fine. The
    >>> problem is that the VPN connection. The VPN connection assigns an
    >>> address in the 192.168.5.0 address range to clients.
    >>>
    >>> When clients attempt to connect to the 10.10.10.0 network they do not
    >>> route properly and go through the VPN Client Software. Instead, they
    >>> try to connect through their own lan interface. As far as I can tell,
    >>> there is no way to set a static route using the VPN Client Software.
    >>> Even trying to set the route through Windows doesn't work.
    >>>
    >>> I have considered setting up a new VPN connection at the Pix that would
    >>> assign a 10.10.10.?? address, however I don't think they will route back
    >>> through the 1721 because the address will look local.
    >>>
    >>> I can set up a new VPN connection on the PIX and it only needs to have
    >>> access to the 10.10.10.0 network as this will be for service connections
    >>> for devices only on this subnet.
    >>>
    >>> I hope this makes sense. I have used the PIX for some time, however I am
    >>> still far from a skilled user. The 1721 router is a new thing for me
    >>> and I still have a long ways to go.
    >>>
    >>> Thanks in advance.

    >>
    >> Should be very do-able, no need for the extra tunnel. Post the Pix config
    >> and we'll take a look.

    > Thanks for the response Brian,
    >
    > I got to thinking after the fact. Would eliminating the split tunnel
    > solve the routing issue?
    >
    > Here is the config (hopefully I didn't strip and mangle too much):
    >
    > : Saved
    > : Written by enable_15 at 23:02:02.116 CST Tue Nov 28 2006
    > !
    > PIX Version 7.0(4)
    > !
    > hostname pix
    > domain-name xxxxxxxx.local
    > no names
    > !
    > interface Ethernet0
    > speed 100
    > duplex full
    > nameif outside
    > security-level 0
    > ip address xxx.xxx.xxx.xxx 255.255.255.0
    > !
    > interface Ethernet1
    > speed 100
    > duplex full
    > nameif inside
    > security-level 100
    > ip address 192.168.1.1 255.255.255.0
    > !
    > interface Ethernet2
    > speed 10
    > duplex half
    > nameif public
    > security-level 50
    > ip address 192.168.3.1 255.255.255.0
    > !
    > boot system flash:/pix704.bin
    > ftp mode passive
    > access-list outside_acl extended permit icmp any any echo-reply
    > access-list outside_acl extended permit icmp any any time-exceeded
    > access-list outside_acl extended permit icmp any any unreachable
    > access-list outside_acl extended permit tcp any any eq https
    > access-list public_acl extended permit icmp any object-group
    > og_ip_nat_public echo-reply
    > access-list public_acl extended permit icmp any object-group
    > og_ip_nat_public time-exceeded
    > access-list public_acl extended permit icmp any object-group
    > og_ip_nat_public unreachable
    > access-list public_acl extended deny ip any object-group og_ip_nat_public
    > access-list public_acl extended permit ip any any
    > access-list vpnXXXXXXX_splitTunnelAcl extended permit ip 192.168.1.0
    > 255.255.255.0 any
    > access-list inside_outbound_nat0_acl extended permit ip any 192.168.5.0
    > 255.255.255.128
    > access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.5.0
    > 255.255.255.128
    > access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.5.0
    > 255.255.255.128
    > access-list vpnXXXXXXXXX_splitTunnelAcl extended permit ip 192.168.3.0
    > 255.255.255.0 any
    > access-list public_outbound_nat0_acl extended permit ip any 192.168.50.0
    > 255.255.255.128
    > access-list outside_cryptomap_dyn_60 extended permit ip any 192.168.50.0
    > 255.255.255.128
    > access-list inside_access_in remark Block SMB over TCP to outside
    > access-list inside_access_in extended deny tcp any any eq 445
    > access-list inside_access_in extended permit ip any any
    > access-list vpn_XXX-XXXX_splitTunnelAcl extended permit ip 192.168.1.0
    > 255.255.255.0 any
    > pager lines 24
    > logging enable
    > logging monitor alerts
    > logging buffered alerts
    > logging trap informational
    > logging asdm alerts
    > logging facility 23
    > logging queue 100
    > logging host inside 192.168.1.XXX
    > mtu outside 1500
    > mtu inside 1500
    > mtu public 1500
    > ip local pool xxxxxxxxpool 192.168.5.1-192.168.5.100
    > ip local pool XXXXXXpool 192.168.50.1-192.168.50.100
    > ip verify reverse-path interface outside
    > asdm image flash:/asdm-504.bin
    > asdm group og_ip_nat_public_real inside
    > asdm group og_ip_nat_public public reference og_ip_nat_public_real
    > arp timeout 14400
    > nat-control
    > global (outside) 1 XXX.XXX.XXX.XXX netmask 255.255.255.0
    > nat (inside) 0 access-list inside_outbound_nat0_acl
    > nat (inside) 1 0.0.0.0 0.0.0.0
    > nat (public) 0 access-list public_outbound_nat0_acl
    > nat (public) 1 0.0.0.0 0.0.0.0
    > static (inside,outside) tcp XXX.XXX.XXX.XXX https 192.168.1.XXX https
    > netmask 255.255.255.255
    > access-group outside_acl in interface outside
    > access-group inside_access_in in interface inside
    > access-group public_acl in interface public
    > route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
    > route inside 10.10.10.0 255.255.255.0 192.168.1.7 1
    > route inside 192.168.2.0 255.255.255.0 192.168.1.220 1
    > route inside 192.168.0.0 255.255.255.0 192.168.1.126 1
    > timeout xlate 1:00:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    > timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server RADIUS protocol radius
    > aaa-server RADIUS host 192.168.1.XXX
    > key XXXXXXXXXXXXXXXXXX
    > group-policy XXX_XXX-XXXX internal
    > group-policy XXX_XXX-XXXX attributes
    > wins-server value 192.168.1.XXX 192.168.1.XXX
    > dns-server value 192.168.1.XXX 192.168.1.XXX
    > vpn-idle-timeout 30
    > split-tunnel-policy tunnelspecified
    > split-tunnel-network-list value XXX_XXX-XXXX_splitTunnelAcl
    > default-domain value XXXXX.local
    > group-policy vpnXXXXXXX internal
    > group-policy vpnXXXXXXX attributes
    > wins-server value 192.168.1.XXX
    > dns-server value 192.168.1.XXX
    > vpn-idle-timeout 30
    > split-tunnel-policy tunnelspecified
    > split-tunnel-network-list value vpnXXXXXXX_splitTunnelAcl
    > default-domain value XXXXXXXX
    > group-policy vpnXXXXXXXXX internal
    > group-policy vpnXXXXXXXXX attributes
    > wins-server value 192.168.3.XXX
    > dns-server value 192.168.3.XXX
    > vpn-idle-timeout 30
    > split-tunnel-policy tunnelspecified
    > split-tunnel-network-list value vpnXXXXXXXXX_splitTunnelAcl
    > default-domain value XXXXXXX
    > http server enable
    > http 192.168.1.0 255.255.255.0 inside
    > fragment chain 1 outside
    > fragment chain 1 inside
    > fragment chain 1 public
    > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    > crypto dynamic-map outside_dyn_map 20 match address
    > outside_cryptomap_dyn_20
    > crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    > crypto dynamic-map outside_dyn_map 40 match address
    > outside_cryptomap_dyn_40
    > crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    > crypto dynamic-map outside_dyn_map 60 match address
    > outside_cryptomap_dyn_60
    > crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
    > crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    > crypto map outside_map interface outside
    > isakmp enable outside
    > isakmp policy 20 authentication pre-share
    > isakmp policy 20 encryption 3des
    > isakmp policy 20 hash md5
    > isakmp policy 20 group 2
    > isakmp policy 20 lifetime 86400
    > isakmp policy 65535 authentication pre-share
    > isakmp policy 65535 encryption 3des
    > isakmp policy 65535 hash sha
    > isakmp policy 65535 group 2
    > isakmp policy 65535 lifetime 86400
    > tunnel-group DefaultRAGroup general-attributes
    > authentication-server-group (outside) RADIUS
    > tunnel-group vpnXXXXXXX type ipsec-ra
    > tunnel-group vpnXXXXXXX general-attributes
    > address-pool xxxxxxxxpool
    > authentication-server-group (outside) RADIUS
    > default-group-policy vpnxxxxxxx
    > tunnel-group vpnxxxxxxx ipsec-attributes
    > pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXX
    > tunnel-group vpnxxxxxxxxx type ipsec-ra
    > tunnel-group vpnxxxxxxxxx general-attributes
    > address-pool xxxxxxpool
    > authentication-server-group (outside) RADIUS
    > default-group-policy vpnxxxxxxxxx
    > tunnel-group vpnxxxxxxxxx ipsec-attributes
    > pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXX
    > tunnel-group vpn_xxx-xxxx type ipsec-ra
    > tunnel-group vpn_xxx-xxxx general-attributes
    > address-pool xxxxxxxxpool
    > authentication-server-group (outside) RADIUS
    > default-group-policy xxx_xxx-xxxx
    > tunnel-group xxx_xxx-xxxx ipsec-attributes
    > pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    > telnet 192.168.1.0 255.255.255.0 inside
    > telnet 192.168.2.0 255.255.255.0 inside
    > telnet 192.168.5.0 255.255.255.0 inside
    > telnet timeout 10
    > ssh 192.168.1.0 255.255.255.0 inside
    > ssh timeout 5
    > ssh version 2
    > console timeout 5
    > !
    > class-map inspection_default
    > match default-inspection-traffic
    > !
    > !
    > policy-map global_policy
    > class inspection_default
    > inspect dns maximum-length 512
    > inspect ftp
    > inspect h323 h225
    > inspect h323 ras
    > inspect http
    > inspect ils
    > inspect netbios
    > inspect pptp
    > inspect rsh
    > inspect rtsp
    > inspect skinny
    > inspect esmtp
    > inspect sqlnet
    > inspect sunrpc
    > inspect tftp
    > inspect sip
    > inspect xdmcp
    > !
    > service-policy global_policy global
    > ntp server 192.168.1.xxx source inside prefer
    > tftp-server inside 192.168.1.xxx
    > Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    > : end


LOL, mangled way too much, better safe than sorry tho..... No, no need to get
rid of the split tunnel lists to make this work, but it is a security risk.
I hate split tunnels, opens way too many holes into the network. Every
single VPN user puts your entire security policy at risk, they now have
direct pipes into your network, any one of those users could be compromised
and there is nothing you can do about it while allowing split tunneling.
Here's where to start.
1. You need to get rid of the "any" statements in your crypto maps, no nat
lists and split tunnel lists. You should be using network specific entries
there, ie 10.10.10.0/24 is allowed to talk to 192.168.50.0/25.
2. Does the 1721 know where the 192.168.50.0/29 subnet is? Do you have a
default router or a network specific route pointing to the Pix?
3. Not related to the VPN, but you should remove the netmask 255.255.255.0
off your outside global, no need for a mask there and can cause some
funkyness (that's a technical term).
     
    Brian V, Nov 29, 2006
    #3
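The split-tunnel behaviour Todd describes and the "any" entries Brian lists under point 1 can both be checked mechanically against the ACL lines in the posted config. The Python below is an added example written for this thread; it is not code from Todd, Brian or Cisco. It parses the three "any"-bearing ACLs exactly as posted, models the VPN client's rule that a destination is sent into the tunnel only when it falls inside the source network of a permit entry in the split-tunnel list (which is why 10.10.10.x goes out the client's own LAN interface today), flags every entry with `any` on either side, and does a longest-prefix lookup over the posted `route` lines to confirm the PIX already forwards 10.10.10.0/24 toward 192.168.1.7. The PROPOSED_ACLS lines are a constructed, network-specific rewrite (assumed: the 192.168.5.0/25 pool talking only to 192.168.1.0/24 and 10.10.10.0/24), shown to illustrate Brian's point rather than as a tested PIX configuration; the 1721's own route table is not in the thread, so nothing here can answer his point 2.

```python
"""Added example for this thread: model the posted PIX split-tunnel, nat0 and
crypto ACLs, and the posted static routes. Not the poster's running config."""
import ipaddress
import re

# ACL lines exactly as posted (names with X's are the poster's redactions).
POSTED_ACLS = [
    "access-list vpnXXXXXXX_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any",
    "access-list inside_outbound_nat0_acl extended permit ip any 192.168.5.0 255.255.255.128",
    "access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.5.0 255.255.255.128",
]

# Hypothetical network-specific replacements (constructed here, not from the thread):
# the 192.168.5.0/25 client pool may reach 192.168.1.0/24 and 10.10.10.0/24 only.
PROPOSED_ACLS = [
    "access-list vpnXXXXXXX_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.128",
    "access-list vpnXXXXXXX_splitTunnelAcl extended permit ip 10.10.10.0 255.255.255.0 192.168.5.0 255.255.255.128",
    "access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.128",
    "access-list inside_outbound_nat0_acl extended permit ip 10.10.10.0 255.255.255.0 192.168.5.0 255.255.255.128",
    "access-list outside_cryptomap_dyn_20 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.128",
    "access-list outside_cryptomap_dyn_20 extended permit ip 10.10.10.0 255.255.255.0 192.168.5.0 255.255.255.128",
]

# Static routes as posted (the default gateway is redacted in the thread).
POSTED_ROUTES = [
    "route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1",
    "route inside 10.10.10.0 255.255.255.0 192.168.1.7 1",
    "route inside 192.168.2.0 255.255.255.0 192.168.1.220 1",
    "route inside 192.168.0.0 255.255.255.0 192.168.1.126 1",
]

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl(lines):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for 'permit/deny ip' entries."""
    acls = {}
    for line in lines:
        m = re.match(r"access-list\s+(\S+)\s+extended\s+(permit|deny)\s+ip\s+(.*)", line.strip())
        if not m:
            continue  # remarks, icmp/tcp entries etc. are not needed for this check
        name, action, rest = m.groups()
        src, rest = _net(rest.split())
        dst, _ = _net(rest)
        acls.setdefault(name, []).append((action, src, dst))
    return acls


def tunneled(split_list, dest):
    """Client-side split-tunnel decision: the VPN client routes a destination into the
    tunnel only if it lies inside the source network of a permit entry (assumption:
    extended ACL with the protected network in the source field, as posted)."""
    d = ipaddress.ip_address(dest)
    return any(action == "permit" and d in src for action, src, _ in split_list)


def broad_entries(acls):
    """Brian's point 1: every entry whose source or destination is 'any'."""
    return [(name, i) for name, entries in acls.items()
            for i, (_, src, dst) in enumerate(entries) if src == ANY or dst == ANY]


def next_hop(routes, dest):
    """Longest-prefix match over 'route IFACE NET MASK GW METRIC' lines -> (iface, gw)."""
    d = ipaddress.ip_address(dest)
    best = None
    for line in routes:
        _, iface, net, mask, gw, _metric = line.split()
        n = ipaddress.ip_network(f"{net}/{mask}")
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface, gw)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    posted = parse_acl(POSTED_ACLS)
    split = posted["vpnXXXXXXX_splitTunnelAcl"]
    for dest in ("192.168.1.50", "10.10.10.5"):
        print(f"posted split list: {dest} tunneled? {tunneled(split, dest)}")
    print("posted 'any' entries:", broad_entries(posted))
    proposed = parse_acl(PROPOSED_ACLS)
    print("proposed: 10.10.10.5 tunneled?",
          tunneled(proposed["vpnXXXXXXX_splitTunnelAcl"], "10.10.10.5"))
    print("proposed 'any' entries:", broad_entries(proposed))
    print("PIX next hop for 10.10.10.5:", next_hop(POSTED_ROUTES, "10.10.10.5"))
```

Run as-is it shows 192.168.1.50 tunneled and 10.10.10.5 not tunneled under the posted list, three "any" entries in the posted ACLs and none in the proposed ones, and the PIX sending 10.10.10.5 to 192.168.1.7 on inside. Adding 10.10.10.0/24 to the split-tunnel list fixes the client-side routing; the nat0 and crypto entries then have to name the same pair of networks so the returning traffic is exempted from NAT and matched to the tunnel, and the 1721 still needs a route for the 192.168.5.0/25 pool pointing back at 192.168.1.1.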
  4. Brian V

    Todd Guest

    Brian V wrote:
    > "Todd" <> wrote in message
    > news:KPhbh.2253$-kc.rr.com...
    >> Brian V wrote:
    >>> "Todd" <> wrote in message
    >>> news:dP6bh.286$-kc.rr.com...
    >>>> Hi,
    >>>>
    >>>> I am having problems creating a vpn through a PIX 515 software version
    >>>> 7.0(4) to an internal subnet routed by a 1721 Router IOS version
    >>>> 12.4(3f).
    >>>>
    >>>> External Client/Cisco VPN Client Software
    >>>> |
    >>>> \ /
    >>>> PIX (192.168.1.1 - static route to 10.10.10.0 network through router)
    >>>> |
    >>>> \ /
    >>>> Internal Network (192.168.1.0 - default gw 192.168.1.1)
    >>>> |
    >>>> \ /
    >>>> Cisco 1721 Router (192.168.1.7/10.10.10.254)
    >>>> |
    >>>> \ /
    >>>> Internal Subnet (10.10.10.0 - default gw 10.10.10.254)
    >>>>
    >>>> Both internal networks can talk to one another through the router
    >>>> without a problem. VPN to the 192. network also works fine. The
    >>>> problem is that the VPN connection. The VPN connection assigns an
    >>>> address in the 192.168.5.0 address range to clients.
    >>>>
    >>>> When clients attempt to connect to the 10.10.10.0 network they do not
    >>>> route properly and go through the VPN Client Software. Instead, they
    >>>> try to connect through their own lan interface. As far as I can tell,
    >>>> there is no way to set a static route using the VPN Client Software.
    >>>> Even trying to set the route through Windows doesn't work.
    >>>>
    >>>> I have considered setting up a new VPN connection at the Pix that would
    >>>> assign a 10.10.10.?? address, however I don't think they will route back
    >>>> through the 1721 because the address will look local.
    >>>>
    >>>> I can set up a new VPN connection on the PIX and it only needs to have
    >>>> access to the 10.10.10.0 network as this will be for service connections
    >>>> for devices only on this subnet.
    >>>>
    >>>> I hope this makes sense. I have used the PIX for some time, however I am
    >>>> still far from a skilled user. The 1721 router is a new thing for me
    >>>> and I still have a long ways to go.
    >>>>
    >>>> Thanks in advance.
    >>> Should be very do-able, no need for the extra tunnel. Post the Pix config
    >>> and we'll take a look.

    >> Thanks for the response Brian,
    >>
    >> I got to thinking after the fact. Would eliminating the split tunnel
    >> solve the routing issue?
    >>
    >> Here is the config (hopefully I didn't strip and mangle too much):
    >>
    >> : Saved
    >> : Written by enable_15 at 23:02:02.116 CST Tue Nov 28 2006
    >> !
    >> PIX Version 7.0(4)
    >> !
    >> hostname pix
    >> domain-name xxxxxxxx.local
    >> no names
    >> !
    >> interface Ethernet0
    >> speed 100
    >> duplex full
    >> nameif outside
    >> security-level 0
    >> ip address xxx.xxx.xxx.xxx 255.255.255.0
    >> !
    >> interface Ethernet1
    >> speed 100
    >> duplex full
    >> nameif inside
    >> security-level 100
    >> ip address 192.168.1.1 255.255.255.0
    >> !
    >> interface Ethernet2
    >> speed 10
    >> duplex half
    >> nameif public
    >> security-level 50
    >> ip address 192.168.3.1 255.255.255.0
    >> !
    >> boot system flash:/pix704.bin
    >> ftp mode passive
    >> access-list outside_acl extended permit icmp any any echo-reply
    >> access-list outside_acl extended permit icmp any any time-exceeded
    >> access-list outside_acl extended permit icmp any any unreachable
    >> access-list outside_acl extended permit tcp any any eq https
    >> access-list public_acl extended permit icmp any object-group
    >> og_ip_nat_public echo-reply
    >> access-list public_acl extended permit icmp any object-group
    >> og_ip_nat_public time-exceeded
    >> access-list public_acl extended permit icmp any object-group
    >> og_ip_nat_public unreachable
    >> access-list public_acl extended deny ip any object-group og_ip_nat_public
    >> access-list public_acl extended permit ip any any
    >> access-list vpnXXXXXXX_splitTunnelAcl extended permit ip 192.168.1.0
    >> 255.255.255.0 any
    >> access-list inside_outbound_nat0_acl extended permit ip any 192.168.5.0
    >> 255.255.255.128
    >> access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.5.0
    >> 255.255.255.128
    >> access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.5.0
    >> 255.255.255.128
    >> access-list vpnXXXXXXXXX_splitTunnelAcl extended permit ip 192.168.3.0
    >> 255.255.255.0 any
    >> access-list public_outbound_nat0_acl extended permit ip any 192.168.50.0
    >> 255.255.255.128
    >> access-list outside_cryptomap_dyn_60 extended permit ip any 192.168.50.0
    >> 255.255.255.128
    >> access-list inside_access_in remark Block SMB over TCP to outside
    >> access-list inside_access_in extended deny tcp any any eq 445
    >> access-list inside_access_in extended permit ip any any
    >> access-list vpn_XXX-XXXX_splitTunnelAcl extended permit ip 192.168.1.0
    >> 255.255.255.0 any
    >> pager lines 24
    >> logging enable
    >> logging monitor alerts
    >> logging buffered alerts
    >> logging trap informational
    >> logging asdm alerts
    >> logging facility 23
    >> logging queue 100
    >> logging host inside 192.168.1.XXX
    >> mtu outside 1500
    >> mtu inside 1500
    >> mtu public 1500
    >> ip local pool xxxxxxxxpool 192.168.5.1-192.168.5.100
    >> ip local pool XXXXXXpool 192.168.50.1-192.168.50.100
    >> ip verify reverse-path interface outside
    >> asdm image flash:/asdm-504.bin
    >> asdm group og_ip_nat_public_real inside
    >> asdm group og_ip_nat_public public reference og_ip_nat_public_real
    >> arp timeout 14400
    >> nat-control
    >> global (outside) 1 XXX.XXX.XXX.XXX netmask 255.255.255.0
    >> nat (inside) 0 access-list inside_outbound_nat0_acl
    >> nat (inside) 1 0.0.0.0 0.0.0.0
    >> nat (public) 0 access-list public_outbound_nat0_acl
    >> nat (public) 1 0.0.0.0 0.0.0.0
    >> static (inside,outside) tcp XXX.XXX.XXX.XXX https 192.168.1.XXX https
    >> netmask 255.255.255.255
    >> access-group outside_acl in interface outside
    >> access-group inside_access_in in interface inside
    >> access-group public_acl in interface public
    >> route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
    >> route inside 10.10.10.0 255.255.255.0 192.168.1.7 1
    >> route inside 192.168.2.0 255.255.255.0 192.168.1.220 1
    >> route inside 192.168.0.0 255.255.255.0 192.168.1.126 1
    >> timeout xlate 1:00:00
    >> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    >> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    >> timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    >> timeout uauth 0:05:00 absolute
    >> aaa-server TACACS+ protocol tacacs+
    >> aaa-server RADIUS protocol radius
    >> aaa-server RADIUS host 192.168.1.XXX
    >> key XXXXXXXXXXXXXXXXXX
    >> group-policy XXX_XXX-XXXX internal
    >> group-policy XXX_XXX-XXXX attributes
    >> wins-server value 192.168.1.XXX 192.168.1.XXX
    >> dns-server value 192.168.1.XXX 192.168.1.XXX
    >> vpn-idle-timeout 30
    >> split-tunnel-policy tunnelspecified
    >> split-tunnel-network-list value XXX_XXX-XXXX_splitTunnelAcl
    >> default-domain value XXXXX.local
    >> group-policy vpnXXXXXXX internal
    >> group-policy vpnXXXXXXX attributes
    >> wins-server value 192.168.1.XXX
    >> dns-server value 192.168.1.XXX
    >> vpn-idle-timeout 30
    >> split-tunnel-policy tunnelspecified
    >> split-tunnel-network-list value vpnXXXXXXX_splitTunnelAcl
    >> default-domain value XXXXXXXX
    >> group-policy vpnXXXXXXXXX internal
    >> group-policy vpnXXXXXXXXX attributes
    >> wins-server value 192.168.3.XXX
    >> dns-server value 192.168.3.XXX
    >> vpn-idle-timeout 30
    >> split-tunnel-policy tunnelspecified
    >> split-tunnel-network-list value vpnXXXXXXXXX_splitTunnelAcl
    >> default-domain value XXXXXXX
    >> http server enable
    >> http 192.168.1.0 255.255.255.0 inside
    >> fragment chain 1 outside
    >> fragment chain 1 inside
    >> fragment chain 1 public
    >> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    >> crypto dynamic-map outside_dyn_map 20 match address
    >> outside_cryptomap_dyn_20
    >> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    >> crypto dynamic-map outside_dyn_map 40 match address
    >> outside_cryptomap_dyn_40
    >> crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    >> crypto dynamic-map outside_dyn_map 60 match address
    >> outside_cryptomap_dyn_60
    >> crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
    >> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    >> crypto map outside_map interface outside
    >> isakmp enable outside
    >> isakmp policy 20 authentication pre-share
    >> isakmp policy 20 encryption 3des
    >> isakmp policy 20 hash md5
    >> isakmp policy 20 group 2
    >> isakmp policy 20 lifetime 86400
    >> isakmp policy 65535 authentication pre-share
    >> isakmp policy 65535 encryption 3des
    >> isakmp policy 65535 hash sha
    >> isakmp policy 65535 group 2
    >> isakmp policy 65535 lifetime 86400
    >> tunnel-group DefaultRAGroup general-attributes
    >> authentication-server-group (outside) RADIUS
    >> tunnel-group vpnXXXXXXX type ipsec-ra
    >> tunnel-group vpnXXXXXXX general-attributes
    >> address-pool xxxxxxxxpool
    >> authentication-server-group (outside) RADIUS
    >> default-group-policy vpnxxxxxxx
    >> tunnel-group vpnxxxxxxx ipsec-attributes
    >> pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXX
    >> tunnel-group vpnxxxxxxxxx type ipsec-ra
    >> tunnel-group vpnxxxxxxxxx general-attributes
    >> address-pool xxxxxxpool
    >> authentication-server-group (outside) RADIUS
    >> default-group-policy vpnxxxxxxxxx
    >> tunnel-group vpnxxxxxxxxx ipsec-attributes
    >> pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXX
    >> tunnel-group vpn_xxx-xxxx type ipsec-ra
    >> tunnel-group vpn_xxx-xxxx general-attributes
    >> address-pool xxxxxxxxpool
    >> authentication-server-group (outside) RADIUS
    >> default-group-policy xxx_xxx-xxxx
    >> tunnel-group xxx_xxx-xxxx ipsec-attributes
    >> pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    >> telnet 192.168.1.0 255.255.255.0 inside
    >> telnet 192.168.2.0 255.255.255.0 inside
    >> telnet 192.168.5.0 255.255.255.0 inside
    >> telnet timeout 10
    >> ssh 192.168.1.0 255.255.255.0 inside
    >> ssh timeout 5
    >> ssh version 2
    >> console timeout 5
    >> !
    >> class-map inspection_default
    >> match default-inspection-traffic
    >> !
    >> !
    >> policy-map global_policy
    >> class inspection_default
    >> inspect dns maximum-length 512
    >> inspect ftp
    >> inspect h323 h225
    >> inspect h323 ras
    >> inspect http
    >> inspect ils
    >> inspect netbios
    >> inspect pptp
    >> inspect rsh
    >> inspect rtsp
    >> inspect skinny
    >> inspect esmtp
    >> inspect sqlnet
    >> inspect sunrpc
    >> inspect tftp
    >> inspect sip
    >> inspect xdmcp
    >> !
    >> service-policy global_policy global
    >> ntp server 192.168.1.xxx source inside prefer
    >> tftp-server inside 192.168.1.xxx
    >> Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    >> : end

    >
    > LOL, Mangled way too much, better safe than sorry tho.....No, no need to get
    > rid of the split tunnel lists to make this work, but it is a security risk,
    > I hate split tunnels, opens way too many holes into the network. Every
    > single VPN user puts your entire security policy at risk, they now have
    > direct pipes into your network, any one of those users could be compromised
    > and there is nothing you can do about it while allowing split tunneling.
    > Here's where to start.


    Yes, I hate the split tunnels as well, however there is one consultant
    who needs access to his corporate servers while working on our systems.
    Doing what he does, he needs to get some files. I may have to work on
    that though.

    > 1, You need to get rid of the "any" statements in your crypto maps, no nat
    > lists and split tunnel lists. You should be using network specific entries
    > there, ie 10.10.10.0/24 is allowed to talk to 192.168.50.0/25.


    I'm not at work now, however I will clean that up.

    > 2, Does the 1721 know where the 192.168.50.0/29 subnet is? Do you have a
    > default router or a network specific route pointing to the Pix?


    The public interface (192.168.3.1) and the inside interface
    (192.168.1.1) should not have any traffic between them (except for two
    printers that are shared and have specific rules that I deleted because
    they really were not relevant to this issue). The 192.168.50.0 subnet
    is the address pool for vpn into the 192.168.3.0 subnet. The
    192.168.5.0 subnet is the address pool for vpn into the 192.168.1.0
    subnet. The 1721 resides on the 192.168.1.0 subnet and should not be
    aware of 192.168.3.0 or 192.168.50.0.

    The default network gateway for the 192.168.1.0 subnet is the PIX
    (192.168.1.1). The default network gateway for the 10.10.10.0 subnet is
    the 1721 (10.10.10.254). The default gateway for the 1721 is the PIX
    (192.168.1.1).

    > 3, Not related to the VPN, but you should remove the netmask 255.255.255.0
    > off your outside global, no need for a mask there and can cause some
    > funkyness (that's a technical term).


    I too can get technical from time to time. :) I will remove the
    netmask when back at work.

    Thanks again!
     
    Todd, Nov 30, 2006
    #4
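Point 1 above is the kind of thing that is easy to miss in a long config, so here is a small audit script added to this thread (not Brian's or Todd's code, and not a Cisco tool) that reads PIX 7.x config text and reports "any" entries in the ACLs that nat 0, a split-tunnel-network-list or a crypto map match address actually consumes. The sample config is constructed from the masked lines in the thread, and the ACL names in it are assumptions.

```python
import re

# Added audit example, not from the thread: report "any" entries in the ACLs a PIX 7.x config
# consumes for NAT exemption, split tunneling and crypto-map match address (Brian's point 1).
# Constructed sample modelled on the thread's masked config; the ACL names are assumed.
SAMPLE_CONFIG = """
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 any
access-list vpn_corp_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list vpn_scoped_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_access_in extended permit ip any any
nat (inside) 0 access-list inside_outbound_nat0_acl
 split-tunnel-network-list value vpn_corp_splitTunnelAcl
 split-tunnel-network-list value vpn_scoped_splitTunnelAcl
"""

ADDR = r"(any|host\s+\S+|\S+\s+\S+)"  # the three address forms an 'ip' ACE can carry
ACE_RE = re.compile(rf"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+{ADDR}\s+{ADDR}(?:\s.*)?$")
# Places that consume an ACL name; each of these should be tightly scoped.
REF_RES = [
    ("nat0", re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")),
    ("split-tunnel", re.compile(r"^split-tunnel-network-list\s+value\s+(\S+)")),
    ("crypto-map", re.compile(r"^crypto\s+dynamic-map\s+\S+\s+\d+\s+match\s+address\s+(\S+)")),
]

def find_broad_entries(config_text):
    """Return (acl, src, dst, used_by) for each entry with 'any' as source or destination
    in an ACL referenced by nat 0, a split-tunnel list or a crypto map."""
    aces, refs = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            aces.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        for kind, rx in REF_RES:
            m = rx.match(line)
            if m:
                refs.setdefault(m.group(1), set()).add(kind)
    findings = []
    for name in sorted(refs):  # unreferenced ACLs (e.g. inside_access_in) are out of scope
        for src, dst in aces.get(name, []):
            if "any" in (src, dst):
                findings.append((name, src, dst, ",".join(sorted(refs[name]))))
    return findings

if __name__ == "__main__":
    for finding in find_broad_entries(SAMPLE_CONFIG):
        print("overly broad ACL entry:", *finding)
```

Run it against a `show running-config` capture; the scoped entry (192.168.1.0/24 to the 192.168.5.0/24 pool) passes, the two "any" entries are what Brian is asking to be replaced.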