topic Re: Access LAN behind PIX in Network Security

Access LAN behind PIX

vanagon2tdi — Fri, 21 Feb 2020 07:45:22 GMT

I am trying to allow remote access to the LAN sitting behind my PIX. I am using the Cisco VPN client and have maaged to get authenticated, but I am unable to see the LAN (10.254.254.0/24) behind it. Any clues as to what I am missing?

Also I am trying to allow SSH through the PIX to a router sitting behind it. I created a sub interface on the router with a public address, and made sure the PIX was not NAT’ing it. I also created an access list rule that would allow SSH from my IP to the public one sitting behind the PIX. I do not get any connectivity. Any ideas?

Thanks,

Dave

Re: Access LAN behind PIX

jmia — Thu, 18 Nov 2004 16:01:30 GMT

Dave,

Can you post your config pls, here's a example for you to compare with:

access-list nonat permit ip 10.0.10.0 255.255.255.0 10.0.6.0 255.255.255.128

access-list 100 permit ip 10.0.10.0 255.255.255.0 10.0.6.0 255.255.255.128

ip local pool RASPool 10.0.6.1-10.0.6.100

nat (inside) 0 access-list nonat

sysopt connection permit-ipsec

crypto ipsec transform-set vpn_users esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set vpn_users

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp nat-traversal

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpnras address-pool RASPool

vpngroup vpnras dns-server

vpngroup vpnras wins-server

vpngroup vpnras default-domain

vpngroup vpnras idle-time 1800

vpngroup vpnras password

vpngroup vpnras split-tunnel 100

The above crypto access-list mask (255.255.255.128) will provide 100 ip addresses for the vpn users, you can increase this to suite your needs.

Let me know,

Jay

Re: Access LAN behind PIX

sachinraja — Mon, 22 Nov 2004 13:35:41 GMT

Hello dave,

if you are not able to connect to the LAN after connecting to the VPN , there might be a couple of issuses :

1) routing inside the PIX . in case this network is not directly connected to pix inside, make sure you route it to the appropriate layer 3 switch.. make sure the reverse route to the IP pool is available on the switch and the layer 3 switch.

2) in case the IP pool is in a different network other than your PIX inside network, you need to nonat the traffic. make sure you do this right, with the source as your local network (10.254.254.0/24) and destination as the IP pool..

eg: IP pool - 10.1.1.0/24

access-list nonat permit ip 10.254.254.0 255.255.255.0 10.1.1.0 255.255.255.0

3) In case you have inside access-lists on the PIX, make sure you allow 10.254.254.0 to communicate with the IP pool.

All the best.. rate all replies if found useful...

Re: Access LAN behind PIX

vanagon2tdi — Mon, 22 Nov 2004 18:18:27 GMT

below is a copy of my config. Can you see what i may be missing.

On the inside router 10.254.254.1 i have a route saying to get to 192.168.10.0 goto 10.1.1.101 and no access-lists

When i connect with my Cisco VPN client i get connected and see traffic going out but none coming in.

access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.128

access-list outside_cryptomap_dyn_40 permit ip any 192.168.10.0 255.255.255.128

ip address inside 10.1.1.101 255.255.255.252

ip local pool Cisco Dave-192.168.10.100 mask 255.255.255.0

pdm location 192.168.10.0 255.255.255.128 outside

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

http 192.168.10.0 255.255.255.0 inside

sysopt connection permit-ipsec

sysopt connection permit-l2tp

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map_1 40 match address outside_cryptomap_dyn_40

crypto dynamic-map outside_dyn_map_1 40 set transform-set ESP-3DES-MD5

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map_1

crypto map outside_map client authentication LOCAL

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 20 authentication rsa-sig

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption 3des

isakmp policy 40 hash md5

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

ssh 192.168.10.0 255.255.255.0 inside

ssh timeout 5

management-access inside

Re: Access LAN behind PIX

vanagon2tdi — Mon, 22 Nov 2004 18:23:08 GMT

I have posted my configs. If you can take a look when you have a minute that would be great.

Note, i am using the PDM and have little knowledge of a PIX command line (but learning slowly)

Thanks.

Dave