topic Re: Need to help configure second network for site to site ipsec in Network Security

Need to help configure second network for site to site ipsec vpn

rana.samir — Mon, 11 Mar 2019 17:54:06 GMT

Hi All,

With the reference to the attached diagram.

We have ipsec site to site tunnel between 10.254.5.254 /23 and 10.192.0.0 /16 network.

I would like to add second network 192.168.1.0 /24 and 192.168.2.0 /24 respective end.

If any body can help how to configure this on site to site vpn would be appricated.

Thanks,

Samir

Re: Need to help configure second network for site to site ipsec

Federico Coto Fajardo — Wed, 02 Jun 2010 19:20:43 GMT

Hi Samir,

Using the same tunnel already established between the two PIXes, just add the local network on each side on the interesting traffic.

If you're doing NAT exemption, also include the networks in that list.

If you want the exact commands, please include the following output from both PIXes:

sh run access-l --> this is the name of the ACL in the crypto map

sh run nat

Federico.

Re: Need to help configure second network for site to site ipsec

rana.samir — Thu, 03 Jun 2010 14:50:20 GMT

Hi Federico,

Thanks for your reply.

But my problem is one side of 515E PIX firewall is directly connected with layer 2 switch.

So, How can I add 192.168.x.x network on layer 2 switch and allowed on to the

site-site vpn tunnel.

Waiting for your kind reply.

Samir

Re: Need to help configure second network for site to site ipsec

Federico Coto Fajardo — Thu, 03 Jun 2010 15:03:36 GMT

The fact that the 192.168.1.x is connected via a layer 2 switch on the PIX-515 should not matter.
What you do is to aggregate the 192.168.1.x in the interesting traffic to the tunnel that goes to the PIX-525

So, let's say you have this crypto ACL for the tunnel...
access-list crypto permit ip 10.254.5.0 255.255.254.0 10.192.0.0 255.255.0.0

Then you add the following line to the PIX-515:
access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

To allow 192.168.1.x to communicate with 192.168.2.x through the tunnel.

On the PIX-525 you should add the inverse ACL:
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Besides this...
You need to take into consideration the NAT configuration and the routing to make this work.

Federico.

Re: Need to help configure second network for site to site ipsec

rana.samir — Thu, 03 Jun 2010 16:19:27 GMT

Hi Federico,

Thank you very much for your early reply.

Here is the my configuration of the both sides for your information.

Waiting for your kind reply.

Re: Need to help configure second network for site to site ipsec

Federico Coto Fajardo — Thu, 03 Jun 2010 16:37:08 GMT

PIX-515E

Current crypto ACL on PIX-515E
access-list outside_cryptomap_20 permit ip object-group subnet-Keyano object-group SCL_WAN_VPN

object-group network subnet-Keyano
network-object 10.254.4.0 255.255.254.0
network-object 192.168.1.0 255.255.255.0

object-group network SCL_WAN_VPN
network-object 10.0.0.0 255.0.0.0
network-object 192.168.1.0 255.255.255.0

Current bypass ACL in PIX-515E is the same as above:
access-list inside_outbound_nat0_acl permit ip object-group subnet-Keyano object-group SCL_WAN_VPN log

#####################################################################################

PIX-525

Current crypto ACL on PIX-525

access-list TELUS_cryptomap_20 permit ip object-group SCL_WAN_VPN object-group subnet-Keyano

object-group network SCL_WAN_VPN
network-object 10.0.0.0 255.0.0.0
network-object 192.168.2.0 255.255.255.0

object-group network subnet-Keyano
network-object 10.254.4.0 255.255.254.0
network-object 192.168.1.0 255.255.255.0

Current bypass ACL in PIX-525

access-list inside-nat permit ip any any log
access-list inside-nat permit ip object-group SCL_WAN_VPN object-group subnet-Keyano

###################################################################################

I'll do the following modifications:

1. On both sides modify the crypto ACL to not include the entire 10.0.0.0/8 but instead only the 10.192.0.0/16 to avoid overlapping
issues with the 10.254.4.0/24 on the other side.

2. Remove the inside-nat permit ip any any on the PIX-525

Let me know.

Federico.

Re: Need to help configure second network for site to site ipsec

rana.samir — Thu, 03 Jun 2010 19:49:59 GMT

Hi Federico,

It does not work.

Any more idea how can i do this.

Also I can not ping my 10.192.x.x network from 192.168.1.x network.

Waiting for your kind reply.

Thanks,

Samir

Re: Need to help configure second network for site to site ipsec

Federico Coto Fajardo — Thu, 03 Jun 2010 20:20:55 GMT

On the PIX-525, this statement is wrong:
route inside 0.0.0.0 0.0.0.0 10.97.100.1 1

The default gateway should be to the outside.

Also make sure that PIX can reach the internal networks 10.192.0.0/16 and 192.168.2.0/24 since are not directly connected to the PIX.

On the PIX-515 include this:
nat (EMIT-TEST) 0 access-list inside_outbound_nat0_acl

Federico.

Re: Need to help configure second network for site to site ipsec

rana.samir — Thu, 03 Jun 2010 21:32:51 GMT

Hi Federico,

As per your previous comments, I did changed configuration. and my existing tunnel get down.

How can I restore that one ?

Thanks in advance.

Regards,

Samir Rana

Re: Need to help configure second network for site to site ipsec

Federico Coto Fajardo — Thu, 03 Jun 2010 23:00:03 GMT

What changes you made?

Remove this route?

route inside 0.0.0.0 0.0.0.0 10.97.100.1 1

Put it back in.

What else?

Federico.