topic Re: VPN on PIX in Network Security

VPN on PIX

ray_stone — Mon, 11 Mar 2019 12:18:00 GMT

Hi, We have configured Pix firewall on two sites and both are connected by Tunnel and everything is working fine and as well as we have configured remote vpn on both firewall and we have set the DHCP range of remote Vpn which is different of the inside network and configured exempt traffic between Vpn and Inside network in both firewall. But now I want that the Vpn client nodes access the other fireall inside network as well. Details are given below:-

1) First Firewall (India) Conf:-

Inside 192.168.12.0/24

Outside *.*.*.*

VPN DHCP Range 192.168.253.0\24

2)Second Firewall conf:-

Inside 192.168.10.0/254

Outside :- ****

VPN DHCP Range 192.168.252.0/24

Now what configuration should I made so that the vpn client of ist firewall could able to access the other Firewall network. And is it possible on Pix 500 series or ASA Series. Thanks

Re: VPN on PIX

ray_stone — Sat, 15 Mar 2008 13:04:47 GMT

can anyone reply??

Re: VPN on PIX

cisco24x7 — Sun, 16 Mar 2008 13:04:57 GMT

Definitely possible. It's called hairpin.

you can do it with Pix or ASA in version

7.x or higher.

CCIE Security

Re: VPN on PIX

francisco_1 — Sun, 16 Mar 2008 15:31:32 GMT

firstly make sure the tunnel is active between both firewalls and make sure both firewalls can ping each other inside interface.

since your ipsec tunnel already exit between your PIX you only need to define the traffic you are interested in on your ipsec tunnel between your pix.

for example, to allow the first firewall vpn clients (192.168.253.0/24) to access firewall 2 inside interface (192.168.10.0/24), you will need to Defines interesting traffic that is protected by the IPSec tunnel

on firewall 2:

1, Defines interesting traffic that is protected by the IPSec tunnel.

access-list 101 (use current acl applied to your currect ipsec policy) permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0

2, Do not perform NAT for traffic to other PIX Firewall.

access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0

3, Tell the PIX not to NAT any traffic deemed interesting for IPSec.

nat (inside) 0 access-list 101

Might be a good idea to upload your pix vpn config so i can be more helpful.

Franco.

Re: VPN on PIX

francisco_1 — Sun, 16 Mar 2008 15:32:18 GMT

i suggest you use the PIX PDM to make changes instead if you are not familiar with the CLI.

Re: VPN on PIX

ray_stone — Fri, 06 Jun 2008 10:57:56 GMT

Hi, I went with the same above example but not able to access the Firewall 2 inside network as I am connecting to Firewall 1 by remote VPN. Now anyone give me the solution.

Is it required any access-list crypto setting?

The site to site tunnel is set with esp-des-md5 but when i connect to VPN and see the status then it shows the encryption 128 AES and authentication Hmac-sha1Thanks

Re: VPN on PIX

ray_stone — Fri, 06 Jun 2008 11:51:55 GMT

Hi, can anyone responds please... I have to resolve this issue on priority basis. Thanks

Re: VPN on PIX

ray_stone — Fri, 06 Jun 2008 12:02:16 GMT

Please respond asap.

Re: VPN on PIX

Alan Huseyin Kayahan — Fri, 06 Jun 2008 12:02:57 GMT

Hi Ray,

1) A very important detail, what you want to do is allowing traffic which enters outside interface to exit the same interface. (VPN client at outside interface enters interface and exits to VPN tunnel that is again connected to outside) This is called hairpinning or U-Turn. And the command which enables this is NOT! same-security-traffic permit inter-interface. It is intra-interface

2)Exempt NAT statement should not be applied to inside interface. This traffic never enters inside.

India

access-list outside_nat0_outbound permit ip 192.168.253.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (outside) 0 access-list outside_nat0_outbound outside

access-list Interestingtrafficacl permit ip 192.168.253.0 255.255.255.0 192.168.10.0

same-security-traffic permit intra-interface

clear xlate

Second Firewall

access-list outside_nat0_outbound permit ip 192.168.252.0 255.255.255.0 192.168.12.0 255.255.255.0

nat (outside) 0 access-list outside_nat0_outbound outside

access-list Interestingtrafficacl permit ip 192.168.252.0 255.255.255.0 192.168.12.0

same-security-traffic permit intra-interface

clear xlate

If you post sanitized config of sites, I will do on-config corrections

Regards

Re: VPN on PIX

ray_stone — Fri, 06 Jun 2008 12:14:11 GMT

I didn't able to understand following command:-

same-security-traffic permit intra-interface

Thanks

Re: VPN on PIX

Alan Huseyin Kayahan — Fri, 06 Jun 2008 12:17:19 GMT

As I explained, it will make you able to connect your VPN client which is terminated at outside interface of firewall1 over the tunnel to the remote VPN peer firewall2 which is also terminated at outside interface. Simply follow the commands I posted

Re: VPN on PIX

ray_stone — Fri, 06 Jun 2008 12:34:57 GMT

Hi, both FW configuration are attached and here I would like to provide the access of VPN only on India FW and want to access other DMZ and Inside network of Rwanda FW. Please suggest which of the command has to be add and which of the commands has to be remove. Thanks.

Re: VPN on PIX

Alan Huseyin Kayahan — Fri, 06 Jun 2008 12:56:05 GMT

India

access-list outside_nat0_outbound permit ip 192.168.13.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list outside_nat0_outbound permit ip 192.168.13.0 255.255.255.0 192.168.51.0 255.255.255.0

nat (outside) 0 access-list outside_nat0_outbound outside

access-list outside_cryptomap_2 extended permit ip 192.168.13.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list outside_cryptomap_2 extended permit ip 192.168.13.0 255.255.255.0 192.168.51.0 255.255.255.0

clear xlate

Rwanda

access-list outside_cryptomap_1 extended permit ip 192.168.51.0 255.255.255.0 192.168.13.0 255.255.255.0

access-list outside_cryptomap_1 extended permit ip 192.168.50.0 255.255.255.0 192.168.13.0 255.255.255.0

Do the above in their respective order

Re: VPN on PIX

ray_stone — Fri, 06 Jun 2008 13:34:30 GMT

Thanks everyone... The problem has been solved. I appreciate...

Re: VPN on PIX

Alan Huseyin Kayahan — Fri, 06 Jun 2008 13:36:00 GMT

You are welcome 🙂

Re: VPN on PIX

ray_stone — Fri, 06 Jun 2008 13:45:24 GMT

Hey, how can i start the ping from Vpn to firewall rwanda network. Thanks

Re: VPN on PIX

ray_stone — Sat, 07 Jun 2008 05:28:36 GMT

After connecting VPN, when I try to ping the Rwanda Network then the ICMP request is getting blocked as I review in ASDM login details. Anyone suggest what should I do to open ICMP request. Thanks..

Re: VPN on PIX

Alan Huseyin Kayahan — Sat, 07 Jun 2008 12:30:10 GMT

Ray,

In both india and Rwanda, add the following

policy-map global_policy

class inspection_default

inspect icmp