Access LAN behind PIX

vanagon2tdi
Level 1

I am trying to allow remote access to the LAN sitting behind my PIX. I am using the Cisco VPN client and have managed to get authenticated, but I am unable to see the LAN (10.254.254.0/24) behind it. Any clues as to what I am missing?

Also, I am trying to allow SSH through the PIX to a router sitting behind it. I created a sub-interface on the router with a public address and made sure the PIX was not NATing it. I also created an access-list rule that would allow SSH from my IP to the public one sitting behind the PIX. I do not get any connectivity. Any ideas?

Thanks,

Dave

4 Replies

jmia
Level 7

Dave,

Can you post your config please? Here's an example for you to compare with:

access-list nonat permit ip 10.0.10.0 255.255.255.0 10.0.6.0 255.255.255.128
access-list 100 permit ip 10.0.10.0 255.255.255.0 10.0.6.0 255.255.255.128
ip local pool RASPool 10.0.6.1-10.0.6.100
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set vpn_users esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpn_users
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnras address-pool RASPool
vpngroup vpnras dns-server
vpngroup vpnras wins-server
vpngroup vpnras default-domain
vpngroup vpnras idle-time 1800
vpngroup vpnras password
vpngroup vpnras split-tunnel 100

The above crypto access-list mask (255.255.255.128) will provide 100 IP addresses for the VPN users; you can increase this to suit your needs.

Let me know,

Jay

I have posted my configs. If you can take a look when you have a minute that would be great.

Note: I am using the PDM and have little knowledge of the PIX command line (but learning slowly).

Thanks.

Dave

sachinraja
Level 9

Hello Dave,

If you are not able to connect to the LAN after connecting to the VPN, there might be a couple of issues:

1) Routing inside the PIX. In case this network is not directly connected to the PIX inside, make sure you route it to the appropriate layer 3 switch. Make sure the reverse route to the IP pool is available on the switch and the layer 3 switch.

2) In case the IP pool is in a different network than your PIX inside network, you need to nonat the traffic. Make sure you do this right, with the source as your local network (10.254.254.0/24) and the destination as the IP pool.

E.g., IP pool 10.1.1.0/24:

access-list nonat permit ip 10.254.254.0 255.255.255.0 10.1.1.0 255.255.255.0

3) In case you have inside access-lists on the PIX, make sure you allow 10.254.254.0 to communicate with the IP pool.

All the best. Rate all replies if found useful.
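A small checker for point 2, added here as an illustration (it is not code from any of the posters or from Cisco): it parses PIX 6.x-style `access-list`, `nat (inside) 0 access-list` and `ip local pool` lines and reports whether traffic from the given LAN to every address in the pool is exempted from NAT. The sample config is constructed from Jay's example above; the "BAD_POOL" variant is a constructed mistake where the pool runs past the ACL's /25 mask.

```python
import ipaddress
import re

# Classic PIX 6.x syntaxes only (assumption): 'permit ip' ACL entries with
# 'any' or 'addr mask' fields, 'nat (inside) 0 access-list NAME', and
# 'ip local pool NAME first-last'.
ACL_RE = re.compile(r"^access-list (\S+) permit ip (any|\S+ \S+) (any|\S+ \S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)")


def _net(field):
    """Turn 'any' or 'addr mask' into an ip_network."""
    if field == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = field.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Collect ACL entries by name, the nat 0 ACL name, and the pool range."""
    acls, nat0, pool = {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((_net(m[2]), _net(m[3])))
        elif m := NAT0_RE.match(line):
            nat0 = m[1]
        elif m := POOL_RE.match(line):
            pool = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
    return acls, nat0, pool


def nonat_covers_pool(config, lan):
    """True if LAN -> every pool address is NAT-exempt via the nat 0 ACL."""
    acls, nat0, pool = parse(config)
    if nat0 is None or pool is None:
        return False
    lan = ipaddress.ip_network(lan)
    # A pool is fully covered when both ends fall inside one contiguous entry.
    return any(lan.subnet_of(src) and pool[0] in dst and pool[1] in dst
               for src, dst in acls.get(nat0, []))


# Constructed sample based on Jay's example: pool sits inside the ACL's /25.
SAMPLE = """
access-list nonat permit ip 10.0.10.0 255.255.255.0 10.0.6.0 255.255.255.128
ip local pool RASPool 10.0.6.1-10.0.6.100
nat (inside) 0 access-list nonat
"""
# Constructed mistake: the pool spills past the /25 covered by the ACL.
BAD_POOL = SAMPLE.replace("10.0.6.1-10.0.6.100", "10.0.6.1-10.0.6.200")
```

Running it against SAMPLE with the LAN 10.0.10.0/24 returns True, with 10.254.254.0/24 (the wrong source network) returns False, and against BAD_POOL returns False.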

Below is a copy of my config. Can you see what I may be missing?

On the inside router 10.254.254.1 I have a route saying to get to 192.168.10.0 go to 10.1.1.101, and no access-lists.

When I connect with my Cisco VPN client I get connected and see traffic going out but none coming in.

access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.128
access-list outside_cryptomap_dyn_40 permit ip any 192.168.10.0 255.255.255.128
ip address inside 10.1.1.101 255.255.255.252
ip local pool Cisco Dave-192.168.10.100 mask 255.255.255.0
pdm location 192.168.10.0 255.255.255.128 outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
http 192.168.10.0 255.255.255.0 inside
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map_1 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map_1 40 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
management-access inside
