Access to remote network through VPN

gavinfoster
Level 1

Hello Experts,

I have a PIX 515 with a Cisco 1841 router connected to the inside interface. I have a remote access VPN set up on the PIX and I can use this to access ADSM remotely.

I also want to access one of the networks downstream from the 1841 router over the VPN.

So I have my home computer running the VPN client.

I have the PIX inside interface 192.168.254.1/24 connected to the 1841 router interface 0/0

I have another network 10.1.1.0/24 connected to the 1841 interface 0/1

I have added the 10.1.1.0 network to the pix split tunnel ACL so that traffic to this network is tunneled to the PIX.

When I try to ping anything on the 10.1.1.0 network from my home computer over the VPN I can see the PIX error message 305005, "No translation group found........." so I know the ping reached the PIX but it looks as if the PIX doesn't know what to do with it.

When I try to ping my home computer (through the VPN tunnel) from a host on the 10.1.1.0 network, I can see the echo request arrive on my PC but the SRC address of the ping has been NATTED to the outside interface of the PIX, (it still came down the tunnel), and my PC sends the echo reply back to the outside address of the pix which is then dropped.

Can someone tell me how to configure the pix to allow access to the 10.1.1.0 network from the VPN client?  I suspect I have to stop NATTing traffic on that route but I'm out of my depth.

Many thanks.

Accepted Solution

Hi,

It seems that you're almost there...

What you're missing is to include the network in the bypass NAT statements.

So, you have included the 10.1.1.0/24 in the split tunneling --> this will send this traffic through the tunnel

But you also have to include the network in the NAT0 rule.

For example:

access-list nonat permit ip 10.1.1.0 255.255.255.0 x.x.x.x 255.255.255.0

nat (inside) 0 access-list nonat

Just change the x.x.x.x above for the VPN pool defined.

What happens is that if you don't include the network in the NAT0, then the PIX will attempt to NAT the traffic through the tunnel.

Hope it helps.

Federicol

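Putting the accepted answer together with the rest of the thread (the static route for 10.1.1.0 via the 1841, the split-tunnel list and the NAT exemption), here is an added PIX 7.x-style configuration fragment; it is not from the original post or from Cisco documentation. The VPN pool 192.168.100.0/24, the 1841 address 192.168.254.2, and the ACL and group-policy names are assumptions; the exemption is scoped to the pool rather than "any" so that only tunneled traffic bypasses NAT.

```cisco
! Added example: PIX 7.x-style syntax (ASDM implies 7.x); all values below are assumed
! Address pool handed to VPN clients
ip local pool VPNPOOL 192.168.100.1-192.168.100.50 mask 255.255.255.0

! PIX must know how to reach the LAN behind the 1841 (its 0/0 is assumed to be 192.168.254.2)
route inside 10.1.1.0 255.255.255.0 192.168.254.2 1

! Split tunnel: only these destinations are sent through the tunnel by the client
access-list SPLIT standard permit 192.168.254.0 255.255.255.0
access-list SPLIT standard permit 10.1.1.0 255.255.255.0

! NAT exemption (nat 0): inside networks <-> VPN pool only, so nothing else bypasses NAT
! Without the 10.1.1.0 line, replies from that LAN fall through to the dynamic NAT rule and
! are sourced from the outside address, which is the symptom described in the question
access-list NONAT extended permit ip 192.168.254.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Tie the split-tunnel list to the remote-access group policy (name assumed)
group-policy RAVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
```

After applying this, a ping from the client to 10.1.1.0 should no longer produce syslog 305005, and `show xlate` should show no translation for pool addresses.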
3 Replies

Federico,

You are a genius!

I added your NAT bypass access list and my application began talking to the remote network immediately!

I forgot to add in my original post that I had a static route for the 10.1.1.0 network to send it to the 0/0 interface on the 1841 router.

As you correctly pointed out, all I needed to do was to stop the PIX from natting the 10.1.1.0 packets when they were destined to go down the VPN tunnel.

Many thanks

Gavin

Gavin,

Not sure about the genius part :-)

But I'm glad I could help!

Cheers!

Federico.