01-27-2009 10:53 PM - edited 03-11-2019 07:43 AM
Hi,
I have 2 Cisco PIX 515E (Pix1, Pix2) running 8.0.4. Between these devices there is an L2L VPN, configured on the outside interfaces. On Pix2 I also configured a remote access VPN on the outside interface.
Is it possible to reach the LAN behind Pix1 by using the remote access VPN on Pix2 and then the L2L VPN?
I don't want to configure remote access on Pix1.
Many thanks.
Regards,
Vladislav
01-28-2009 05:59 AM
Vladislav,
Yes, it is possible. It is all about tailoring the nonat access list and adding the RA network IP scheme to your L2L ACLs at both sites for interesting traffic.
This link depicts a similar example which can be applied in your scenario.
Regards
01-28-2009 02:47 PM
Vladislav
One important thing to remember about getting this to work: if you use remote access to get to pix2 and then want it to forward your traffic to pix1, you will need to enable same-security-level intra-interface traffic.
HTH
Rick
01-28-2009 04:33 PM
Rick is correct as well about same-security intra-interface on pix2 if RA is coming through pix2; literally pix2 will be treated as the hub, and pix1 and RA sort of as the spokes.
I had to lab this one out.
This is a fully working scenario: between PIX_SITE_A and ASA_SITE_B there is an L2L tunnel, and RA comes in on ASA_SITE_B.
PIX_SITE_A (PIX506 6.3.5)
Inside Subnet 172.16.1.0/24
ASA_SITE_B (ASA5505 8.0.4)
Inside subnet 172.27.1.0/24
RA VPN Pool network 140.40.30.0/24
L2L IPsec from PIX_SITE_A towards ASA_SITE_B
PIX_SITE_A
name 140.40.30.0 RA_NETWORK_ciscolab (the RA VPN pool network on ASA_SITE_B)
pdm location 140.40.30.0 255.255.255.0 outside
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 140.40.30.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 172.27.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.16.1.0 255.255.255.0 140.40.30.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.16.1.0 255.255.255.0 172.27.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
ASA_SITE_B
access-list inside_nat0_outbound extended permit ip 140.40.30.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.27.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 140.40.30.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.27.1.0 255.255.255.0 172.16.1.0 255.255.255.0
RA will access PIX_SITE_A through the ASA_SITE_B outside interface L2L IPsec tunnel; you will need a NAT exempt ACL on the outside interface.
It would look similar to:
nat (outside) 1 140.40.30.0 255.255.255.0 (PAT for the RA VPN pool for internet access, if you are doing full tunnel)
same-security-traffic permit intra-interface
I had to add nat (outside) 0 as I was getting a portmap translation failure from a PIX_SITE_A 172.16.1.x host to an RA host 140.40.30.x in ASA_SITE_B.
nat (outside) 0 access-list inside_nat0_outbound
As long as your L2L tunnel is UP at all times, the RA network 140.40.30.0/24 from ASA_SITE_B will be able to access resources on PIX_SITE_A and vice versa.
Regards
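As an added example (not part of any post in this thread, and not Cisco tooling), the three requirements the posts above settle on can be checked mechanically before a tunnel is brought up: the interesting-traffic ACLs on hub and spoke must mirror each other and include the RA pool, the hub must NAT-exempt RA-to-spoke traffic on the interface where RA terminates (the nat (outside) 0 line the lab needed), and the hub must permit intra-interface traffic (Rick's point). The script below parses ACL and nat lines from both firewalls and reports what is missing. The two configs are constructed from the lines posted above; the nat (inside) 0 access-list inside_nat0_outbound line on the hub is an assumption implied by the ACL name, and the crypto-map ACL names are passed in rather than parsed from crypto map lines, which the post does not show.

```python
"""Consistency checks for the hub-and-spoke hairpin scenario from the thread:
RA clients terminating on the hub (ASA_SITE_B) reach the spoke LAN (PIX_SITE_A)
over the hub's L2L tunnel. Illustrative checker written for this page, not
Cisco tooling. Sample configs are constructed from the thread's posted lines."""
import ipaddress
import re

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$", re.M)
INTRA_RE = re.compile(r"^same-security-traffic permit intra-interface$", re.M)


def _norm(config):
    """Strip indentation so the line-anchored regexes match pasted configs."""
    return "\n".join(line.strip() for line in config.splitlines())


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    for line in _norm(config).splitlines():
        m = ACL_RE.match(line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
    return acls


def nat0_acls(config):
    """Return {interface: acl_name} for each 'nat (if) 0 access-list NAME' line."""
    return dict(NAT0_RE.findall(_norm(config)))


def covers(entries, src, dst):
    """True if some ACL entry's src/dst pair contains the given src/dst networks."""
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in entries)


def check_hairpin(hub_cfg, hub_crypto, spoke_cfg, spoke_crypto, ra_pool, spoke_lan):
    """Return a list of findings; an empty list means the RA -> spoke path is complete."""
    ra, lan = ipaddress.ip_network(ra_pool), ipaddress.ip_network(spoke_lan)
    hub, spoke = parse_acls(hub_cfg), parse_acls(spoke_cfg)
    findings = []
    # 1. Interesting traffic: the hub crypto ACL must carry RA pool -> spoke LAN ...
    if not covers(hub.get(hub_crypto, []), ra, lan):
        findings.append(f"hub: {hub_crypto} lacks {ra} -> {lan}")
    # ... and the spoke crypto ACL must be its exact mirror, entry by entry.
    for s, d in hub.get(hub_crypto, []):
        if (d, s) not in spoke.get(spoke_crypto, []):
            findings.append(f"spoke: {spoke_crypto} has no mirror of {s} -> {d}")
    # 2. NAT exemption. RA traffic enters and leaves the hub on 'outside', so the
    #    exemption must be bound to that interface ('nat (outside) 0'), not only 'inside'.
    hub_nat0 = nat0_acls(hub_cfg)
    if not covers(hub.get(hub_nat0.get("outside", ""), []), ra, lan):
        findings.append("hub: no 'nat (outside) 0' exemption covering RA pool -> spoke LAN")
    if not any(covers(spoke.get(n, []), lan, ra) for n in nat0_acls(spoke_cfg).values()):
        findings.append("spoke: no nat 0 exemption covering spoke LAN -> RA pool")
    # 3. The U-turn on the hub's outside interface needs intra-interface traffic.
    if not INTRA_RE.search(_norm(hub_cfg)):
        findings.append("hub: 'same-security-traffic permit intra-interface' missing")
    return findings


# Constructed from the thread's ASA_SITE_B lines (hub, ASA 8.0.4). The
# 'nat (inside) 0' line is an assumption implied by the ACL name.
HUB_CFG = """
access-list inside_nat0_outbound extended permit ip 140.40.30.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.27.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 140.40.30.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.27.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (outside) 0 access-list inside_nat0_outbound
nat (outside) 1 140.40.30.0 255.255.255.0
same-security-traffic permit intra-interface
"""
# Constructed from the thread's PIX_SITE_A lines (spoke, PIX 6.3.5).
SPOKE_CFG = """
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 140.40.30.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 172.27.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.16.1.0 255.255.255.0 140.40.30.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.16.1.0 255.255.255.0 172.27.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
"""
# The same hub without the two lines the thread says were needed.
HUB_CFG_MISSING = "\n".join(
    l for l in HUB_CFG.splitlines()
    if not l.startswith(("nat (outside) 0", "same-security-traffic")))


def working():
    return check_hairpin(HUB_CFG, "outside_cryptomap", SPOKE_CFG, "outside_cryptomap_20",
                         "140.40.30.0/24", "172.16.1.0/24")


def broken():
    return check_hairpin(HUB_CFG_MISSING, "outside_cryptomap", SPOKE_CFG, "outside_cryptomap_20",
                         "140.40.30.0/24", "172.16.1.0/24")


if __name__ == "__main__":
    print("working config findings:", working())
    print("missing-lines findings:", broken())
```

working() returns no findings for the posted configuration; broken() reports exactly the two lines the lab had to add, the outside-interface NAT exemption and intra-interface permission. One caveat the checker does not cover: if the RA group policy uses split tunneling rather than full tunnel, the split-tunnel network list must also include the spoke LAN (172.16.1.0/24 here), or the client will never send that traffic into the tunnel at all.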
01-29-2009 03:30 AM
Thanks, it looks good.
I have a sub-question.
1. Could you please explain this statement to me?
nat (outside) 1 140.40.30.0 255.255.255.0 (PAT for RA VPN for internet access if you are doing full tunnel)
Is it therefore that I need to translate the RA pool to 172.27.1.0/24?
Because I want to see on PIX_SITE_A only IP addresses from 172.27.1.0/24, not 140.40.30.0/24.
Is it possible to do it this way?
Vladislav
01-29-2009 04:45 AM
nat (outside) 1 140.40.30.0 255.255.255.0 (PAT for RA VPN for internet access if you are doing full tunnel)
This is simply because I configured the RA tunnel as a full tunnel instead of split. nat (outside) 1 allows the RA pool 140.40.30.0 to have internet access through your ASA_SITE_B firewall and be translated with global ID 1, which is the outside interface of your ASA_SITE_B firewall. This has nothing to do with what you are trying to accomplish, but I posted it since it is part of a very common scenario. There are some instances, for example in PIX 6.3, where you will need split tunnel so that the RA users can have internet access not going through the encrypted tunnel: code 6.0 does not support the intra-interface feature, but code 7.x and above does. Other examples: some folks configure a split RA tunnel so the RA user is able to access local resources in their home, like network printers etc.
Is it therefore that I need to translate the RA pool to 172.27.1.0/24?
No, there is no address translation in place in this working scenario, and you do not need to translate anything. As long as there are no overlapping networks in any of the sites you do not need to translate; this scenario is completely NAT exempt, as you are doing NAT exempt access lists in both firewalls for the networks involved in communicating through the ASA_SITE_B tunnels.
Because I want to see on PIX_SITE_A only IP addresses from 172.27.1.0/24, not 140.40.30.0/24. Is it possible to do it this way?
I'm not clear on this question, but if it means what I think it means, it is possible; you will need to do policy NATing, but I think this will make the configuration complicated. I would suggest making this as simple as you can.
Regards
Please rate any helpful posts if this helped.