PIX Tunnel routing problem

gjohnson1963
Level 1

I have a PIX 515 and a PIX 501 with a VPN tunnel between the two.

I have no problem accessing either site's inside interface through the VPN tunnel.

My PIX 515E has a D-PRIV interface and I need to access the D-PRIV from my PIX 501.

What changes need to be made so the PIX 501 can access the D-PRIV?

PIX 515 ------------ VPN Tunnel ------------ PIX 501
Inside        D-PRIV                         Inside
192.168.1.x   192.168.2.x                    172.16.1.x

5 Replies

scoclayton
Level 7

I think I get the gist of what you are saying. You are trying to access hosts on another interface on the PIX 515 from hosts inside the PIX 501 across the VPN tunnel. If this is the case, all you should need to do is add the 192.168.2.X subnet to your crypto access-list and also account for it in your nonat access-list (I assume you have this). Something like:

existing on the 515:

access-list crypto permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

existing on the 501:

access-list crypto permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

changes on the 515:

access-list crypto permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list crypto permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0

changes on the 501:

access-list crypto permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list crypto permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Hope this makes sense. You will need to modify the translations on the 515 as well to account for the traffic from the DMZ hosts back across the tunnel. This should be similar to however you have the inside hosts set up (something like a nat (intf) 0 ACL).

Scott

Scott, I had no luck; here are my configs.

515:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 d-priv security50
access-list alert-interval 2000
access-list dmz-in permit ip 192.168.60.0 255.255.255.0 any
access-list nonat permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 192.168.60.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpnclient_splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any
ip address outside xx.xx.xx.xx 255.255.xx.xx
ip address inside 192.168.50.1 255.255.255.0
ip address d-priv 192.168.60.1 255.255.255.0
pdm location 192.168.50.0 255.255.255.0 inside
global (outside) 1 xx.xx.xx.xx
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
access-group dmz-in in interface d-priv
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
crypto ipsec transform-set michigan esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map ann_arbor 21 ipsec-isakmp
crypto map ann_arbor 21 match address vpn
crypto map ann_arbor 21 set peer xx.xx.xx.xx
crypto map ann_arbor 21 set transform-set michigan
crypto map ann_arbor 21 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map ann_arbor 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map ann_arbor interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400

501:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
interface ethernet0 10baset
interface ethernet1 10full
ip address outside xx.xx.xx.xx 255.255.255.248
ip address inside 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.1.10 255.255.255.255 inside
global (outside) 1 xx.xx.xx.xx
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set michigan esp-des esp-md5-hmac
crypto map ann_arbor 21 ipsec-isakmp
crypto map ann_arbor 21 match address nonat
crypto map ann_arbor 21 set peer xx.xx.xx.xx
crypto map ann_arbor 21 set transform-set michigan
crypto map ann_arbor 21 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map ann_arbor interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 20
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 10
username admin password xxxxxxxxxxxxxxx encrypted privilege 15
terminal width 80
: end

Hope you can help

What happened to your "vpn" access-list on the 515?

Try adding the following:

on the 515:

access-list vpn permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn permit ip 192.168.60.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (d-priv) 0 access-list nonat

You may also want to enable "sysopt connection permit-ipsec" on the 515 as well. I don't know if you just omitted this when you were pasting the config.

on the 501:

access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list vpn permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list vpn permit ip 172.16.1.0 255.255.255.0 192.168.60.0 255.255.255.0

and change on the 501:

crypto map ann_arbor 21 match address nonat

to

crypto map ann_arbor 21 match address vpn

That should do the trick.

Hope this helps.

Scott

Scott,

I made the changes and it is still not working. Here are the full configs; maybe I am missing something.

501:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX-xxx
domain-name xxxx.com
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list vpn permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list vpn permit ip 172.16.1.0 255.255.255.0 192.168.60.0 255.255.255.0
interface ethernet0 10baset
interface ethernet1 10full
ip address outside XX.XX.XX.XX 255.255.255.248
ip address inside 172.16.1.1 255.255.255.0
global (outside) 1 XX.XX.XX.XX
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set michigan esp-des esp-md5-hmac
crypto map ann_arbor 21 ipsec-isakmp
crypto map ann_arbor 21 match address vpn
crypto map ann_arbor 21 set peer XX.XX.XX.XX
crypto map ann_arbor 21 set transform-set michigan
crypto map ann_arbor 21 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map ann_arbor interface outside
isakmp enable outside
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400

515:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 d-priv security50
hostname xxx-pix
domain-name xxxx.com
access-list alert-interval 2000
access-list dmz-in permit ip 192.168.60.0 255.255.255.0 any
access-list nonat permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 host 192.168.60.52
access-list nonat permit ip 192.168.50.0 255.255.255.0 172.21.1.0 255.255.255.0
access-list nonat permit ip 192.168.60.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 172.21.1.0 255.255.255.0
access-list vpn permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn permit ip 192.168.60.0 255.255.255.0 172.16.1.0 255.255.255.0
ip address outside xx.xx.xx.xx 255.255.255.128
ip address inside 192.168.50.1 255.255.255.0
ip address d-priv 192.168.60.1 255.255.255.0
ip local pool vpnpool1 172.21.1.100-172.21.1.199
global (outside) 1 xx.xx.xx.xx
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (d-priv) 0 access-list nonat
access-group 100 in interface outside
access-group dmz-in in interface d-priv
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
sysopt connection permit-ipsec
crypto ipsec transform-set michigan esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map ann_arbor 21 ipsec-isakmp
crypto map ann_arbor 21 match address vpn
crypto map ann_arbor 21 set peer xx.xx.xx.xx
crypto map ann_arbor 21 set transform-set michigan
crypto map ann_arbor 21 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map ann_arbor 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map ann_arbor interface outside
isakmp enable outside
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400

Scott

I got it to work by changing nat (d-priv) 0 access-list nonat to nat (d-priv) 0 access-list vpn.

I have one more problem with my VPN clients: they can only access the 192.168.50.x network. Any ideas?
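An added checker, not from the thread or from Cisco, for the two rules this thread turns on: the crypto ACLs on the two peers must be mirror images, and every crypto ACL entry needs a nat 0 exemption on the interface that owns its source network. The sample configs are constructed, trimmed copies of the final postings above (outside addresses omitted, 515 d-priv using the "vpn" ACL as in the fix); the parser assumes plain "A MASK" address specs.

```python
import ipaddress
# Constructed, trimmed copies of the thread's final configs (outside addresses omitted).
PIX515 = """
ip address inside 192.168.50.1 255.255.255.0
ip address d-priv 192.168.60.1 255.255.255.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn permit ip 192.168.60.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (d-priv) 0 access-list vpn
crypto map ann_arbor 21 match address vpn
"""
PIX501 = """
ip address inside 172.16.1.1 255.255.255.0
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list vpn permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list vpn permit ip 172.16.1.0 255.255.255.0 192.168.60.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map ann_arbor 21 match address vpn
"""
def _net(addr, mask):  # 'A MASK' form only; 'any'/'host' specs are not parsed here
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
def parse(cfg):
    """Return (acls, nat 0 ACL per interface, interface networks, crypto-map ACL names)."""
    acls, nat0, ifaces, crypto = {}, {}, {}, set()
    for t in (line.split() for line in cfg.splitlines()):
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append((_net(t[4], t[5]), _net(t[6], t[7])))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]
        elif t[:2] == ["ip", "address"]:
            ifaces[t[2]] = _net(t[3], t[4])
        elif t[:2] == ["crypto", "map"] and "address" in t:
            crypto.add(t[t.index("address") + 1])
    return acls, nat0, ifaces, crypto
def crypto_entries(parsed):  # (src, dst) pairs of the ACLs bound to static crypto map entries
    return [e for name in sorted(parsed[3]) for e in parsed[0].get(name, [])]
def mirror_gaps(parsed_a, parsed_b):
    """Crypto ACL entries on A with no reversed (dst, src) twin on B."""
    twins = {(d, s) for s, d in crypto_entries(parsed_b)}
    return [e for e in crypto_entries(parsed_a) if e not in twins]
def nat0_gaps(parsed):
    """Crypto ACL entries lacking a nat 0 exemption on the interface owning the source."""
    acls, nat0, ifaces, _ = parsed
    owner = lambda s: next((i for i, n in ifaces.items() if s.subnet_of(n)), None)
    def exempt(s, d):
        rules = acls.get(nat0.get(owner(s), ""), [])
        return any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in rules)
    return [(owner(s), s, d) for s, d in crypto_entries(parsed) if not exempt(s, d)]
```

Against the configs as posted, the mirror check passes and the 515 is fully exempted, while the 501 still lacks the 172.16.1.0 to 192.168.60.0 nonat entry Scott suggested, so that traffic would be PAT'd by the nat (inside) 1 rule before the crypto ACL sees it.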
