11-18-2004 12:50 PM - edited 02-20-2020 11:45 PM
I have a PIX 515 and PIX 501 with a VPN tunnel between the two.
I have no problem accessing either site's inside interface through the VPN tunnel.
My PIX 515E has a D-PRIV interface and I need to access the D-PRIV from my PIX 501.
What changes need to be made so the PIX 501 can access the D-PRIV?
PIX 515 -- VPN Tunnel--- PIX 501
Inside D-PRIV Inside
192.168.1.x 192.168.2.x 172.16.1.x
11-18-2004 03:22 PM
I think I get the gist of what you are saying. You are trying to access hosts on another interface on the PIX 515 from hosts inside the PIX 501 across the VPN tunnel. If this is the case, all you should need to do is add the 192.168.2.X subnet to your crypto access-list and also account for it in your nonat access-list (I assume you have this). Something like:
existing on the 515:
access-list crypto permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
existing on the 501:
access-list crypto permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
changes on the 515:
access-list crypto permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list crypto permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
changes on the 501:
access-list crypto permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list crypto permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Hope this makes sense. You will need to modify the translations on the 515 as well to account for the traffic from the DMZ hosts back across the tunnel. This should be similar to however you have the inside hosts setup (something like a nat (intf) 0 ACL).
Scott
12-16-2004 12:27 PM
Scott, I had no luck; here are my configs.
515:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 d-priv security50
access-list alert-interval 2000
access-list dmz-in permit ip 192.168.60.0 255.255.255.0 any
access-list nonat permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 192.168.60.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpnclient_splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any
ip address outside xx.xx.xx.xx 255.255.xx.xx
ip address inside 192.168.50.1 255.255.255.0
ip address d-priv 192.168.60.1 255.255.255.0
pdm location 192.168.50.0 255.255.255.0 inside
global (outside) 1 xx.xx.xx.xx
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
access-group dmz-in in interface d-priv
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
crypto ipsec transform-set michigan esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map ann_arbor 21 ipsec-isakmp
crypto map ann_arbor 21 match address vpn
crypto map ann_arbor 21 set peer xx.xx.xx.xx
crypto map ann_arbor 21 set transform-set michigan
crypto map ann_arbor 21 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map ann_arbor 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map ann_arbor interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
501:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
interface ethernet0 10baset
interface ethernet1 10full
ip address outside xx.xx.xx.xx 255.255.255.248
ip address inside 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.1.10 255.255.255.255 inside
global (outside) 1 xx.xx.xx.xx
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set michigan esp-des esp-md5-hmac
crypto map ann_arbor 21 ipsec-isakmp
crypto map ann_arbor 21 match address nonat
crypto map ann_arbor 21 set peer xx.xx.xx.xx
crypto map ann_arbor 21 set transform-set michigan
crypto map ann_arbor 21 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map ann_arbor interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 20
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 10
username admin password xxxxxxxxxxxxxxx encrypted privilege 15
terminal width 80
: end
Hope you can help
12-16-2004 01:23 PM
What happened to your "vpn" access-list on the 515?
Try adding the following:
on the 515:
access-list vpn permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn permit ip 192.168.60.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (d-priv) 0 access-list nonat
You may also want to enable "sysopt connection permit-ipsec" on the 515 as well. I don't know if you just omitted this when you were pasting the config.
on the 501:
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list vpn permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list vpn permit ip 172.16.1.0 255.255.255.0 192.168.60.0 255.255.255.0
and change on the 501:
crypto map ann_arbor 21 match address nonat
to
crypto map ann_arbor 21 match address vpn
That should do the trick.
Hope this helps.
Scott
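The two points Scott makes in his replies above (the crypto ACL on each peer must be the mirror image of the other's, and every crypto ACL flow must be exempted from NAT on the interface that owns its source subnet) can be checked mechanically before the tunnel is ever brought up. The script below is an added example, not code from either poster or from Cisco: it parses the plain-text PIX 6.x lines quoted in this thread and reports undefined crypto ACLs, unmirrored flows, and flows that the `nat (intf) 0` exemption misses. The sample configs are constructed abridgements using the thread's subnets (the first-posted configs, and the configs after Scott's suggested changes plus the poster's final `nat (d-priv) 0` fix); masked `xx.xx.xx.xx` addresses are simply not recorded.

```python
"""Consistency checks for a pair of PIX 6.x site-to-site IPsec configs.
Added example (not the thread's own configs or any Cisco tool): parses the
quoted config lines and reports crypto ACL / nat 0 mismatches."""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
IPADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")


def _take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]


def parse_config(text):
    """Collect named ACLs, crypto-map match ACLs, nat 0 bindings and interface subnets."""
    cfg = {"acls": {}, "crypto_acls": set(), "nat0": {}, "interfaces": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            src, rest = _take_addr(m.group(2).split())
            dst, _ = _take_addr(rest)
            cfg["acls"].setdefault(m.group(1), []).append((src, dst))
        elif m := MATCH_RE.match(line):
            cfg["crypto_acls"].add(m.group(1))
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif m := IPADDR_RE.match(line):
            try:  # masked "xx.xx.xx.xx" addresses raise and are skipped
                cfg["interfaces"][m.group(1)] = ipaddress.ip_network(
                    m.group(2) + "/" + m.group(3), strict=False)
            except ValueError:
                pass
    return cfg


def crypto_pairs(cfg):
    """(src, dst) flows of every ACL a crypto map references; an undefined ACL contributes nothing."""
    return {(s, d) for name in cfg["crypto_acls"] for s, d in cfg["acls"].get(name, [])}


def mirror_gaps(local, remote):
    """Local crypto flows that the peer's crypto ACLs do not list in reverse (dst -> src)."""
    remote_rev = {(d, s) for s, d in crypto_pairs(remote)}
    return sorted(f"{s}->{d}" for s, d in crypto_pairs(local) if (s, d) not in remote_rev)


def nat0_gaps(cfg):
    """Local crypto flows not covered by the nat (intf) 0 ACL of the interface owning the source."""
    gaps = []
    for src, dst in crypto_pairs(cfg):
        intf = next((i for i, net in cfg["interfaces"].items() if src.subnet_of(net)), None)
        exempt = cfg["acls"].get(cfg["nat0"].get(intf, ""), [])
        if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt):
            gaps.append((intf, f"{src}->{dst}"))
    return sorted(gaps, key=str)


def report(local_text, remote_text):
    """Run all three checks from the point of view of `local_text`."""
    local, remote = parse_config(local_text), parse_config(remote_text)
    return {"undefined_crypto_acls": sorted(local["crypto_acls"] - local["acls"].keys()),
            "unmirrored": mirror_gaps(local, remote),
            "nat0_gaps": nat0_gaps(local)}


# Constructed abridgements of the first-posted configs (vpn ACL never defined on the 515).
PIX515_BEFORE = """ip address inside 192.168.50.1 255.255.255.0
ip address d-priv 192.168.60.1 255.255.255.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 192.168.60.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map ann_arbor 21 match address vpn"""
PIX501_BEFORE = """ip address inside 172.16.1.1 255.255.255.0
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map ann_arbor 21 match address nonat"""
# Constructed abridgements after the suggested changes and the final nat (d-priv) 0 fix.
PIX515_AFTER = PIX515_BEFORE + """
access-list vpn permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn permit ip 192.168.60.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (d-priv) 0 access-list vpn"""
PIX501_AFTER = """ip address inside 172.16.1.1 255.255.255.0
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list vpn permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list vpn permit ip 172.16.1.0 255.255.255.0 192.168.60.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map ann_arbor 21 match address vpn"""

if __name__ == "__main__":
    for side, a, b in (("515", PIX515_BEFORE, PIX501_BEFORE), ("501", PIX501_BEFORE, PIX515_BEFORE),
                       ("515", PIX515_AFTER, PIX501_AFTER), ("501", PIX501_AFTER, PIX515_AFTER)):
        print(side, report(a, b))
```

Run against the "before" pair, the 515 side reports `vpn` as an undefined crypto ACL and the 501 side reports its `172.16.1.0/24->192.168.50.0/24` flow as unmirrored; the "after" pair reports nothing on either side. The `nat0_gaps` check is deliberately keyed on the interface that owns the source subnet, since a `nat (inside) 0` exemption says nothing about traffic sourced from d-priv.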
12-28-2004 02:41 PM
Scott
I made the changes and it is still not working. Here are the full configs; maybe I am missing something.
501:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname PIX-xxx
domain-name xxxx.com
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list vpn permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list vpn permit ip 172.16.1.0 255.255.255.0 192.168.60.0 255.255.255.0
interface ethernet0 10baset
interface ethernet1 10full
ip address outside XX.XX.XX.XX 255.255.255.248
ip address inside 172.16.1.1 255.255.255.0
global (outside) 1 XX.XX.XX.XX
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set michigan esp-des esp-md5-hmac
crypto map ann_arbor 21 ipsec-isakmp
crypto map ann_arbor 21 match address vpn
crypto map ann_arbor 21 set peer XX.XX.XX.XX
crypto map ann_arbor 21 set transform-set michigan
crypto map ann_arbor 21 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map ann_arbor interface outside
isakmp enable outside
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
515:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 d-priv security50
hostname xxx-pix
domain-name xxxx.com
access-list alert-interval 2000
access-list dmz-in permit ip 192.168.60.0 255.255.255.0 any
access-list nonat permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 192.168.50.0 255.255.255.0 host 192.168.60.52
access-list nonat permit ip 192.168.50.0 255.255.255.0 172.21.1.0 255.255.255.0
access-list nonat permit ip 192.168.60.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 172.21.1.0 255.255.255.0
access-list vpn permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn permit ip 192.168.60.0 255.255.255.0 172.16.1.0 255.255.255.0
ip address outside xx.xx.xx.xx 255.255.255.128
ip address inside 192.168.50.1 255.255.255.0
ip address d-priv 192.168.60.1 255.255.255.0
ip local pool vpnpool1 172.21.1.100-172.21.1.199
global (outside) 1 xx.xx.xx.xx
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (d-priv) 0 access-list nonat
access-group 100 in interface outside
access-group dmz-in in interface d-priv
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
sysopt connection permit-ipsec
crypto ipsec transform-set michigan esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map ann_arbor 21 ipsec-isakmp
crypto map ann_arbor 21 match address vpn
crypto map ann_arbor 21 set peer xx.xx.xx.xx
crypto map ann_arbor 21 set transform-set michigan
crypto map ann_arbor 21 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map ann_arbor 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map ann_arbor interface outside
isakmp enable outside
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
01-04-2005 01:49 PM
Scott
I got it to work by changing "nat (d-priv) 0 access-list nonat" to "nat (d-priv) 0 access-list vpn".
I have one more problem with my VPN clients: they can only access the 192.168.50.x network. Any ideas?