Separate routing for VPN traffic on Pix?

cgartmann
Level 1

Pix 515 V7.0.2: Road-warriors create VPN connections through the "outside" interface. Now I would like to have ALL traffic arriving via the tunnel directed to the inside interface. As road-warriors have no fixed IP address, I have a default route to the outside interface. In addition I have static routes towards the inside interface into our LAN. So things are working as expected as long as road-warriors connect to hosts in our LAN. But as soon as they try to connect to the Internet this doesn't work. I assume the Pix directs the packets back to "outside" because of the default route. Instead they should go through "inside". Is there a way to achieve what I want? I tried a default route to "inside" with the "tunneled" statement with no luck.

Regards,

Christoph Gartmann

6 Replies

mostiguy
Level 6

Sounds like the classic problem of pixen not allowing traffic to leave the same interface it came in on. VPN users' Internet traffic wants to enter and leave the outside interface. 7.0 changed this -

same-security-traffic permit intra-interface

is a new command that tells the PIX to allow traffic to leave the same interface it came in on.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

Check out pix 1 in that config - it is the config for both end-user VPNs and hub-and-spoke VPNs. You should be able to get a feel from it for how you can allow VPN users to have Internet access.
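
As an added illustration of the hairpin approach described in the reply above (this is not configuration from the thread or from the poster), here is what the relevant PIX 7.0 lines would look like. It reuses the interface names from the thread; the pool range 10.1.5.0/24, the NAT ID 1, the ACL name and the group-policy name are assumptions.

```cisco
! Added example, not the poster's config: VPN clients terminate on "outside"
! and their Internet traffic must leave "outside" again ("hairpinning").
! Assumed client pool: 10.1.5.0/24 (the thread's pool is a single address).
same-security-traffic permit intra-interface
!
ip local pool adpool 10.1.5.10-10.1.5.250 mask 255.255.255.0
!
! nat-control is on in the posted config, so the u-turned traffic needs a
! translation: hide the private pool behind the outside interface address.
! Without this rule the clients' private source addresses would be sent
! toward the Internet untranslated and the replies would never come back.
global (outside) 1 interface
nat (outside) 1 10.1.5.0 255.255.255.0
!
! Keep LAN <-> client traffic untranslated (NAT exemption, as in the thread).
access-list aclinside extended permit ip 192.168.1.0 255.255.255.0 10.1.5.0 255.255.255.0
nat (inside) 0 access-list aclinside
!
! Send all client traffic through the tunnel so these rules actually apply.
group-policy mpivpn attributes
 split-tunnel-policy tunnelall
```

With this in place a client's web session shows up twice in "show conn" (the decrypted inbound leg and the translated outbound leg) and once in "show xlate". Note that this is the opposite of what the original poster asks for: it sends client Internet traffic back out through the PIX's own outside link rather than into the inside VLAN.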

No, this is not the case. VPN connections arrive on the outside interface. All I want is this: the packets from the VPN tunnel should all go through the inside interface (once they have been decrypted).

I tried a default route to "outside" and a default route "tunneled" to inside but this doesn't work.

It looks as if I need policy routing, e.g. route all packets with a source address of the VPN address pool towards inside. In fact, interface inside is part of a VLAN and I would like to put the traffic arriving through VPN into this VLAN, even the traffic that is directed toward the Internet. This VLAN has its own connection to the internet which is not via this "VPN pix" in question.

The V7.0 docs claim that it is somehow possible but I couldn't find an example.

Regards,

Christoph Gartmann

Hi,

Would you please post the configuration?

PIX Version 7.0(2)
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 195.37.33.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.38 255.255.255.0
!
access-list aclinside extended permit ip any host 10.1.5.79
access-list testlist extended permit ip any any
ip local pool adpool 10.1.5.79 mask 255.255.0.0
no asdm history enable
arp timeout 1800
nat-control
nat (inside) 0 access-list aclinside
route outside 0.0.0.0 0.0.0.0 195.37.33.254 1
route inside 192.129.30.0 255.255.255.0 192.168.1.254 1
route inside 0.0.0.0 0.0.0.0 192.168.1.254 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.129.30.6
 timeout 5
 key zzz
group-policy authentication-server internal
group-policy authentication-server attributes
 vpn-idle-timeout 30
group-policy authentication internal
group-policy authentication attributes
 vpn-idle-timeout 30
group-policy mpivpn internal
group-policy mpivpn attributes
 banner value Welcome to MPIIB-VPN
 vpn-idle-timeout 30
 default-domain value immunbio.mpg.de
 user-authentication enable
 client-access-rule none
username admin password xyzxyz encrypted privilege 15
aaa authentication secure-http-client
sysopt noproxyarp inside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address testlist
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 20 match address testlist
crypto map outside_map 20 set transform-set ESP-3DES-MD5 ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
ssh timeout 5
ssh version 1
console timeout 0
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) RADIUS
tunnel-group mpivpn type ipsec-ra
tunnel-group mpivpn general-attributes
 address-pool adpool
 authentication-server-group (outside) RADIUS
 default-group-policy mpivpn
tunnel-group mpivpn ipsec-attributes
 pre-shared-key defcon13
 authorization-required
tunnel-group authentication type ipsec-ra
tunnel-group authentication general-attributes
 authentication-server-group (outside) RADIUS
 default-group-policy authentication
!
: end

Just a word to the wise. Anytime someone makes a request to post your config take some time to sanitize it first by removing sensitive information like public IP addresses and items of this nature. This is a public forum that goes out to at least several thousand people including networking experts that now have detailed knowledge of your PIX config.

Meanwhile we solved the problem: the addresses used in the pool are now from the same network as the IP address of the inside interface. "ip route 0 0 a.b.c.d tunneled" does exactly what we want - route everything from the tunnel to "a.b.c.d" unless there is an explicit route.

By the way: passwords in my config are faked, IP addresses are only temporary.
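
As an added example of the solution described in the post above (this is not the poster's final configuration, which was never published in the thread), here are the lines that change relative to the posted config. The pool range 192.168.1.200-192.168.1.220 and the covering ACL are assumptions; the inside address, the inside gateway 192.168.1.254 and the outside gateway come from the posted config.

```cisco
! Added example, not the poster's config: route all decrypted tunnel traffic
! toward the inside gateway, which has its own Internet connection.
! Assumed pool: 192.168.1.200-192.168.1.220, inside the inside subnet.
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.38 255.255.255.0
!
ip local pool adpool 192.168.1.200-192.168.1.220 mask 255.255.255.0
!
! Ordinary default route: used by the PIX itself and by non-tunnel traffic.
route outside 0.0.0.0 0.0.0.0 195.37.33.254 1
! Tunneled default route: consulted only for traffic that arrived through a
! VPN tunnel, after any more-specific route. Unlike the posted config, the
! metric is given explicitly before the keyword.
route inside 0.0.0.0 0.0.0.0 192.168.1.254 1 tunneled
!
! nat-control is on, so exempt LAN <-> client traffic from translation.
! 192.168.1.192/27 covers the assumed pool range.
access-list aclinside extended permit ip any 192.168.1.192 255.255.255.224
nat (inside) 0 access-list aclinside
```

"show route" lists the tunneled default separately from the ordinary one, and the "route inside 192.129.30.0 ..." entry from the posted config still wins for that LAN because it is more specific. The return path is the part that bit the poster: the gateway at 192.168.1.254 must be able to hand packets for the pool addresses back to the PIX inside interface, which is why the pool was moved into the inside subnet rather than left at 10.1.5.x with no route back from the LAN. Two unrelated items in the posted config are worth fixing at the same time: the esp-des transform set, the md5 ISAKMP hash and "ssh version 1" are all weak; prefer AES or at least 3DES with SHA, and "ssh version 2".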
