08-30-2005 03:35 AM - edited 02-21-2020 12:21 AM
Pix 515 V7.0.2: Road-warriors create VPN connections through the "outside" interface. Now I would like to have ALL traffic arriving via the tunnel directed to the inside interface. As "road-warriors" have no fixed IP address, I have a default route to the outside interface. In addition I have static routes towards the inside interface into our LAN. So things are working as expected as long as road-warriors connect to hosts in our LAN. But as soon as they try to connect to the Internet this doesn't work. I assume the Pix directs the packets back to "outside" because of the default route. Instead they should go through "inside". Is there a way to achieve what I want? I tried a default route to "inside" with the "tunneled" statement with no luck.
Regards,
Christoph Gartmann
08-30-2005 10:22 AM
Sounds like the classic problem of pixen not allowing traffic to leave the same interface it came in on. VPN users' internet traffic wants to enter and leave the outside interface. 7.0 changed this -
same-security-traffic permit intra-interface
is a new command that tells the PIX to allow traffic to leave the same interface it came in on.
Check out pix 1 in that config - it is the config for both end user VPNs, and hub and spoke VPNs. You should be able to get a feel from it for how you can allow VPN users to have internet access.
08-30-2005 01:44 PM
No, this is not the case. VPN connections arrive on the outside interface. All I want is this: the packets from the VPN tunnel should all go through the inside interface (once they have been decrypted).
I tried a default route to "outside" and a default route "tunneled" to inside but this doesn't work.
It looks as if I need policy routing, e.g. route all packets with a source address of the VPN address pool towards inside. In fact, interface inside is part of a VLAN and I would like to put the traffic arriving through VPN into this VLAN, even the traffic that is directed toward the Internet. This VLAN has its own connection to the internet which is not via this "VPN pix" in question.
The V7.0 docs claim that it is somehow possible but I couldn't find an example.
Regards,
Christoph Gartmann
09-01-2005 07:25 PM
Hi,
Would you please post the configuration?
09-07-2005 03:59 AM
PIX Version 7.0(2)
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 195.37.33.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.38 255.255.255.0
!
access-list aclinside extended permit ip any host 10.1.5.79
access-list testlist extended permit ip any any
ip local pool adpool 10.1.5.79 mask 255.255.0.0
no asdm history enable
arp timeout 1800
nat-control
nat (inside) 0 access-list aclinside
route outside 0.0.0.0 0.0.0.0 195.37.33.254 1
route inside 192.129.30.0 255.255.255.0 192.168.1.254 1
route inside 0.0.0.0 0.0.0.0 192.168.1.254 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.129.30.6
timeout 5
key zzz
group-policy authentication-server internal
group-policy authentication-server attributes
vpn-idle-timeout 30
group-policy authentication internal
group-policy authentication attributes
vpn-idle-timeout 30
group-policy mpivpn internal
group-policy mpivpn attributes
banner value Welcome to MPIIB-VPN
vpn-idle-timeout 30
default-domain value immunbio.mpg.de
user-authentication enable
client-access-rule none
username admin password xyzxyz encrypted privilege 15
aaa authentication secure-http-client
sysopt noproxyarp inside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address testlist
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 20 match address testlist
crypto map outside_map 20 set transform-set ESP-3DES-MD5 ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
ssh timeout 5
ssh version 1
console timeout 0
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) RADIUS
tunnel-group mpivpn type ipsec-ra
tunnel-group mpivpn general-attributes
address-pool adpool
authentication-server-group (outside) RADIUS
default-group-policy mpivpn
tunnel-group mpivpn ipsec-attributes
pre-shared-key defcon13
authorization-required
tunnel-group authentication type ipsec-ra
tunnel-group authentication general-attributes
authentication-server-group (outside) RADIUS
default-group-policy authentication
!
: end
09-07-2005 04:42 AM
Just a word to the wise. Anytime someone makes a request to post your config take some time to sanitize it first by removing sensitive information like public IP addresses and items of this nature. This is a public forum that goes out to at least several thousand people including networking experts that now have detailed knowledge of your PIX config.
09-09-2005 07:29 AM
Meanwhile we solved the problem: the addresses used in the pool are now from the same network as the IP address of the inside interface. "ip route 0 0 a.b.c.d tunneled" does exactly what we want - route everything from the tunnel to "a.b.c.d" unless there is an explicit route.
By the way: passwords in my config are faked, IP addresses are only temporary.
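The two approaches discussed in this thread (the first reply's hairpinning via same-security-traffic, and the final fix of moving the pool into the inside subnet plus a tunneled default route), laid side by side as PIX 7.0 configuration fragments. This is an added example, not configuration from the original posts. Interface names, the gateways 195.37.33.254 and 192.168.1.254, the pool name adpool and the ACL name aclinside are taken from the posted config; the pool range 192.168.1.200-192.168.1.220 and the matching /27 in the NAT exemption ACL are constructed values illustrating "same network as the inside interface", not the poster's real addresses.

```text
! --- As posted (not working): pool outside the inside subnet ---
! The tunneled default route exists, but the pool (10.1.5.0/16) is
! unrelated to the inside network 192.168.1.0/24.
ip local pool adpool 10.1.5.79 mask 255.255.0.0
route outside 0.0.0.0 0.0.0.0 195.37.33.254 1
route inside 0.0.0.0 0.0.0.0 192.168.1.254 tunneled

! --- Option A (the poster's final fix) ---
! Pool carved out of the inside subnet (constructed range), plus the
! tunneled default route. Decrypted client traffic with no more specific
! route is sent to 192.168.1.254 on inside; the ordinary default route
! toward outside still serves the firewall's non-tunnel traffic.
ip local pool adpool 192.168.1.200-192.168.1.220 mask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 195.37.33.254 1
route inside 192.129.30.0 255.255.255.0 192.168.1.254 1
route inside 0.0.0.0 0.0.0.0 192.168.1.254 tunneled
! The NAT exemption ACL referenced the old pool host and must follow the
! new pool range (192.168.1.192/27 covers .200-.220).
access-list aclinside extended permit ip any 192.168.1.192 255.255.255.224
nat (inside) 0 access-list aclinside
! Check (assumption, not stated in the thread): with pool addresses
! inside the LAN subnet, LAN hosts resolve them by ARP on the inside
! segment, so the posted "sysopt noproxyarp inside" is worth reviewing.

! --- Option B (the first reply's suggestion, hairpinning) ---
! Keep client internet traffic on outside instead; the PIX must then be
! allowed to send traffic back out the interface it arrived on.
same-security-traffic permit intra-interface
```

Option A keeps every decrypted packet on the inside VLAN, so the VLAN's own internet connection and its filtering apply to the VPN users; Option B sends their internet traffic straight back out of the VPN firewall, bypassing the LAN path entirely. Which one is appropriate depends on where the outbound policy is meant to be enforced.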