vpngroups to access different network segments

ewong0088
Level 1

Hi there,

I have a PIX515E with 6.3(4) and a vpngroup running on it. This vpngroup is allowed to connect to one of our internal networks only and has been running great. Now, I need to create another vpngroup so that this second group not only can connect to the same network as group one, but in addition, this group2 needs to be able to connect to additional networks. I just don't know how to handle the nat 0 statement for the second group. (All authentication is through RADIUS, not included.)

Here's my setup (some irrelevant info excluded):

//Access List 1
access-list vpnnonat permit ip 192.168.150.0 255.255.255.0 192.168.140.0 255.255.255.0

ip local pool vpool 192.168.140.1-192.168.140.254
ip local pool vpool-two 192.168.130.1-192.168.130.254

//Access List 2
access-list vnonat2 permit ip 192.168.150.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list vnonat2 permit ip 192.168.160.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list vnonat2 permit ip 192.168.170.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list vnonat2 permit ip 192.168.180.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list vnonat2 permit ip 192.168.190.0 255.255.255.0 192.168.130.0 255.255.255.0

nat (inside) 0 access-list vpnnonat
sysopt connection permit-ipsec
isakmp nat-traversal 20

//IPSec group 1 configuration for VPN client
vpngroup vpn-one address-pool vpool
vpngroup vpn-one dns-server x.x.x.x
vpngroup vpn-one default-domain xxx.com
vpngroup vpn-one split-tunnel vpnnonat
vpngroup vpn-one idle-time 1800
vpngroup vpn-one password xxxxxxx

//IPSEC group 2
vpngroup vpn-two address-pool vpool-two
vpngroup vpn-two dns-server x.x.x.x
vpngroup vpn-two default-domain xxx.com
vpngroup vpn-two split-tunnel vnonat2
vpngroup vpn-two idle-time 1800
vpngroup vpn-two password xxxxxxx

The problem I am having is that I can’t do nat(inside) 0 access-list TWICE.

The working config uses: nat (inside) 0 access-list vpnnonat for Group 1

How about group 2? When I let it go as is for testing, i.e. with one NAT 0 statement, it allowed me to connect and I got a correct IP, which was 192.168.130.1. Beyond that I seem to be stuck. After a few connections, my VPN clients would not connect anymore. It just died. (The log said no response from peer.) After an hour or so, I can connect again. It sounds like the PIX is confused as to who is going where and clears itself out after a while.

Any help or pointer is greatly appreciated. Again, all I want to do is allow 2 different VPN groups to access our network. Group 1 is limited to the 192.168.150 network and Group 2 can connect to the 150, 160, 170, 180 networks.

6 Replies

jackko
Level 7

add the following to the existing access-l vpnnonat:

access-list vpnnonat permit ip 192.168.150.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list vpnnonat permit ip 192.168.160.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list vpnnonat permit ip 192.168.170.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list vpnnonat permit ip 192.168.180.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list vpnnonat permit ip 192.168.190.0 255.255.255.0 192.168.130.0 255.255.255.0

I was just wondering how you went with the issue.

jsteffensen
Level 1

Hi

We are using one global NONAT access-list which permits all internal IPs to the VPN client pool addresses.

To control the VPN users' access, we are using different split-tunnel access-lists for the different VPN groups.

We even use the same IP pool for all VPN groups.... But this is not mandatory at all. (This is not even always useful if you use access-lists on routers behind your PIX as extra security.)

An example config could look like this:

access-list NONAT permit ip any 172.28.254.0 255.255.255.0

ip local pool VPN-CISCO 172.18.254.1-172.18.254.254

vpngroup VPNUSERS1 address-pool VPN-CISCO
vpngroup VPNUSERS1 dns-server 192.168.1.10
vpngroup VPNUSERS1 wins-server 192.168.1.20
vpngroup VPNUSERS1 default-domain corp.local
vpngroup VPNUSERS1 split-tunnel VPN-VPNUSERS1
vpngroup VPNUSERS1 split-dns corp.local
vpngroup VPNUSERS1 idle-time 1800
vpngroup VPNUSERS1 authentication-server RADIUS
vpngroup VPNUSERS1 password ***********

vpngroup VPNUSERS2 address-pool VPN-CISCO
vpngroup VPNUSERS2 default-domain corp.local
vpngroup VPNUSERS2 split-tunnel VPN-VPNUSERS2
vpngroup VPNUSERS2 idle-time 1800
vpngroup VPNUSERS2 authentication-server RADIUS
vpngroup VPNUSERS2 password ***********

access-list VPN-VPNUSERS1 remark ### VPN-Client-Traffic Users 1 ###############################
access-list VPN-VPNUSERS1 permit ip 192.168.0.0 255.255.0.0 172.18.254.0 255.255.255.0

access-list VPN-VPNUSERS2 remark ### VPN-Client-Traffic Users 2 ###############################
access-list VPN-VPNUSERS2 permit ip host 192.168.1.10 172.18.254.0 255.255.255.0
access-list VPN-VPNUSERS2 permit ip host 192.168.1.20 172.18.254.0 255.255.255.0

We are always placing the ip local pool for the VPN Clients in a separate subnet.

Hope this helps you

Best Regards

Jarle Steffensen
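The failure mode in the original question (a second pool and a second split-tunnel ACL with no matching nat 0 exemption) and the fix above (one NONAT entry that covers the whole pool, access narrowed per group by the split-tunnel ACL) both come down to one invariant: every split-tunnel entry, and every address in every pool, must be covered by an entry of the ACL referenced by nat 0. The following checker is an added example, not code from the thread or from Cisco. It parses only the PIX 6.x syntax subset the thread uses (access-list ... permit ip with any/host/net-mask forms, ip local pool, nat (...) 0 access-list, vpngroup address-pool / split-tunnel) and reports what the exemption fails to cover. Both sample configs are constructed here: the first mirrors the poster's two-group setup, the second is in the style of the example above, with the NONAT destination and the pool made to agree (the posted example writes 172.28.254.0 in NONAT and 172.18.254.x for the pool; run as posted, the checker flags that mismatch, which is exactly the silent misconfiguration a reviewer wants surfaced before users report "no response from peer").

```python
"""Added example: check that a PIX 6.x nat 0 exemption covers every VPN
group's address pool and split-tunnel ACL. Not from the thread or Cisco."""
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the original poster's two-group config.
SAMPLE_TWO_GROUPS = """
access-list vpnnonat permit ip 192.168.150.0 255.255.255.0 192.168.140.0 255.255.255.0
ip local pool vpool 192.168.140.1-192.168.140.254
ip local pool vpool-two 192.168.130.1-192.168.130.254
access-list vnonat2 permit ip 192.168.150.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list vnonat2 permit ip 192.168.160.0 255.255.255.0 192.168.130.0 255.255.255.0
nat (inside) 0 access-list vpnnonat
vpngroup vpn-one address-pool vpool
vpngroup vpn-one split-tunnel vpnnonat
vpngroup vpn-two address-pool vpool-two
vpngroup vpn-two split-tunnel vnonat2
"""

# Constructed sample in the style of the accepted answer: one global NONAT
# entry for the pool, access narrowed per group by the split-tunnel ACL.
SAMPLE_GLOBAL_NONAT = """
access-list NONAT permit ip any 172.18.254.0 255.255.255.0
ip local pool VPN-CISCO 172.18.254.1-172.18.254.254
nat (inside) 0 access-list NONAT
vpngroup VPNUSERS1 address-pool VPN-CISCO
vpngroup VPNUSERS1 split-tunnel VPN-VPNUSERS1
vpngroup VPNUSERS2 address-pool VPN-CISCO
vpngroup VPNUSERS2 split-tunnel VPN-VPNUSERS2
access-list VPN-VPNUSERS1 permit ip 192.168.0.0 255.255.0.0 172.18.254.0 255.255.255.0
access-list VPN-VPNUSERS2 permit ip host 192.168.1.10 172.18.254.0 255.255.255.0
access-list VPN-VPNUSERS2 permit ip host 192.168.1.20 172.18.254.0 255.255.255.0
"""


def _addr(tokens, i):
    """Consume one ACL address spec (any | host A | A MASK) at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs use a netmask, which ipaddress accepts after the slash.
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (acls, pools, nat0_acl_names, groups) from the supported subset."""
    acls = defaultdict(list)    # name -> [(src_net, dst_net)]
    pools = {}                  # name -> (first_ip, last_ip)
    nat0 = []                   # ACL names referenced by 'nat (...) 0 access-list'
    groups = defaultdict(dict)  # vpngroup -> {"pool": ..., "split": ...}
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) >= 6 and tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src, i = _addr(tok, 4)
            dst, _ = _addr(tok, i)
            acls[tok[1]].append((src, dst))
        elif len(tok) >= 5 and tok[:3] == ["ip", "local", "pool"]:
            first, last = tok[4].split("-")
            pools[tok[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif len(tok) >= 5 and tok[0] == "nat" and tok[2] == "0" and tok[3] == "access-list":
            nat0.append(tok[4])
        elif len(tok) >= 4 and tok[0] == "vpngroup" and tok[2] == "address-pool":
            groups[tok[1]]["pool"] = tok[3]
        elif len(tok) >= 4 and tok[0] == "vpngroup" and tok[2] == "split-tunnel":
            groups[tok[1]]["split"] = tok[3]
    return acls, pools, nat0, groups


def check(config_text):
    """Return a list of findings; an empty list means the nat 0 exemption is consistent."""
    acls, pools, nat0_names, groups = parse_config(config_text)
    nat0 = [entry for name in nat0_names for entry in acls.get(name, [])]
    findings = []
    for group, g in sorted(groups.items()):
        pool = pools.get(g.get("pool"))
        if pool is None:
            findings.append(f"{group}: address-pool {g.get('pool')!r} is not defined")
            continue
        # Every address the client can be handed must sit inside a nat 0 destination.
        for block in ipaddress.summarize_address_range(*pool):
            if not any(block.subnet_of(dst) for _, dst in nat0):
                findings.append(f"{group}: pool block {block} is not covered by any nat 0 entry")
                break
        split = acls.get(g.get("split"))
        if split is None:
            findings.append(f"{group}: split-tunnel ACL {g.get('split')!r} is not defined")
            continue
        # Each (inside network -> pool) pair the client is told to tunnel must also be exempt from NAT.
        for src, dst in split:
            if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nat0):
                findings.append(f"{group}: split-tunnel entry {src} -> {dst} has no matching nat 0 entry")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_TWO_GROUPS) or ["no findings"]:
        print(finding)
```

Against the two-group sample the checker reports only vpn-two: its pool and both of its split-tunnel entries fall outside the single vpnnonat exemption, which is the state the poster was testing in. Against the global-NONAT sample it reports nothing, because the per-group ACLs only narrow what is tunnelled and the one NONAT entry already covers the whole pool.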

Thank you for the info. It seems your example is what I need.

Again, thank you.

Jackko,

I went with your suggestion and it works, but it is not ideal in our situation. I need finer control, so it seems Jarle's comments are more suitable to my environment.

Thank you again.

It's good to hear that you've got the right info.

Please let me give you one more piece of advice. In the near future you may need a separate group simply for security reasons, e.g. group 1 has access to server 1 whereas group 2 has access to server 2 only.

In fact, you may restrict the remote VPN access further by disabling the command "sysopt connection permit-ipsec". Nonetheless, for now keep it simple.
