07-16-2005 08:37 AM - edited 02-21-2020 12:16 AM
Hi there,
I have a PIX515E with 6.3(4) and a vpngroup running on it. This vpngroup is allowed to connect to one of our internal networks only and has been running great. Now, I need to create another vpngroup so that this second group not only can connect to the same network as group one, but in addition, this group2 needs to be able to connect to additional networks. I just don't know how to handle the nat 0 statement for the second group. (All authentications are thru radius, not included.)
Here's my setup (some irrelevant info excluded):
//Access List 1
access-list vpnnonat permit ip 192.168.150.0 255.255.255.0 192.168.140.0 255.255.255.0
ip local pool vpool 192.168.140.1-192.168.140.254
ip local pool vpool-two 192.168.130.1-192.168.130.254
//Access List 2
access-list vnonat2 permit ip 192.168.150.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list vnonat2 permit ip 192.168.160.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list vnonat2 permit ip 192.168.170.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list vnonat2 permit ip 192.168.180.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list vnonat2 permit ip 192.168.190.0 255.255.255.0 192.168.130.0 255.255.255.0
nat (inside) 0 access-list vpnnonat
sysopt connection permit-ipsec
isakmp nat-traversal 20
//IPSec group 1 configuration for VPN client
vpngroup vpn-one address-pool vpool
vpngroup vpn-one dns-server x.x.x.x
vpngroup vpn-one default-domain xxx.com
vpngroup vpn-one split-tunnel vpnnonat
vpngroup vpn-one idle-time 1800
vpngroup vpn-one password xxxxxxx
//IPSEC group 2
vpngroup vpn-two address-pool vpool-two
vpngroup vpn-two dns-server x.x.x.x
vpngroup vpn-two default-domain xxx.com
vpngroup vpn-two split-tunnel vnonat2
vpngroup vpn-two idle-time 1800
vpngroup vpn-two password xxxxxxx
The problem I am having is that I can't do nat (inside) 0 access-list TWICE.
The working config uses: nat (inside) 0 access-list vpnnonat for Group 1
How about group 2? When I let it go as is for testing, i.e. with one NAT 0 statement, it allows me to connect and I got a correct IP, which was 192.168.130.1. Beyond that I seem to be stuck. After a few connections, my VPN clients would not connect anymore. It just died. (Log said no response from peer.) After an hour or so, I can connect again. Sounded like the PIX is confused as to who is going where and clears itself out after a while.
Any help or pointer is greatly appreciated. Again,
all I want to do is to allow 2 different VPN groups to access our network. Group 1 is limited to the 192.168.150 network and Group 2 can connect to the 150, 160, 170, 180 networks.
07-18-2005 05:03 PM
add the following to the existing access-l vpnnonat:
access-list vpnnonat permit ip 192.168.150.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list vpnnonat permit ip 192.168.160.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list vpnnonat permit ip 192.168.170.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list vpnnonat permit ip 192.168.180.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list vpnnonat permit ip 192.168.190.0 255.255.255.0 192.168.130.0 255.255.255.0
07-20-2005 09:25 PM
I was just wondering how you went with the issue.
07-21-2005 12:23 AM
Hi
We are using one Global NONAT access-list which permits all internal IPs to the VPN client pool addresses.
To control the VPN users' access, we are using different split-tunnel access-lists for the different VPN groups.
We even use the same IP pool for all VPN groups.... But this is not mandatory at all (this is even not always useful, if you use access-lists on routers behind your PIX as extra security).
An example config could look like this:
access-list NONAT permit ip any 172.18.254.0 255.255.255.0
ip local pool VPN-CISCO 172.18.254.1-172.18.254.254
vpngroup VPNUSERS1 address-pool VPN-CISCO
vpngroup VPNUSERS1 dns-server 192.168.1.10
vpngroup VPNUSERS1 wins-server 192.168.1.20
vpngroup VPNUSERS1 default-domain corp.local
vpngroup VPNUSERS1 split-tunnel VPN-VPNUSERS1
vpngroup VPNUSERS1 split-dns corp.local
vpngroup VPNUSERS1 idle-time 1800
vpngroup VPNUSERS1 authentication-server RADIUS
vpngroup VPNUSERS1 password ***********
vpngroup VPNUSERS2 address-pool VPN-CISCO
vpngroup VPNUSERS2 default-domain corp.local
vpngroup VPNUSERS2 split-tunnel VPN-VPNUSERS2
vpngroup VPNUSERS2 idle-time 1800
vpngroup VPNUSERS2 authentication-server RADIUS
vpngroup VPNUSERS2 password ***********
access-list VPN-VPNUSERS1 remark ### VPN-Client-Traffic Users 1 ###############################
access-list VPN-VPNUSERS1 permit ip 192.168.0.0 255.255.0.0 172.18.254.0 255.255.255.0
access-list VPN-VPNUSERS2 remark ### VPN-Client-Traffic Users 2 ###############################
access-list VPN-VPNUSERS2 permit ip host 192.168.1.10 172.18.254.0 255.255.255.0
access-list VPN-VPNUSERS2 permit ip host 192.168.1.20 172.18.254.0 255.255.255.0
We are always placing the ip local pool for the VPN clients in a separate subnet.
Hope this helps you
Best Regards
Jarle Steffensen
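Added example, not from the thread or from Cisco: a small Python linter over a constructed PIX 6.3 fragment in the layout Jarle describes (one nat 0 ACL, one shared pool, per-group split-tunnel ACLs). It checks that every vpngroup's pool is exempted by exactly one nat 0 access-list and that each split-tunnel entry actually points at that pool, which is the kind of mismatch the original post ran into. The parser only knows the `access-list ... permit ip`, `ip local pool`, `nat (inside) 0` and `vpngroup` line forms used here.

```python
import ipaddress
# Constructed PIX 6.3 fragment modelled on the thread: one nat 0 ACL, one shared pool, per-group split-tunnel ACLs.
SAMPLE_CONFIG = """
access-list NONAT permit ip any 172.18.254.0 255.255.255.0
ip local pool VPN-CISCO 172.18.254.1-172.18.254.254
nat (inside) 0 access-list NONAT
vpngroup VPNUSERS1 address-pool VPN-CISCO
vpngroup VPNUSERS1 split-tunnel VPN-VPNUSERS1
vpngroup VPNUSERS2 address-pool VPN-CISCO
vpngroup VPNUSERS2 split-tunnel VPN-VPNUSERS2
access-list VPN-VPNUSERS1 permit ip 192.168.0.0 255.255.0.0 172.18.254.0 255.255.255.0
access-list VPN-VPNUSERS2 permit ip host 192.168.1.10 172.18.254.0 255.255.255.0
"""

def _net(tok):
    """Consume one PIX address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse(config):  # collect permit ACEs, pools, vpngroup attributes and nat 0 ACL names
    acls, pools, groups, nat0 = {}, {}, {}, []
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "access-list" and t[2] == "permit":
            src, rest = _net(t[4:])
            acls.setdefault(t[1], []).append((src, _net(rest)[0]))
        elif t[:3] == ["ip", "local", "pool"]:
            pools[t[3]] = tuple(ipaddress.ip_address(a) for a in t[4].split("-"))
        elif t[:3] == ["nat", "(inside)", "0"]:
            nat0.append(t[4])
        elif t[0] == "vpngroup":
            groups.setdefault(t[1], {})[t[2]] = t[3]
    return acls, pools, groups, nat0

def check(config):
    """Return findings: wrong nat 0 count, pools not exempted from NAT, split-tunnel entries not matching the pool."""
    acls, pools, groups, nat0 = parse(config)
    findings = [] if len(nat0) == 1 else [f"expected one 'nat (inside) 0 access-list', found {len(nat0)}"]
    exempt = [dst for name in nat0 for _, dst in acls.get(name, [])]
    for gname, g in groups.items():
        lo, hi = pools[g["address-pool"]]
        if not any(lo in d and hi in d for d in exempt):
            findings.append(f"{gname}: pool {lo}-{hi} is not exempted by the nat 0 ACL")
        for src, dst in acls.get(g.get("split-tunnel"), []):
            if not (lo in dst and hi in dst):
                findings.append(f"{gname}: split-tunnel entry {src} -> {dst} does not cover the pool")
    return findings
```

Running `check()` on the clean fragment returns no findings; feeding it the original poster's layout (a second pool that the nat 0 ACL never mentions) reports that pool for every group that uses it.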
07-21-2005 03:23 AM
Thank you for the info. It seems your example is what I need.
Again, thank you.
07-21-2005 03:31 AM
Jackko,
I went with your suggestion and it works but not ideal in our situation. I need finer control so it seems Jarle's comments are more suitable to my environment.
Thank you again.
07-25-2005 08:34 PM
It's good to hear that you've got the right info.
Please let me give you one more piece of advice. In the near future you may need a separate group simply for security reasons, e.g. group 1 has access to server 1 whereas group 2 has access to server 2 only.
In fact, you may restrict the remote VPN access further by disabling the command "sysopt connection permit-ipsec". Nonetheless, for now keep it simple.