Showing results for 
Search instead for 
Did you mean: 
Join Customer Connection to register!
jeff slansky

I guess my question is just too difficult for everyone

I am trying to modify my configuration to be more robust and cover some scenarios I have not previously thought about. My device is a cisco pix 525 with ios 8 on it.

I have a basic configuration, the cable box comes into the house and the pix outside interface is plugged into that. The inside interface plugs into a ethernet switch, and the rest of the network plugs into the switch.under this current setup, I have 3 remote access groups. the first one is a full tunnel group, the second is a split tunnel, and the third one is web only traffic for secure browsng when I am not home.

DHCP is setup and all inside hosts can talk to the outside hosts passing full traffic both ways and vice versa, the outside hosts on the full and split tunnel can talk to the inside hosts with full traffic.

The IP layout is as follows: 10.1.1.x is for the inside hosts, 10.1.2 is for full tunnel, 10.1.3 is for split tunnel, is for web only.

Here is my goal with questions:

The goal is to setup a second network(a small lab) which will allow guests etc to connect to my network but not hit anything outside of that subnet, while the inside hosts can still talk to all hosts on the 10.1.5. subnet

  • I can plug a switch into the ethernet2 nic, and have everything on ethernet2 get an ip range of 10.1.5.x?
  • Can I configure a new vpn group that also allows anyone connected to it to only see hosts in 10.1.5.x?
  • Can I set it up so that anything on 10.1.1.x, 10.1.2.x and 10.1.3.x can have access to the hosts in 10.1.5.x but not allow it the other way around?

The outside VPN access is working fine. it leases a 10.1.5.x address to remote hosts connecting in. what I can not seem to get at this point is the second network DHCP part working. The interface is on and turned up. When I plug anything into the NIC card it just sits there trying to get an IP and then ultimately fails.


The config script I ran before this has the following:

configure terminal
interface ethernet0
nameif outside
ip address dhcp setroute
no shutdown

dns domain-lookup inside
dns domain-lookup outside
dns name-server
dns name-server

dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside

global (outside) 101 interface
nat (inside) 101
access-list ThcInside-nat0 extended permit ip
access-list ThcInside-nat0 extended permit ip
nat (inside) 0 access-list ThcInside-nat0

same-security-traffic permit intra-interface

object-group icmp-type ICMPObject
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable

access-list outside_access_in extended permit icmp any any object-group ICMPObject
access-group outside_access_in in interface outside

http server enable
http inside
logging asdm informational
no asdm history enable

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto isakmp nat-traversal 30

policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error

username blahblah password blahblah
crypto ipsec transform THCTransformSet esp-aes-256 esp-sha-hmac



My additions to try to get my objective working are as follows:

interface ethernet2
nameif lab
ip address
no shutdown

dns domain-lookup lab

nat (lab) 0 access-list ThcInside-nat0
nat (lab) 101
dhcpd address lab
dhcpd dns interface lab
dhcpd enable lab
http lab

access-list ThcInside-nat0 extended permit ip


nat (outside) 101
ip local pool ThcIPLabOnlyTunnelPool mask
group-policy THCLabOnlyTunnel internal
group-policy THCLabOnlyTunnel attributes
 dns-server value
 wins-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
tunnel-group THCLabOnlyTunnel type ipsec-ra
tunnel-group THCLabOnlyTunnel general-attributes
 address-pool ThcIPLAbOnlyTunnelPool
 default-group-policy THCLabOnlyTunnel
 tunnel-group THCLabOnlyTunnel ipsec-attributes
 pre-shared-key blahblah
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface lab




Not sure no how your would configure it as I've only worked with ASA's and mainly via ASDM!

However I would say set up an new IP pool for your new VPN then configure a NAT exempt statement for this new pool only giving them access to the specific subnet or hosts?

Obviously you have the option to setup with a split tunnel.

Good luck!

jeff slansky

yea, I did what I thought, was all of that and it still will not get an ip address. that was the point of my post.


starting to think its security levol on the interface. they are both set to 100 but I have set the same security permit intra command. maybe the inspection policy isn't letting traffic through?

is there a way to compare configurations for one nic to another nic?


I think you're saying you're having trouble with getting DHCP to work on the lab interface.

Have you tried shrinking your ThcIPLabOnlyTunnelPool and the DHCP address space so they don't overlap? I'm not an expert on PIX DHCP but I doubt the local pool and DHCP database are synching data so that they know not to assign addresses already in use.

Did you run wireshark on a client connected to the lab interface? Debug DHCP on the PIX?