I am trying to modify my configuration to be more robust and cover some scenarios I have not previously thought about. My device is a Cisco PIX 525 with IOS 8 on it.
I have a basic configuration: the cable box comes into the house and the PIX outside interface is plugged into that. The inside interface plugs into an Ethernet switch, and the rest of the network plugs into the switch. Under this current setup, I have 3 remote access groups. The first one is a full tunnel group, the second is a split tunnel, and the third one is web-only traffic for secure browsing when I am not home.
DHCP is set up, and all inside hosts can talk to the outside hosts, passing full traffic both ways and vice versa. The outside hosts on the full and split tunnel can talk to the inside hosts with full traffic.
The IP layout is as follows: 10.1.1.x is for the inside hosts, 10.1.2.x is for full tunnel, 10.1.3.x is for split tunnel, and 10.1.1.4 is for web only.
Here is my goal, with questions:
The goal is to set up a second network (a small lab) that will allow guests etc. to connect to my network but not hit anything outside of that subnet, while the inside hosts can still talk to all hosts on the 10.1.5.x subnet.
The outside VPN access is working fine. It leases a 10.1.5.x address to remote hosts connecting in. What I cannot seem to get working at this point is the DHCP part of the second network. The interface is on and turned up. When I plug anything into the NIC card, it just sits there trying to get an IP and then ultimately fails.
The config script I ran before this has the following:
ip address dhcp setroute
dns domain-lookup inside
dns domain-lookup outside
dns name-server 18.104.22.168
dns name-server 22.214.171.124
dhcpd address 10.1.1.50-10.1.1.254 inside
dhcpd dns 126.96.36.199 188.8.131.52 interface inside
dhcpd enable inside
global (outside) 101 interface
nat (inside) 101 10.0.0.0 255.0.0.0
access-list ThcInside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list ThcInside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
nat (inside) 0 access-list ThcInside-nat0
same-security-traffic permit intra-interface
object-group icmp-type ICMPObject
access-list outside_access_in extended permit icmp any any object-group ICMPObject
access-group outside_access_in in interface outside
http server enable
http 10.0.0.0 255.0.0.0 inside
logging asdm informational
no asdm history enable
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto isakmp nat-traversal 30
inspect icmp error
username blahblah password blahblah
crypto ipsec transform-set THCTransformSet esp-aes-256 esp-sha-hmac
My additions to try to get my objective working are as follows:
ip address 10.1.5.1 255.255.255.0
dns domain-lookup lab
nat (lab) 0 access-list ThcInside-nat0
nat (lab) 101 10.0.0.0 255.0.0.0
dhcpd address 10.1.5.2-10.1.5.254 lab
dhcpd dns 184.108.40.206 10.1.1.1 interface lab
dhcpd enable lab
http 10.0.0.0 255.0.0.0 lab
access-list ThcInside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0
nat (outside) 101 10.1.5.0 255.255.255.0
ip local pool ThcIPLabOnlyTunnelPool 10.1.5.1-10.1.5.254 mask 255.255.255.0
group-policy THCLabOnlyTunnel internal
group-policy THCLabOnlyTunnel attributes
dns-server value 220.127.116.11 18.104.22.168
wins-server value 10.1.1.3
tunnel-group THCLabOnlyTunnel type ipsec-ra
tunnel-group THCLabOnlyTunnel general-attributes
tunnel-group THCLabOnlyTunnel ipsec-attributes
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface lab
Not sure how you would configure it, as I've only worked with ASAs, and mainly via ASDM!
However, I would say set up a new IP pool for your new VPN, then configure a NAT exempt statement for this new pool, only giving them access to the specific subnet or hosts?
Obviously you have the option to setup with a split tunnel.
Yeah, I did what I thought was all of that, and it still will not get an IP address. That was the point of my post.
Starting to think it's the security level on the interface. They are both set to 100, but I have set the same-security permit intra command. Maybe the inspection policy isn't letting traffic through?
Is there a way to compare the configuration of one NIC to another NIC?
I think you're saying you're having trouble with getting DHCP to work on the lab interface.
Have you tried shrinking your ThcIPLabOnlyTunnelPool and the DHCP address space so they don't overlap? I'm not an expert on PIX DHCP, but I doubt the local pool and DHCP database are syncing data so that they know not to assign addresses already in use.
Did you run wireshark on a client connected to the lab interface? Debug DHCP on the PIX?
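The overlap the last reply points at can be checked mechanically. The script below is an added example, not something posted in this thread: it parses the `dhcpd address`, `ip local pool` and interface `ip address` statements out of a PIX/ASA config fragment and reports every pair of ranges that share addresses. The sample input is constructed from the additions posted above, and it assumes the bare `ip address 10.1.5.1 255.255.255.0` line belongs to the lab interface (the post does not show the enclosing `interface` stanza). It handles any number of pools, not just the two in this thread.

```python
"""Report colliding address ranges in a PIX/ASA config fragment.

A VPN 'ip local pool' and a 'dhcpd address' range that both hand out
addresses from the same subnet are not coordinated by the firewall, so
the same address can be leased twice. This script finds such overlaps,
including a pool that swallows the interface's own address.
"""
import ipaddress
import re

# Constructed from the config additions posted in the thread (assumed to
# be the lab interface's 'ip address' line); not a capture from a device.
SAMPLE_CONFIG = """\
ip address 10.1.5.1 255.255.255.0
dhcpd address 10.1.5.2-10.1.5.254 lab
dhcpd enable lab
ip local pool ThcIPLabOnlyTunnelPool 10.1.5.1-10.1.5.254 mask 255.255.255.0
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
RANGE_RE = re.compile(rf"({IPV4})-({IPV4})")
DHCPD_RE = re.compile(r"^dhcpd address (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)")
IFACE_RE = re.compile(rf"^ip address ({IPV4}) ({IPV4})$")


def parse_range(text):
    """'a.b.c.d-w.x.y.z' -> (first, last) as IPv4Address objects."""
    m = RANGE_RE.fullmatch(text)
    if not m:
        raise ValueError(f"not an address range: {text!r}")
    first = ipaddress.IPv4Address(m.group(1))
    last = ipaddress.IPv4Address(m.group(2))
    if last < first:
        raise ValueError(f"range runs backwards: {text!r}")
    return first, last


def parse_ranges(config):
    """Return {label: (first, last)} for every address-assigning statement."""
    ranges = {}
    for line in config.splitlines():
        line = line.strip()
        if m := DHCPD_RE.match(line):
            ranges[f"dhcpd {m.group(2)}"] = parse_range(m.group(1))
        elif m := POOL_RE.match(line):
            ranges[f"pool {m.group(1)}"] = parse_range(m.group(2))
        elif m := IFACE_RE.match(line):
            # The interface address is a one-address range; no pool may contain it.
            addr = ipaddress.IPv4Address(m.group(1))
            ranges[f"interface {addr}"] = (addr, addr)
    return ranges


def overlaps(a, b):
    """Inclusive interval test: do (first, last) pairs a and b share an address?"""
    return a[0] <= b[1] and b[0] <= a[1]


def find_conflicts(config):
    """Return [(label_a, label_b, first_shared, last_shared), ...] in label order."""
    ranges = parse_ranges(config)
    labels = sorted(ranges)
    found = []
    for i, x in enumerate(labels):
        for y in labels[i + 1:]:
            if overlaps(ranges[x], ranges[y]):
                lo = max(ranges[x][0], ranges[y][0])
                hi = min(ranges[x][1], ranges[y][1])
                found.append((x, y, str(lo), str(hi)))
    return found


if __name__ == "__main__":
    conflicts = find_conflicts(SAMPLE_CONFIG)
    if not conflicts:
        print("no overlapping address ranges")
    for x, y, lo, hi in conflicts:
        print(f"OVERLAP: {x} and {y} both cover {lo}-{hi}")
```

Run against the posted fragment it flags two collisions: the VPN pool overlaps the whole DHCP range (10.1.5.2-10.1.5.254), and it also contains the interface address 10.1.5.1. Carving the subnet so DHCP and the VPN pool use disjoint ranges that both exclude the interface address makes the report come back empty.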