Additional interface access through VPN tunnel

k.nebroski
Community Member

Hi,

I have a PIX 515e running 6.3(3). I have a couple tunnels that terminate on Int4 and they access devices on that segment (10.82.1.0/24). I would like the remote sites to be able to access 2 devices that are on my inside interface (192.168.1.7,8) and a couple (or all) of the devices on the inside interface to access the remote devices through the VPN tunnel.

Is that possible or do I have to set up my VPN termination differently?

Thanks

4 Replies

Patrick Iseli
Level 11

Yes, this is possible, but you need to modify the VPN and NONAT access-lists. The ACL names are probably different, but it is the same concept.

Check that the routing is functioning correctly, especially if the inside host does not have the PIX as its default gateway. In the worst case, manually add a default route on the two servers that you want to reach from the VPN peer side.

example:

PIX(config)# access-list NONAT permit ip 192.0.0.0 255.0.0.0 Externalnet ESubnet

PIX(config)# access-list NONAT permit ip 10.82.1.0 255.255.255.0 Externalnet ESubnet

PIX(config)# nat (inside) 0 access-list NONAT

PIX(config)# access-list VPN permit ip 192.0.0.0 255.0.0.0 Externalnet ESubnet

PIX(config)# access-list VPN permit ip 10.82.1.0 255.255.255.0 Externalnet ESubnet

PIX(config)# crypto map REMOTEVPN 10 match address VPN

See also:

http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration

sincerely

Patrick

k.nebroski
Community Member

Thanks for your reply Patrick.

I think I have everything covered but may be missing something, I'm also very new to this stuff.

I have a couple remote offices that will tunnel into our inside segment; this works well. I have a couple clients that tunnel into int4; this works well too. Currently I have these ACLs:

access-list vpn1 permit ip myinside remotesite1

access-list vpn1 permit ip myinside remotesite2

access-list vpn2 permit ip myint4 custsite1

access-list vpn2 permit ip myint4 custsite2

etc,

nat (inside) 0 access-list vpn1

nat (int4) 0 access-list vpn2

crypto map rmap 10 match address vpn1

crypto map rmap 20 match address vpn2

Because I'm using two end points for the tunnels (inside & int4) I figured I needed 2 nat statements and access-lists.

Do I just add the additional entry to the other access-lists?

Have I made this more complicated than it needs to be?

Thanks again.

No, that is ok.

Because 2 endpoints = 2 NONATs!!

sincerely

Patrick
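As an added illustration of Patrick's two replies (this is not configuration from the thread or from Cisco), here is how the extra entries would look when applied to the ACL layout in k.nebroski's post. The subnet names in CAPS (CUSTSITE1/CUSTMASK1, REMOTESITE1/REMOTEMASK1, INT4_NEXTHOP) and the list name NONAT_INSIDE are assumed placeholders; only the two inside hosts 192.168.1.7 and 192.168.1.8 and the existing list and crypto map names come from the thread.

```cisco
! Added example, not from the original thread. Names in CAPS are placeholders.
!
! 1. Crypto ACL for the customer tunnels (crypto map rmap 20). Only the two
!    inside hosts are added, so the tunnel carries the minimum set of flows
!    and the inside segment as a whole is not exposed to the customer sites.
access-list vpn2 permit ip host 192.168.1.7 CUSTSITE1 CUSTMASK1
access-list vpn2 permit ip host 192.168.1.8 CUSTSITE1 CUSTMASK1
!
! 2. NAT exemption on the inside interface. nat (inside) 0 takes a single
!    access-list, and vpn1 is already the crypto ACL for the remote-office
!    tunnels, so a dedicated NONAT list (the NONAT/VPN split Patrick shows)
!    keeps NAT exemption separate from tunnel selection. Re-issuing
!    nat (inside) 0 replaces the earlier "nat (inside) 0 access-list vpn1";
!    the remote-office flows therefore have to be carried over into it.
access-list NONAT_INSIDE permit ip 192.168.1.0 255.255.255.0 REMOTESITE1 REMOTEMASK1
access-list NONAT_INSIDE permit ip host 192.168.1.7 CUSTSITE1 CUSTMASK1
access-list NONAT_INSIDE permit ip host 192.168.1.8 CUSTSITE1 CUSTMASK1
nat (inside) 0 access-list NONAT_INSIDE
!
! 3. Crypto map entries are unchanged; the new vpn2 lines are picked up by entry 20.
crypto map rmap 10 match address vpn1
crypto map rmap 20 match address vpn2
!
! 4. Routing (Patrick's second point). Assumption: if the customer tunnels'
!    crypto map is applied on int4 rather than on the outside interface, the
!    PIX needs a route for the customer subnet out int4 so inside traffic
!    reaches the interface where that crypto map is checked.
route int4 CUSTSITE1 CUSTMASK1 INT4_NEXTHOP 1
!
! Verification after the change: vpn2 hit counts should rise when 192.168.1.7
! talks to CUSTSITE1, and a new SA pair with local ident 192.168.1.7/255.255.255.255
! should appear.
show access-list vpn2
show crypto ipsec sa
```

Two caveats a practitioner would check before declaring success: the customer-side peer's interesting-traffic ACL has to mirror the new entries (192.168.1.7 and .8 to its subnet), or phase 2 will not negotiate for those flows; and the two inside hosts must route the customer subnet via the PIX, which is the default-gateway issue Patrick raises.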

So if I add the IP segment from one end point to the access-list of the other end-point and vice versa, then traffic generated on my inside interface will go through the tunnel that is connected through my interface 4 tunnel?

I will check my notes but I thought that I tried that with no success!

Thanks