07-22-2015 05:13 AM
I have two sites connected with L2L tunnel using Cisco PIX firewall as below ---
Site A : Local subnet 172.16.0.0/16
Site B : Local subnet 172.16.0.0/16, 192.168.11.0/24, 192.168.12.0, 192.168.13.0
To establish reachability of the 1 duplicate subnet on both sites, I have done static NAT on both sides as below ---
Site A : 172.16.0.0/16 NAT 10.39.0.0/16
Site B : 172.16.0.0/16 NAT 10.38.0.0/16
Now after establishing the tunnel and access-list I am able to reach 10.39.0.0/16 from Site A and 10.38.0.0/16 from Site B and vice versa. At the same time I am able to reach Site A (10.39.0.0/16) from Site B (all 4 subnets) but I am not able to reach the Site B subnets (192.168.11.0/24, 192.168.12.0, 192.168.13.0) from Site A (172.16.0.0/16).
Can you please suggest the required solution? I guess I am missing something at the Site A firewall.
Find below Tunnel configuration for your review.
Firewall : A
————————————————————————
object-group network AAA
network-object 192.168.11.0 255.255.255.0
network-object 192.168.12.0 255.255.255.0
network-object 192.168.13.0 255.255.255.0
network-object 10.38.0.0 255.255.0.0
access-list new extended permit ip 10.39.0.0 255.255.0.0 object-group AAA
access-list policy-nat extended permit ip 172.16.0.0 255.255.0.0 10.38.0.0 255.255.0.0
static (inside,outside) 10.39.0.0 access-list policy-nat
crypto ipsec transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 match address new
crypto map outside_map 20 set peer 88.85.x.x
crypto map outside_map 20 set transform-set CISCO
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel-group 88.85.x.x type ipsec-l2l
tunnel-group 88.85.x.x ipsec-attributes
pre-shared-key ****
Firewall : B
————————————————————————
object-group network AAA
network-object 192.168.11.0 255.255.255.0
network-object 192.168.12.0 255.255.255.0
network-object 192.168.13.0 255.255.255.0
network-object 10.38.0.0 255.255.0.0
access-list new extended permit ip object-group AAA 10.39.0.0 255.255.0.0
access-list policy-nat extended permit ip 172.16.0.0 255.255.0.0 10.39.0.0 255.255.0.0
static (inside,outside) 10.38.0.0 access-list policy-nat
crypto ipsec transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 match address new
crypto map outside_map 20 set peer 103.6.x.x
crypto map outside_map 20 set transform-set CISCO
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel-group 103.6.x.x type ipsec-l2l
tunnel-group 103.6.x.x ipsec-attributes
pre-shared-key ****
07-22-2015 05:54 AM
From your config it looks like you are not doing NAT when trying to reach 192.168.11, 12 and 13.0, so firewall B will receive a packet from A through the VPN with 172.16.x.x as source, which is local to the B firewall as well, in which case the return packet won't be sent through the VPN tunnel. All traffic from firewall A to B will need to be NATed to something not known locally in firewall B.
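The point about which flows get translated and encrypted can be checked against the two posted configs with this small Python model (added here, not code from the thread). It applies each firewall's policy NAT before the crypto ACL, as the PIX does for outbound traffic, and models the static /16-to-/16 translation as a 1:1 host mapping; the sample hosts are constructed.

```python
from ipaddress import ip_address, ip_network

# object-group AAA, identical on both firewalls in the posted configs.
AAA = [ip_network(n) for n in ("192.168.11.0/24", "192.168.12.0/24",
                                "192.168.13.0/24", "10.38.0.0/16")]

# Per site: policy NAT as (real source, destination that triggers it, mapped
# source), the crypto ACL "new" as (sources, destinations), and local subnets.
SITES = {
    "A": {"nat": (ip_network("172.16.0.0/16"), ip_network("10.38.0.0/16"),
                  ip_network("10.39.0.0/16")),
          "crypto": ([ip_network("10.39.0.0/16")], AAA),
          "local": [ip_network("172.16.0.0/16")]},
    "B": {"nat": (ip_network("172.16.0.0/16"), ip_network("10.39.0.0/16"),
                  ip_network("10.38.0.0/16")),
          "crypto": (AAA, [ip_network("10.39.0.0/16")]),
          "local": [ip_network("172.16.0.0/16")] + AAA[:3]},
}


def in_any(addr, nets):
    return any(addr in n for n in nets)


def translate_src(nat, src, dst):
    """Policy NAT: the static translation only fires when the destination
    matches the policy-nat ACL; otherwise the source leaves untranslated."""
    real, trigger, mapped = nat
    if src in real and dst in trigger:
        offset = int(src) - int(real.network_address)  # keep host part (1:1)
        return ip_address(int(mapped.network_address) + offset)
    return src


def trace(site, src, dst):
    """Return (source as seen after NAT, whether crypto ACL 'new' matched)."""
    cfg = SITES[site]
    src, dst = ip_address(src), ip_address(dst)
    wire_src = translate_src(cfg["nat"], src, dst)
    srcs, dsts = cfg["crypto"]
    return str(wire_src), in_any(wire_src, srcs) and in_any(dst, dsts)


def reply_is_local(site, reply_dst):
    """True when a reply to reply_dst stays inside the site's own subnets."""
    return in_any(ip_address(reply_dst), SITES[site]["local"])
```

Running trace("A", "172.16.1.10", "192.168.11.5") shows the source stays 172.16.1.10 and the crypto ACL does not match, while the same host reaching 10.38.5.5 is translated to 10.39.1.10 and matched.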
07-22-2015 08:42 PM
Thanks Jan for your input.
But please note that only one subnet is duplicate (after NAT it is reachable) and the other 3 subnets are unique on both sides. So I hope NAT for those subnets is not required.
One more input here is that the firewall at Site B is directly connected to the 172.16.0.0/16 subnet, whereas the other subnets are connected to an MPLS router which is in turn connected to the WAN port of the firewall.
So as per my understanding, traffic for the 3 subnets is coming in on the WAN port and also going out of the same port.
We are trying to put in one switch, connecting 2 different physical ports of the firewall, and diverting traffic of the unreachable subnets to ETH3 of the firewall.
Please suggest if you find anything missing/wrong in the config.
07-23-2015 02:06 AM
Can you post the route table of both firewalls? It would make this a lot easier. Also, you say the 3 other subnets are unique on both sides, but in your first post you say there is only 172.16.0.0/16 on site A?