PIX-501 IPsec access-list question

keithcroft (Level 1)

I have an IPsec tunnel from HQ to a PIX 501. The tunnel works perfectly. I'm trying to add connectivity from another subnet in HQ to access the PIX over the existing tunnel. Can someone point me to some documentation or list the commands necessary to implement this?

I'm trying to access 192.168.115.0 255.255.255.0 from 192.168.112.0 255.255.255.0

Any help greatly appreciated.

2 Replies

Jon Marshall (Hall of Fame)

Hi

Assuming this is a site-to-site VPN.

You will need to modify the crypto maps on both your VPN devices.

You don't say what your HQ device is. On the PIX you need to look at the config.

e.g. taken from one of our PIX devices:

crypto map vpn-set 1 ipsec-isakmp
crypto map vpn-set 1 match address pps_acl
crypto map vpn-set 1 set pfs group2
crypto map vpn-set 1 set peer xxxxxxxx
crypto map vpn-set 1 set transform-set ESP-3DES-SHA
crypto map vpn-set 1 set security-association lifetime seconds 3600 kilobytes 4608000

The key line is

crypto map vpn-set 1 match address pps_acl

There will be an access-list called pps_acl. This is where you define the local and remote subnets. This should all make a bit more sense when you look at your own config.

So in this access-list "pps_acl" you would add your HQ subnet and the remote subnet.

You need to make sure the access-lists match on both VPN devices.

HTH

Jon

keithcroft (Level 1)

HQ is a Watchguard firewall.

Since we already have IPsec set up from HQ, I just added another routing policy on the Watchguard device to accept traffic from the PIX 192.168.115.0/24 to 192.168.112.0/24 using the existing tunnel.

On the PIX the configuration originally looked like this:

name 172.16.50.0 hq
access-list inside_outbound_nat0_acl permit ip 192.168.115.0 255.255.255.0 hq 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.115.0 255.255.255.0 192.168.116.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.115.0 255.255.255.0 hq 255.255.255.0
access-list outside_cryptomap_60 permit ip 192.168.115.0 255.255.255.0 192.168.116.0 255.255.255.0

I figured out how to add another routing policy using the PIX Device Manager (PDM), and the policy now looks like this:

name 172.16.50.0 hq
name 192.168.112.0 WB
access-list inside_outbound_nat0_acl permit ip 192.168.115.0 255.255.255.0 hq 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.115.0 255.255.255.0 192.168.116.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.115.0 255.255.255.0 WB 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.115.0 255.255.255.0 hq 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.115.0 255.255.255.0 WB 255.255.255.0
access-list outside_cryptomap_60 permit ip 192.168.115.0 255.255.255.0 192.168.116.0 255.255.255.0

Everything seems to work just fine now, but I would have preferred to accomplish this via the command line as I would like to understand the steps required to make this type of change.

Thanks for your assistance.
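The command-line equivalent of what PDM generated above, with the checks a practitioner would run afterwards, as an added example that is not part of either poster's reply. It covers both Jon's point (the crypto ACL named by `match address` is where local and remote subnets are defined, and it must mirror the peer) and the original poster's wish to do the change from the CLI. It assumes PIX OS 6.x on the 501, the ACL names and the `WB`/`hq` aliases shown in the posted config, and that the crypto map entry referencing `outside_cryptomap_20` is the PDM default `outside_map 20` (the map name itself is not shown on the page, so treat it as an assumption and confirm it with `show crypto map`). The HQ peer address is the poster's, so it is left as a placeholder.

```cisco
! Added example, not from the original post. Assumes PIX OS 6.x, ACL names from
! the posted config, and crypto map "outside_map" (assumed; verify in step 4).
pixfirewall# configure terminal

! 1. Readable alias for the new HQ subnet (optional; PDM created this itself).
pixfirewall(config)# name 192.168.112.0 WB

! 2. NAT exemption. Traffic to the new subnet must not be translated: if it is
!    PAT'd to the outside address first, it never matches the crypto ACL and the
!    tunnel is never triggered. Keep the nat0 entry in step with the crypto ACL.
pixfirewall(config)# access-list inside_outbound_nat0_acl permit ip 192.168.115.0 255.255.255.0 WB 255.255.255.0

! 3. Second ACE in the crypto ACL used by the HQ map entry. Same ACL, same peer,
!    so this stays one tunnel; the new pair of networks becomes an additional
!    IPsec SA negotiated with the same peer. The Watchguard side must carry the
!    mirror image (192.168.112.0/24 <-> 192.168.115.0/24) or phase 2 fails.
pixfirewall(config)# access-list outside_cryptomap_20 permit ip 192.168.115.0 255.255.255.0 WB 255.255.255.0

! 4. Confirm the map entry really uses this ACL and points at the HQ peer,
!    and that decrypted traffic is allowed to bypass the outside interface ACL.
pixfirewall(config)# show crypto map
!    expect: crypto map outside_map 20 match address outside_cryptomap_20
pixfirewall(config)# show sysopt
!    expect: sysopt connection permit-ipsec

! 5. SAs already up were negotiated with the old proxy identities. Clear them so
!    the next interesting packet starts a fresh negotiation that includes the
!    new subnet. Caveat: this drops ALL IPsec SAs on the box for a moment,
!    including the 192.168.116.0 tunnel on map entry 60; do it in a quiet window.
pixfirewall(config)# clear crypto ipsec sa
pixfirewall(config)# write memory

! 6. Verify after sending traffic from a 192.168.112.x host to 192.168.115.x.
pixfirewall# show crypto ipsec sa
!    look for local ident 192.168.115.0/255.255.255.0 and
!    remote ident 192.168.112.0/255.255.255.0 with #pkts encaps and decaps
!    both increasing; encaps rising with decaps stuck at 0 usually means the
!    peer's policy does not mirror this ACE.
pixfirewall# show access-list outside_cryptomap_20
!    hitcnt on the new ACE increments as interesting traffic is classified.
```

The order matters for troubleshooting: if step 6 shows no SA at all, check the nat0 entry and the ACE hit count first (the PIX never saw "interesting" traffic), and only then look at the peer; if an SA exists but only encapsulates, the mismatch is on the Watchguard side.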