09-17-2004 04:08 AM
I have a client who wishes to set up three VPN groups on the PIX and give different access rights to each group. (ie. Group 1 can access server A only, group 2 can access server B only and group 3 can access all resources).
In testing, we have created the tunnels using the VPN wizard in PDM and all works fine when we have a single tunnel with unrestricted access. However as soon as we try to add more vpngroups and add the access restrictions, the whole thing grinds to a halt. IKE mode initialises but the VPN client times out and no IPSEC tunnel is created.
Can anyone suggest possible causes and workarounds?
09-19-2004 05:50 PM
I would not use PDM, but rather the pix cli to accomplish what you want.
Try this:
1. turn off the sysopt connection permit-ipsec by running this command: no sysopt connection permit-ipsec
2. create three local ip pools on the pix. For example:
ip local pool Group1Pool 192.168.1.1-192.168.1.254
ip local pool Group2Pool 192.168.2.1-192.168.2.254
ip local pool Group3Pool 192.168.3.1-192.168.3.254
3. Then on the pix interface that will terminate the vpn client connections code these acl entries
access-list intf_outside_acl permit ip 192.168.1.0 255.255.255.0 host serverA
access-list intf_outside_acl permit ip 192.168.2.0 255.255.255.0 host serverB
access-list intf_outside_acl permit ip 192.168.3.0 255.255.255.0 10.0.0.0 255.0.0.0
This assumes that your private network is 10/8, and that acl intf_outside_acl is an existing acl that is already applied to the outside interface and that your IPSec clients will terminate on that interface.
The key is to remove the permit-ipsec sysopt command as you want the pix to not allow ipsec traffic to traverse anywhere, instead the interface acl will be applied, and the source ip is what the pix will assign the vpn client depending upon which group they are in. Each vpn group will use only one of the 3 local pools defined above.
Let me know if this helps.
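The steps above in one place, as an added example that is not from this thread or from the original poster's configuration: a PIX 6.3-style config that binds each vpngroup to its own address pool, so the pool address a client receives is what the outside interface ACL filters on once the sysopt exemption is gone. The inside network 10.0.0.0/8, serverA as 10.1.1.10, serverB as 10.1.1.20, the interface name outside, and all group names, pre-shared keys and the XAUTH user are assumptions for illustration. Note that the full command is sysopt connection permit-ipsec, and that removing it makes the outside ACL apply to decrypted client packets only; IKE (UDP/500) and ESP addressed to the PIX itself are not subject to the interface ACL, so nothing needs to be opened for the tunnel to come up. Anything else the clients must reach (DNS, for example) now has to be permitted explicitly in the ACL.

```cisco
: Added example (not from the thread): PIX 6.3 syntax, one address pool per vpngroup
: Assumed addresses: inside 10.0.0.0/8, serverA = 10.1.1.10, serverB = 10.1.1.20
: Group names, pre-shared keys and the XAUTH user below are placeholders

: 1. Decrypted IPsec traffic must pass the outside interface ACL
no sysopt connection permit-ipsec

: 2. One address pool per group; the pool address identifies the group later
ip local pool Group1Pool 192.168.1.1-192.168.1.254
ip local pool Group2Pool 192.168.2.1-192.168.2.254
ip local pool Group3Pool 192.168.3.1-192.168.3.254

: 3. Outside ACL: the client's pool address decides what it may reach
access-list intf_outside_acl permit ip 192.168.1.0 255.255.255.0 host 10.1.1.10
access-list intf_outside_acl permit ip 192.168.2.0 255.255.255.0 host 10.1.1.20
access-list intf_outside_acl permit ip 192.168.3.0 255.255.255.0 10.0.0.0 255.0.0.0
access-group intf_outside_acl in interface outside

: 4. Do not NAT inside hosts when they answer the client pools
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat

: 5. IKE phase 1 for the VPN client (pre-shared key, group 2, NAT-T)
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: 6. One vpngroup per pool; the vpngroup name is the group name typed into the client
vpngroup Group1 address-pool Group1Pool
vpngroup Group1 idle-time 1800
vpngroup Group1 password Group1Secret
vpngroup Group2 address-pool Group2Pool
vpngroup Group2 idle-time 1800
vpngroup Group2 password Group2Secret
vpngroup Group3 address-pool Group3Pool
vpngroup Group3 idle-time 1800
vpngroup Group3 password Group3Secret

: 7. Phase 2: a single dynamic crypto map serves all three groups
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address initiate
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside

: 8. XAUTH users on the local database (assumed account)
username alice password AliceSecret privilege 0
```

A quick way to confirm the pool-to-group binding is working is show vpngroup (the address pool each group carries) together with show crypto ipsec sa after a client connects: the local identity for the client SA should be an address from the pool that matches the connecting group, and hits on the corresponding intf_outside_acl entry show up in show access-list. Whether the group password (the group pre-shared key) is shared with many users means it should be treated as a weak secret; the per-user XAUTH step is what actually authenticates the person.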
09-19-2004 11:11 PM
Thanks for the advice. However, all of this is already in place. It is at tunnel creation that the config is failing, not at the access-lists.
09-21-2004 08:47 AM
Please post the relevant pix config here, and also let me know how the clients are configured, i.e., are the clients using transparent tunneling? Also, run the debug crypto isakmp and debug crypto ipsec commands on the firewall, attempt a connection from the client, and post the debug log messages.
I'll look at them and tell you what I find.
11-30-2004 04:05 PM
As things happened, I did not get a chance to return to that site and so the matter was resolved by another engineer. I therefore don't have the config. Sorry.