11-09-2006 06:53 AM - edited 02-21-2020 02:42 PM
Hi,
I have a cisco pix 501 with a vpn setup between networks 192.168.210.0 (local) and 192.168.200.0 (remote). This works fine. But more networks than 192.168.200.0 exist on the remote end, there are also 10.10.10.0 192.168.33.0 and 172.16.20.0. Is it possible to set up routing so that I can route to these other subnets with just one VPN tunnel? Here is the important vpn stuff in my pix config:
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any
access-list nonat permit ip 192.168.210.0 255.255.255.0 192.168.200.0 255.255.254.0
access-list ipsec_traffic permit ip 192.168.210.0 255.255.255.0 192.168.200.0 255.255.254.0
sysopt connection permit-ipsec
crypto ipsec transform-set humphrey esp-aes esp-md5-hmac
crypto map cmHumphrey 10 ipsec-isakmp
crypto map cmHumphrey 10 match address ipsec_traffic
crypto map cmHumphrey 10 set peer x.x.x.x
crypto map cmHumphrey 10 set transform-set humphrey
crypto map cmHumphrey interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
Is there a way to set up a tunnel interface like on an ios router vpn? This makes routing very simple. I will post a network diagram to show what I mean.
thanks!
11-09-2006 07:23 AM
PIX 6.3x, which is the highest available for the PIX 501, doesn't support GRE or tunnel interfaces, so dynamic routing is NOT possible.
But I think you can add those networks to the VPN tunnel.
1. exclude from NAT
access-list nonat permit ip 192.168.210.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 192.168.210.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list nonat permit ip 192.168.210.0 255.255.255.0 192.168.33.0 255.255.255.0
2. Add to VPN ACL
access-list ipsec_traffic permit ip 192.168.210.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list ipsec_traffic permit ip 192.168.210.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list ipsec_traffic permit ip 192.168.210.0 255.255.255.0 192.168.33.0 255.255.255.0
The SAME must be done on the 3660 (VPN ACLs are mirrored).
You also need to route those IPs to the Internet.
Let's say x.x.x.x is your Internet gateway (but it's probably part of the PIX default route):
route outside 10.10.10.0 255.255.255.0 x.x.x.x
route outside 172.16.20.0 255.255.255.0 x.x.x.x
route outside 192.168.33.0 255.255.255.0 x.x.x.x
M.
Hope that helps; rate if it does.
11-09-2006 07:24 AM
Yes, it is possible to route to these other subnets with just one VPN tunnel. On the PIX 501, your IPsec access-list and NONAT access-list should be:
access-list ipsec_traffic permit ip 192.168.210.0 255.255.255.0 192.168.200.0 255.255.254.0
access-list ipsec_traffic permit ip 192.168.210.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list ipsec_traffic permit ip 192.168.210.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list ipsec_traffic permit ip 192.168.210.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list nonat permit ip 192.168.210.0 255.255.255.0 192.168.200.0 255.255.254.0
access-list nonat permit ip 192.168.210.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 192.168.210.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list nonat permit ip 192.168.210.0 255.255.255.0 172.16.20.0 255.255.255.0
And make sure that on the remote side (3600), the access-lists are mirror images.
For example, adding the new networks to the existing one:
access-list 150 permit ip 10.10.10.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 150 permit ip 192.168.33.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 150 permit ip 172.16.20.0 0.0.0.255 192.168.210.0 0.0.0.255
Also, if the 3600 is configured for NAT, make sure that you bypass NAT for the VPN Traffic.
BTW, Pix does not support Tunnel Interface.
I hope it helps.
Regards,
Arul
** Please rate all helpful Posts **
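Both replies above hinge on two conditions that are easy to get wrong by hand: every crypto-ACL entry must have an exact mirror on the remote peer, and every crypto-ACL entry must also be exempted from NAT. The following script is an added example, not a configuration posted in this thread; it parses PIX-style (subnet mask) and IOS-style (wildcard mask) "permit ip" lines and reports any entry that lacks a mirror or a NAT exemption. The sample configs are constructed from the subnets in the thread, with one mirror deliberately omitted on the IOS side and one NAT exemption deliberately omitted on the PIX, so the checker has something to find. The ACL names ipsec_traffic, nonat and 150 are the ones used in the thread.

```python
"""Check that a PIX crypto ACL, its NAT-exemption ACL and the remote IOS crypto ACL agree."""
import ipaddress
import re

# Matches "access-list <name> permit ip <src> <mask> <dst> <mask>" on PIX and IOS alike.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# Constructed sample input: the PIX side.  The NAT-exemption ACL is missing the
# 172.16.20.0/24 entry on purpose, so traffic to that subnet would be NATed before
# the crypto map could match it.
PIX_CONFIG = """
access-list nonat permit ip 192.168.210.0 255.255.255.0 192.168.200.0 255.255.254.0
access-list nonat permit ip 192.168.210.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 192.168.210.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list ipsec_traffic permit ip 192.168.210.0 255.255.255.0 192.168.200.0 255.255.254.0
access-list ipsec_traffic permit ip 192.168.210.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list ipsec_traffic permit ip 192.168.210.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list ipsec_traffic permit ip 192.168.210.0 255.255.255.0 172.16.20.0 255.255.255.0
"""

# Constructed sample input: the IOS router side, using wildcard masks.  The mirror
# of the 192.168.33.0/24 entry is missing on purpose.
IOS_CONFIG = """
access-list 150 permit ip 192.168.200.0 0.0.1.255 192.168.210.0 0.0.0.255
access-list 150 permit ip 10.10.10.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 150 permit ip 172.16.20.0 0.0.0.255 192.168.210.0 0.0.0.255
"""


def wildcard_to_netmask(wildcard):
    """IOS wildcard masks are inverted subnet masks: 0.0.1.255 -> 255.255.254.0."""
    bits = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(bits ^ 0xFFFFFFFF))


def parse_acl(text, name, wildcard=False):
    """Return [(src_network, dst_network), ...] for the 'permit ip' lines of one ACL."""
    pairs = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        src, smask, dst, dmask = m.group(2, 3, 4, 5)
        if wildcard:
            smask, dmask = wildcard_to_netmask(smask), wildcard_to_netmask(dmask)
        pairs.append((ipaddress.ip_network(f"{src}/{smask}", strict=False),
                      ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
    return pairs


def mirror_problems(local, remote):
    """Entries on either side whose exact (dst, src) mirror is absent on the other side."""
    remote_mirrored = {(d, s) for s, d in remote}
    local_set = set(local)
    problems = []
    for s, d in local:
        if (s, d) not in remote_mirrored:
            problems.append(f"local {s} -> {d} has no mirror on the remote side")
    for s, d in remote:
        if (d, s) not in local_set:
            problems.append(f"remote {s} -> {d} has no mirror on the local side")
    return problems


def nat_exemption_gaps(crypto, nonat):
    """Crypto-ACL entries not covered by any NAT-exemption entry."""
    gaps = []
    for s, d in crypto:
        covered = any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)
        if not covered:
            gaps.append(f"{s} -> {d} is in the crypto ACL but not exempted from NAT")
    return gaps


def check(pix_config, ios_config, crypto_name="ipsec_traffic", nonat_name="nonat", ios_acl="150"):
    """Run both checks and return a list of human-readable findings (empty means consistent)."""
    crypto = parse_acl(pix_config, crypto_name)
    nonat = parse_acl(pix_config, nonat_name)
    remote = parse_acl(ios_config, ios_acl, wildcard=True)
    return mirror_problems(crypto, remote) + nat_exemption_gaps(crypto, nonat)


if __name__ == "__main__":
    for finding in check(PIX_CONFIG, IOS_CONFIG):
        print(finding)
```

The mirror check is deliberately exact rather than "overlapping": a 192.168.200.0/23 entry on one side and a /24 on the other will not negotiate a matching SA, and the script reports that as a problem rather than treating the /24 as covered. The NAT check, by contrast, accepts a broader nonat entry that contains the crypto entry, which is how NAT exemption actually behaves.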
11-09-2006 07:38 AM
Thanks guys,
I had tried this before with no luck. It seems as though it should work...maybe I configured it wrong. I'll try it again. Would I need to add a corresponding:
pdm location 192.168.200.0 255.255.254.0 outside
line for the other networks? I seem to have needed this for the vpn to work. Another concern I have is that I think this would work no problem if the VPN on the remote end was set up the same way as the pix. But it is set up as a tunnel interface on the 3600 router. It seems like maybe this is hosing me. Thanks though, I'll try again.
11-09-2006 07:42 AM
You don't need the pdm location command for VPN (it's only network topology discovery by associating an external network object with an interface).
You need the same config on the 3660 as on the PIX - IPsec VPN...
It's not possible to have a tunnel interface on one side and IPsec on the other...
M.
11-09-2006 08:02 AM
Thanks,
I'll have to change it then? Here is what I get now on the pix with sh crypto ipsec sa:
interface: outside
Crypto map tag: outside_map, local addr. x.x.x.x
local ident (addr/mask/prot/port): (172.16.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
current_peer: x.x.x.x:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 865, #pkts encrypt: 865, #pkts digest 865
#pkts decaps: 612, #pkts decrypt: 612, #pkts verify 612
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ipsec overhead 72, media mtu 1500
current outbound spi: cf6e850e
inbound esp sas:
spi: 0x706bd01a(1886113818)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607939/1099)
IV size: 16 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xcf6e850e(3480126734)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607977/1099)
IV size: 16 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.16.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
current_peer: x.x.x.x:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 103, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
So it is definitely trying to protect the right traffic...it just isn't successful in creating an SA.
Oops, I just realized it was a different PIX that I was trying to get to work. That is why the subnets look different from my first post. This is what I got on the other one as well, when trying to add another subnet to the VPN. This particular PIX is actually connected to a Smoothwall firewall. The VPN works great but only with one subnet. Is there a way to set up this multiple routing with a Smoothwall, since you can't set it up with a crypto map?
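The "sh crypto ipsec sa" output above already contains the diagnosis: the first identity pair has inbound and outbound ESP SAs with real SPIs and traffic counters, while the second pair has "current outbound spi: 0", no ESP SAs at all, and 103 send errors, meaning the PIX dropped those packets because no SA was ever negotiated for that proxy identity. The script below is an added example, not something posted in the thread, that parses this output format per "local ident" block and flags identities whose SA never came up, which is the usual symptom of a crypto ACL that the peer does not mirror. The sample text is a trimmed, constructed copy of the output above with the peer addresses left as x.x.x.x.

```python
"""Parse PIX 'show crypto ipsec sa' output and flag proxy identities with no negotiated SA."""
import ipaddress
import re

# Constructed sample: two identity blocks trimmed from the thread's output.
SAMPLE_OUTPUT = """
interface: outside
    Crypto map tag: outside_map, local addr. x.x.x.x
   local ident (addr/mask/prot/port): (172.16.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer: x.x.x.x:500
   #pkts encaps: 865, #pkts encrypt: 865, #pkts digest 865
   #pkts decaps: 612, #pkts decrypt: 612, #pkts verify 612
   #send errors 0, #recv errors 0
   current outbound spi: cf6e850e
   inbound esp sas:
    spi: 0x706bd01a(1886113818)
   outbound esp sas:
    spi: 0xcf6e850e(3480126734)
   local ident (addr/mask/prot/port): (172.16.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
   current_peer: x.x.x.x:0
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
   #send errors 103, #recv errors 0
   current outbound spi: 0
   inbound esp sas:
   outbound esp sas:
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
COUNTER_RES = {
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors (\d+)"),
}
OUT_SPI_RE = re.compile(r"current outbound spi: (\S+)")
SA_SPI_RE = re.compile(r"spi: (0x[0-9a-fA-F]+)")


def parse_ipsec_sa(text):
    """Return one dict per 'local ident' block with its remote identity, counters and SPIs."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            net = str(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
            if m.group(1) == "local":
                cur = {"local": net, "remote": None, "encaps": 0, "decaps": 0,
                       "send_errors": 0, "outbound_spi": None, "esp_spis": []}
                entries.append(cur)
            elif cur is not None:
                cur["remote"] = net
            continue
        if cur is None:
            continue
        for key, rx in COUNTER_RES.items():
            m = rx.match(line)
            if m:
                cur[key] = int(m.group(1))
        m = OUT_SPI_RE.match(line)
        if m:
            cur["outbound_spi"] = m.group(1)
        m = SA_SPI_RE.match(line)
        if m:
            cur["esp_spis"].append(m.group(1))
    return entries


def diagnose(entries):
    """Flag identities with no SA (likely unmirrored on the peer) or with one-way traffic."""
    findings = []
    for e in entries:
        pair = f"{e['local']} <-> {e['remote']}"
        if e["outbound_spi"] in (None, "0") and not e["esp_spis"]:
            findings.append(f"{pair}: no SA negotiated, {e['send_errors']} packets dropped; "
                            f"check that the peer's crypto ACL mirrors this identity")
        elif e["encaps"] and not e["decaps"]:
            findings.append(f"{pair}: SA up but nothing decrypted; check return routing on the peer")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_ipsec_sa(SAMPLE_OUTPUT)):
        print(finding)
```

The first block in the sample parses as healthy (two ESP SAs, packets in both directions), so only the 10.10.0.0/16 identity is reported. The one-way case is included because it is the other common outcome after adding a subnet: the SA negotiates, encaps counts climb, but decaps stays at zero because the remote end has no route back through the tunnel.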