03-18-2007 10:19 PM
Current:
Scenario is remote office to main office. Site-to-site IPsec tunnel from remote (NetScreen) to main (PIX 506E). Users use Cisco VPN Client to access main office remotely.
This is all working perfectly.
Problem:
Now we want remote users who connect to the main office to also be able to access resources in the remote office.
This seems like it would be easy to implement but I cannot figure it out.
Thanks in advance.
Rollo
----------
#10.10.10.0 = network1
#10.10.11.0 = network2
#172.16.1.0 = vpn pool
PIX Version 6.3(4)
access-list 101 permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list splitTunnel permit ip 10.10.10.0 255.255.255.0 any
access-list splitTunnel permit ip 10.10.11.0 255.255.255.0 any
access-list 115 permit ip any 172.16.1.0 255.255.255.0
access-list 116 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list 116 permit ip any 10.10.11.0 255.255.255.0
access-list 116 permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 209.x.x.x 255.255.255.224
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.1.0-172.16.1.50
global (outside) 1 interface
global (outside) 10 209.x.x.x 255.255.255.224
nat (inside) 0 access-list 101
nat (inside) 10 10.10.10.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.x.x.x 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map vpnclients-dynmap 10 set transform-set myset
crypto map myset1 35 ipsec-isakmp
crypto map myset1 35 match address 116
crypto map myset1 35 set peer x.x.x.x
crypto map myset1 35 set transform-set myset
crypto map myset1 90 ipsec-isakmp dynamic vpnclients-dynmap
crypto map myset1 client configuration address initiate
crypto map myset1 client configuration address respond
crypto map myset1 interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash sha
isakmp policy 15 group 1
isakmp policy 15 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 25 authentication pre-share
isakmp policy 25 encryption des
isakmp policy 25 hash md5
isakmp policy 25 group 2
isakmp policy 25 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup mygroup address-pool vpnpool
vpngroup mygroup dns-server dns1 dns2
vpngroup mygroup wins-server wins1 wins2
vpngroup mygroup default-domain mydomain
vpngroup mygroup split-tunnel splitTunnel
vpngroup mygroup idle-time 64000
vpngroup mygroup password **********
telnet timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
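A small check, added here as an example (not part of Rollo's config or of any Cisco tool), that parses the relevant lines of the config above and reports, for a given flow, whether the site-to-site crypto ACL would select it and whether the flow would have to enter and leave the outside interface, i.e. the same-interface hairpin a PIX running 6.x will not forward (7.x and ASA allow it with `same-security-traffic permit intra-interface`). The flow addresses in the test are constructed samples.

```python
import ipaddress
import re

# Excerpt of the PIX 6.3(4) config posted above; "any" is treated as 0.0.0.0/0.
PIX_CONFIG = """
access-list 116 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list 116 permit ip any 10.10.11.0 255.255.255.0
access-list 116 permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool vpnpool 172.16.1.0-172.16.1.50
crypto map myset1 35 match address 116
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (any|\S+ \S+) (any|\S+ \S+)$")


def _net(token):
    """Turn 'any' or 'addr mask' (PIX ACL syntax) into an ip_network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acls(config):
    """Map ACL name -> list of (src_net, dst_net) permit entries."""
    acls = {}
    for line in config.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((_net(m.group(2)), _net(m.group(3))))
    return acls


def acl_matches(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)


def pool_contains(config, ip):
    """True if ip lies in the 'ip local pool' range (a remote-access client address)."""
    lo, hi = re.search(r"^ip local pool \S+ (\S+)-(\S+)$", config, re.M).groups()
    return int(ipaddress.ip_address(lo)) <= int(ip) <= int(ipaddress.ip_address(hi))


def audit_flow(config, src, dst):
    acls = parse_acls(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    l2l_acl = re.search(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M).group(1)
    via_l2l = acl_matches(acls[l2l_acl], src, dst)
    # A pool address was decrypted on outside; the site-to-site peer is also reached
    # via outside, so a flow that matches both must go back out the same interface.
    return {"matches_l2l_crypto_acl": via_l2l,
            "hairpin_on_outside": pool_contains(config, src) and via_l2l}
```

The LAN-to-remote-office flow (inside in, outside out) shows no hairpin, which matches the "working perfectly" part of the post; the client-to-remote-office flow does.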
03-19-2007 12:41 AM
Hi Rollo,
You cannot implement it for a simple reason: it is not supported on the PIX version 6.x. It is supported on the PIX ver 7.x, but 7.x is not supported on PIX 506. So, in a nutshell, it cannot be achieved on a PIX 506. If you have an ASA, a PIX 515 running 7.x, a router or even a concentrator, it can be achieved.
HTH,
Please rate if it helps,
Regards,
Kamal
06-03-2008 08:19 AM
Thanks Kamal.
What is this configuration called? How is it achieved with 7.x or an ASA (we have both)?
06-29-2008 05:03 AM
I am also interested... please report your workaround. Thanks ;)
06-29-2008 07:04 AM