VPN client access to system over a VPN tunnel

jimgrumbles
Level 1

We have a remote location with a PIX 506 that has a VPN tunnel back to an ASA5520 at headquarters. That remote PIX 506 also has a very basic VPN client setup enabled on it that I didn't implement.

Remote subnet: 172.16.50.0/24

Remote VPN client subnet: 172.16.253.0/24

Local (HQ) subnet: 192.168.1.0/24

So someone from the remote location will use the VPN client, connect to the PIX 506 and get an IP on 172.16.253.0/24. It can ping anything on 172.16.50.0/24 just fine but cannot hit anything on 192.168.1.0/24; 192.168.1.13 is what I need to get it access to specifically.

Same from the other side. From 192.168.1.0/24 I cannot see anything on 172.16.253.0/24. I assume I don't have the routing totally complete from what I can tell. I tried adding the following to our ASA5520:

route inside 172.16.253.0 255.255.255.0 172.16.50.3 1

172.16.50.3 is the PIX 506's inside IP and I can ping that fine from my workstation IP of 192.168.1.240. However, if I try to ping it from the ASA's IP of 192.168.1.23 it doesn't work.

I've attached some pared down configs of both devices. MTY506E.txt is the remote PIX 506, of course, and the central HQ ASA is Hilliard_ASA_5520.txt.

9 Replies

Hi Jim,

Apply the following changes in devices mentioned.

---506---

same-security-traffic permit intra-interface
access-list outside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
no route inside 172.16.253.0 255.255.255.0 172.16.50.3 1
access-list vpn permit ip 172.16.253.0 255.255.255.0 192.168.1.0 255.255.255.0

---5520---

access-list inside_acl permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.0
access-list MTY permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.0
no route inside 172.16.253.0 255.255.255.0 172.16.50.3

In 506, you may have to issue "clear xlate" which will temporarily disconnect all sessions.

Regards

jimgrumbles
Level 1

Had the ip pool configured wrong on the 506; here is the newer config.

Ahhhhhh, let me re-check....

It's not a big deal, still 172.16.253. Anyway, if you want to have 30 hosts as you mentioned in your pool command, you should change the netmask to 255.255.255.224.

If you make that change, make it also in the commands I wrote above, next to 172.16.253.0.

Here is the updated version

---506---

same-security-traffic permit intra-interface
ip local pool ippool 172.16.253.1-172.16.253.30 mask 255.255.255.224
access-list outside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.224
nat (outside) 0 access-list outside_nat0_outbound
no route inside 172.16.253.0 255.255.255.0 172.16.50.3 1
access-list vpn permit ip 172.16.253.0 255.255.255.224 192.168.1.0 255.255.255.0
no access-list nonat permit ip 172.16.50.0 255.255.255.0 172.16.253.0 255.255.255.0
no access-list nonat permit ip 172.16.51.0 255.255.255.0 172.16.253.0 255.255.255.0
no access-list nonat permit ip 172.16.52.0 255.255.255.0 172.16.253.0 255.255.255.0
access-list nonat permit ip 172.16.50.0 255.255.255.0 172.16.253.0 255.255.255.224
access-list nonat permit ip 172.16.51.0 255.255.255.0 172.16.253.0 255.255.255.224
access-list nonat permit ip 172.16.52.0 255.255.255.0 172.16.253.0 255.255.255.224

---5520---

access-list inside_acl permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.224
access-list MTY permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.224
no route inside 172.16.253.0 255.255.255.0 172.16.50.3

Edited...
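A way to sanity-check the revised pool mask and the mirrored crypto ACLs before pushing them, as an added example that is not from the thread or either device: it parses the pasted lines above and assumes `vpn` on the 506 and `MTY` on the 5520 are the crypto-map ACLs, as the thread's names suggest.

```python
import ipaddress
import re

# Constructed sample: the revised PIX 506 and ASA 5520 lines from the thread.
PIX_506 = """
ip local pool ippool 172.16.253.1-172.16.253.30 mask 255.255.255.224
access-list outside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.224
access-list vpn permit ip 172.16.253.0 255.255.255.224 192.168.1.0 255.255.255.0
access-list nonat permit ip 172.16.50.0 255.255.255.0 172.16.253.0 255.255.255.224
"""
ASA_5520 = """
access-list inside_acl permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.224
access-list MTY permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.224
"""

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
POOL_RE = re.compile(r"ip local pool \S+ (\S+)-(\S+) mask (\S+)")

def pool_network(config):
    """Smallest network holding the whole pool range, and the network the mask implies."""
    m = POOL_RE.search(config)
    first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    net = ipaddress.ip_network(f"{first}/32")
    while last not in net:          # widen one bit at a time until the range fits
        net = net.supernet()
    return net, ipaddress.ip_network(f"{net.network_address}/{m.group(3)}", strict=False)

def acl_entries(config, name):
    """(source, destination) network pairs of every 'permit ip' line in ACL `name`."""
    return {(ipaddress.ip_network(f"{s}/{sm}", strict=False),
             ipaddress.ip_network(f"{d}/{dm}", strict=False))
            for n, s, sm, d, dm in ACL_RE.findall(config) if n == name}

def check_hairpin(pix_cfg, asa_cfg, pix_acl="vpn", asa_acl="MTY"):
    """Return a list of problems; empty means pool and crypto ACLs are consistent."""
    problems = []
    needed, configured = pool_network(pix_cfg)
    if configured.prefixlen > needed.prefixlen:
        problems.append(f"pool mask {configured} does not hold range {needed}")
    crypto = acl_entries(pix_cfg, pix_acl)
    for src, _dst in crypto:
        if src.overlaps(needed) and not needed.subnet_of(src):
            problems.append(f"{pix_acl} ACL {src} does not cover pool {needed}")
    # Phase 2 only negotiates when the ASA's ACL is the exact mirror of the PIX's.
    mirror = {(d, s) for s, d in crypto}
    for s, d in mirror - acl_entries(asa_cfg, asa_acl):
        problems.append(f"{asa_acl} ACL lacks mirror entry {s} -> {d}")
    return problems
```

Run it again after editing either side; a mask changed on one device only shows up as a missing mirror entry.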

Wow, lightning fast responses. I appreciate it.

Here is what happened when I entered the new nat statement:

MONTERREY-MX-506(config)# nat (outside) 0 access-list outside_nat0_outbound
WARNING: Specified interface is lowest security interface. This statement
WARNING: is not applicable to any traffic.

Also, the same-security-traffic permit intra-interface doesn't seem to work on the PIX 506. It's running 6.3(5).

Hmm... try this:

nat (outside) 0 access-list outside_nat0_outbound outside

"Also, the same-security-traffic permit intra-interface doesn't seem to work on the PIX 506. It's running 6.3(5)."

Ah... You have to upgrade the IOS, or you cannot achieve what you want. Upgrade your IOS in the 506 to 7.2.

Darn, I thought that might be the case. Just looked at the PIX 7.0 release notes and it doesn't look like the 506 is supported for anything beyond 6.3:

http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html#wp1752751

=( Correct. You can't achieve what you want with that equipment. I was going to suggest sub-interfacing, but again it is not supported in 6.3.