VPN client to client communication

peter.saldanha
Level 1

Hi

I have configured a remote access VPN using a PIX firewall. It is working properly. I have a requirement that the remote VPN clients should be able to connect to each other. How do I do it?

10 Replies

ciscokrishna
Level 1

Hi,

You cannot make the two remote clients communicate directly over the VPN connection. You have to make the PIX the central hub and make the clients the spokes. In the PIX you need to make certain config changes.

Here is an example:

client A ------ PIX ------- client B

10.1.x.x 10.2.x.x 10.3.x.x

You have to add a route in the PIX saying 10.1.x.x should be forwarded to 10.3.x.x and vice versa. You also need to change the access-list for VPN traffic, extending it for both of the LANs (I mean clients). Hope this would help you.

How do I define the route for this VPN traffic? Can you give me the command syntax?

Hi Peter,

Will it be possible for you to give me your PIX config (excluding all the confidential data)? This would help me to point at the right config part for the changes.

Hi

Here is my firewall configuration:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pfw1
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list split_tunnel permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.1 255.255.255.0
ip address inside 192.168.0.200 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pool1 10.1.1.1
ip local pool pool2 10.1.1.2
ip local pool pool3 10.1.1.3
ip local pool pool4 10.1.1.5
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.2.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.81 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set megset esp-3des esp-md5-hmac
crypto dynamic-map mapA 10 set transform-set megset
crypto map mapA client configuration address initiate
crypto map mapA client configuration address respond
crypto map mapB 10 ipsec-isakmp dynamic mapA
crypto map mapB interface outside
isakmp enable outside
isakmp nat-traversal 100
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup client1 address-pool pool1
vpngroup client1 split-tunnel split_tunnel
vpngroup client1 idle-time 1800
vpngroup client1 password ********
vpngroup client2 address-pool pool2
vpngroup client2 split-tunnel split_tunnel
vpngroup client2 idle-time 1800
vpngroup client2 password ********
vpngroup client3 address-pool pool3
vpngroup client3 split-tunnel split_tunnel
vpngroup client3 idle-time 1800
vpngroup client3 password ********
vpngroup client4 address-pool pool4
vpngroup client4 split-tunnel split_tunnel
vpngroup client4 idle-time 1800
vpngroup client4 password ********
vpngroup client5 address-pool pool5
vpngroup client5 split-tunnel split_tunnel
vpngroup client5 idle-time 1800
vpngroup client5 password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 inside

Hi Peter,

I have seen your configuration. In the configuration, I can see that your peers get an IP address in the 10.1.1.x range. In this case, when two clients are connected, they are as good as being in the same LAN as the inside of the PIX. This means all are in the same subnet. We don't need any more commands for communication to happen between hosts of the same LAN.

In fact, you can try this: let two clients connect to the PIX (VPN) simultaneously. Once the VPN comes up for both of them, let one client ping the inside of the PIX (should be successful) and then the other client's virtual IP assigned by the PIX (should also be successful). If you have NetBIOS enabled, you can try accessing the other client using its host name.

Please check the above and comment.

I believe there is another aspect that must be addressed. In the PIX implementation there has been a restriction that a device connecting from outside could not be rerouted back to another outside destination. I believe that restriction was lifted in version 7.0. I believe that in the version of code currently running on this PIX the outside to outside will not work. If they upgrade to version 7.0 it can work.

HTH

Rick

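An added example, not posted by anyone in this thread, showing the configuration change Rick's point implies once the PIX runs 7.x, combined with the access-list extension ciscokrishna described earlier. It assumes Peter's posted 6.3(4) configuration has been upgraded in place, that the upgrade converted the vpngroup lines to tunnel-group/group-policy entries that still reference the split_tunnel access-list, and that nat-control is left enabled (the state an upgrade from 6.3 produces). The access-list name nonat_outside is an assumption; the addresses are those in the posted config.

```cisco
! Added example (not from the thread). Assumes Peter's posted config,
! upgraded to PIX/ASA 7.x where the commands below exist.

! 1. Permit hairpinning. A packet from client A to client B is decrypted
!    on 'outside' and must be re-encrypted and sent out 'outside' again.
!    6.3 drops same-interface traffic unconditionally; 7.0 adds this knob.
same-security-traffic permit intra-interface

! 2. Extend the split-tunnel list so the clients tunnel the pool subnet
!    itself. The posted list only sends 192.168.0.0/24 down the tunnel,
!    so client A would route 10.1.1.2 out its local LAN adapter and the
!    packet would never reach the PIX.
access-list split_tunnel permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0

! 3. Exempt pool-to-pool traffic from NAT on 'outside'. The posted
!    'nat (inside) 0 access-list nonat' covers only inside-to-pool;
!    hairpinned traffic enters on 'outside' and, with nat-control on,
!    needs its own exemption. ACL name 'nonat_outside' is an assumption.
access-list nonat_outside permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (outside) 0 access-list nonat_outside
```

To check it, have both clients reconnect (split-tunnel routes are pushed at connect time), ping from 10.1.1.1 to 10.1.1.2, and run "show crypto ipsec sa" on the PIX: the decaps counter on client A's SA and the encaps counter on client B's SA should both increase together. One caveat visible in the posted config: vpngroup client5 references pool5, but no "ip local pool pool5" line is present, and each of the defined pools holds a single address, so each group can carry only one connected client at a time.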

Has anyone tried this? I have the exact same problem. Does PIX 7.0 or higher fix this?

Yes PIX 7.0 does fix this.

HTH

Rick


Hi

After the VPN is established from two clients, I tried to ping each other's addresses as you said, i.e. from 10.1.1.1 to 10.1.1.2, but no luck.

Peter,

As rburts says, it might be the problem that an outside client will not be able to access another outside client. Don't try PING; try something else. Let's say you share a folder on one of the clients and use this (from the command prompt) on the other client:

c:\>net use \\ /user:

It will then ask you for the password. Give the password of that user and try to map the drive.

If this doesn't work, the only workaround is to take a dedicated PC on the PIX inside and make it a terminal server (not necessarily Windows; anything would do. You can even do an RDC from the terminal host).