07-18-2005 08:18 PM
Hi
I have configured a remote access VPN using a PIX firewall. It is working properly. I have a requirement that remote VPN clients should connect to each other. How do I do it?
07-18-2005 11:58 PM
Hi,
You cannot make the two remote clients communicate directly in a VPN connection. You gotta make the PIX the central hub and make the clients the spokes. In the PIX you need to make certain config changes.
here is an example
client A ------ PIX ------- client B
10.1.x.x 10.2.x.x 10.3.x.x
You gotta add a route in the PIX saying 10.1.x.x should be forwarded to 10.3.x.x and vice versa. Also you need to change the access-list for VPN traffic, extending it for both the LANs (I mean clients). Hope this would help you.
07-19-2005 02:55 AM
How do I define the route for this VPN traffic? Can you give me the command syntax?
07-19-2005 03:49 AM
Hi Peter,
Will it be possible for you to give me your PIX config (exclude all the confidential data)? This would help me to point at the right config part for the changes.
07-19-2005 04:12 AM
Hi
here is my firewall configuration
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pfw1
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list split_tunnel permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.1 255.255.255.0
ip address inside 192.168.0.200 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pool1 10.1.1.1
ip local pool pool2 10.1.1.2
ip local pool pool3 10.1.1.3
ip local pool pool4 10.1.1.5
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.2.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.81 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set megset esp-3des esp-md5-hmac
crypto dynamic-map mapA 10 set transform-set megset
crypto map mapA client configuration address initiate
crypto map mapA client configuration address respond
crypto map mapB 10 ipsec-isakmp dynamic mapA
crypto map mapB interface outside
isakmp enable outside
isakmp nat-traversal 100
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup client1 address-pool pool1
vpngroup client1 split-tunnel split_tunnel
vpngroup client1 idle-time 1800
vpngroup client1 password ********
vpngroup client2 address-pool pool2
vpngroup client2 split-tunnel split_tunnel
vpngroup client2 idle-time 1800
vpngroup client2 password ********
vpngroup client3 address-pool pool3
vpngroup client3 split-tunnel split_tunnel
vpngroup client3 idle-time 1800
vpngroup client3 password ********
vpngroup client4 address-pool pool4
vpngroup client4 split-tunnel split_tunnel
vpngroup client4 idle-time 1800
vpngroup client4 password ********
vpngroup client5 address-pool pool5
vpngroup client5 split-tunnel split_tunnel
vpngroup client5 idle-time 1800
vpngroup client5 password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 inside
07-19-2005 05:22 AM
Hi Peter,
I have seen your configuration. In the configuration, I can see that your peers get the IP address of 10.1.1.x range. In this case, when two clients are connected, they are as good as being in the same LAN as the inside of PIX. This means all are in the same subnet. We don't need any more commands for communication to happen between the hosts of the same LAN.
In fact, you can try this... let two clients connect to the PIX (VPN) simultaneously. Once the VPN comes up for both of them, let one client ping the inside of the PIX (should be successful) and then the other client's virtual IP assigned by the PIX (should also be successful). If you have NetBIOS enabled, you can try accessing the other client using its host name.
Please check the above and comment.
07-19-2005 05:42 AM
I believe there is another aspect that must be addressed. In the PIX implementation there has been a restriction that a device connecting from outside could not be rerouted back to another outside destination. I believe that restriction was lifted in version 7.0. I believe that in the version of code currently running on this PIX the outside to outside will not work. If they upgrade to version 7.0 it can work.
HTH
Rick
06-15-2006 08:13 PM
Has anyone tried this? I have the exact same problem. Does PIX 7.0 or higher fix this?
06-16-2006 07:49 AM
Yes PIX 7.0 does fix this.
HTH
Rick
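The change Rick refers to is the PIX 7.0 ability to send traffic back out the interface it arrived on. The fragment below is an added example in PIX 7.0 syntax, not from the thread or from Peter's config; it assumes the PIX has been upgraded to 7.0, that the client pool stays 10.1.1.0/24 as in the posted config, and that the ACL name nonat_outside is a hypothetical one chosen here.

```text
! Added example (PIX 7.0 syntax), not from the thread.
! 1. Permit traffic that enters and leaves the same interface
!    (the outside-to-outside hairpin the thread is about).
same-security-traffic permit intra-interface
! 2. The posted split_tunnel ACL only sends 192.168.0.0/24 into the
!    tunnel, so a client never tunnels packets for the other client's
!    pool address. Add the pool itself to the split-tunnel list.
access-list split_tunnel extended permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
! 3. Only needed if nat-control is enabled: exempt pool-to-pool traffic
!    arriving on outside from translation (nonat_outside is an assumed name).
access-list nonat_outside extended permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (outside) 0 access-list nonat_outside
```

Once this is in place, the ping test suggested earlier in the thread (10.1.1.1 to 10.1.1.2) is the quickest way to confirm the hairpin works; without step 2 the ICMP echo never enters the tunnel on the sending client.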
07-19-2005 06:00 AM
Hi
After the VPN is established from two clients, I tried to ping each other's addresses as you said, i.e. from 10.1.1.1 to 10.1.1.2, but no luck.
07-19-2005 06:16 AM
Peter,
As rburts says, it might be the problem that an outside client will not be able to access another outside client. Don't try PING, try something else. Let's say, share a folder on one of the clients and use this (from the command prompt) on the other client.
c:\>net use \\
It will then ask you for the password. Give the password of that user and try to map the drive.
If this doesn't work, the only workaround is to take a dedicated PC on the PIX inside and make it a terminal server (not exactly Windows, anything would do. You can even do an RDC from the terminal host).