VPN to ASA 5505 and access network behind PIX 506E

Sil3ncer1986
Level 1

Here's the scenario. I have 2 firewalls in my network: an ASA 5505 and a PIX 506E. Both firewalls' internal networks are in the 192.168.0.0/24 subnet, but their external addresses are different, of course. The inside IP for the ASA 5505 is 192.168.0.254/24, whereas the PIX is 192.168.0.1/24. I've successfully configured VPN on the ASA 5505. I'm able to VPN to the ASA and can ping/access hosts that have 192.168.0.254 as their gateway.

However, I'm unable to ping/access hosts behind the PIX. What do I need to do in order to allow access to the network behind the PIX after I VPN to the ASA? Also, I'm unable to ping 192.168.0.254 after I VPN to the ASA.

5 Replies

Jennifer Halim
Cisco Employee

To ping 192.168.0.254 after you VPN to the ASA, add the following command: management-access inside (this is assuming that your ASA inside interface is named "inside").

Now, with your PIX issue, since the internal network is the same for both inside of ASA and PIX, do you mean that the host behind PIX has default gateway pointing towards the PIX?

This doesn't sound like something that would work if they are connected to the same network.

If you are running PIX version 6.3 and lower, this setup will definitely not work.

If you are running PIX version 7.0 and higher, you can enable "same-security-traffic permit intra-interface" to allow traffic in and out of the same interface. Then you would need to configure the VPN Client pool to point towards the ASA inside interface on the PIX.

Jennifer, you're right. The host behind the PIX has default gateway pointing towards the PIX. How do I configure the VPN client pool to point towards the ASA inside interface on the PIX?

Btw, it seems as though "same-security-traffic permit intra-interface" doesn't exist on my PIX.

EDIT: The only host that is using 192.168.0.254 as a default gateway is our Exchange server. So, even if the PIX is down, they will still be able to access their emails. The users are on 192.168.0.1. I'm sure everyone knows how crucial email is.

If "same-security-traffic permit intra-interface" does not exist, that means you are running PIX version 6.3 or lower.

As advised earlier, PIX version 6.3 or lower does not support traffic coming in and out of the same interface, which is what you are trying to achieve, i.e.:

from 192.168.0.x host --> inbound PIX inside interface --> outbound via the same interface on PIX inside interface towards ASA inside interface

This scenario is not supported on PIX running version 6.3 and below.

A few suggestions moving forward:

1) Upgrade PIX to version 7.0 or higher that supports "same-security-traffic permit intra-interface".

2) Change the default gateway of the inside hosts from the PIX to the ASA inside interface. This might cause further potential problems if email is the only traffic that is supposed to go to the ASA, as there will be a lot of redirection. And you would need to turn off the TCP state check on the firewall if you go with this option.

In general, it is not recommended to send traffic in and out of the same interface of the firewall, as the firewall, as part of its function, maintains TCP state information. If it misses one of the states, the connection will be dropped. This is especially true if all traffic is originating from the same subnet, in your case 192.168.0.0/24.

As an example:

TCP SYN: host (192.168.0.25) --> PIX inside interface (192.168.0.1) --> redirect to ASA inside interface (192.168.0.254)

TCP SYN-ACK: ASA inside interface (192.168.0.254) --> directly to the host (192.168.0.25), bypassing PIX inside interface because they are in the same subnet

TCP ACK: host (192.168.0.25) --> PIX inside interface (192.168.0.1), however since PIX misses the SYN-ACK, it will drop the connection as it thinks that it's an attack due to the incomplete TCP state.

Hope this makes sense.
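The three-packet walk-through above can be replayed in a small model of a stateful firewall. The following is an added illustration written for this thread, not Cisco code and not part of any post: it tracks the TCP handshake per flow the way the PIX does, and shows why the ACK is dropped when the SYN-ACK never transits the PIX, why a symmetric path is fine, and why relaxing the TCP state check (Jennifer's second option) lets the same asymmetric flow through. The host, PIX and ASA addresses are the ones from the thread; the VPN client address 10.10.10.5 is an assumed pool address.

```python
"""Toy model of the asymmetric TCP path described in the thread.

Constructed example, not Cisco code. Addresses from the thread:
host 192.168.0.25, PIX inside 192.168.0.1, ASA inside 192.168.0.254.
The VPN client address is an assumed pool address.
"""

HOST = "192.168.0.25"
PIX_INSIDE = "192.168.0.1"
ASA_INSIDE = "192.168.0.254"
VPN_CLIENT = "10.10.10.5"  # assumed VPN client pool address, not from the thread


class StatefulFirewall:
    """Tracks the TCP three-way handshake per flow, as a PIX/ASA does by default.

    strict=True  : a packet for a flow whose handshake was not fully seen is dropped
                   (the PIX behaviour described in the thread).
    strict=False : the state check is relaxed and the packet is forwarded
                   (models turning off the TCP state check, the thread's option 2).
    """

    def __init__(self, name, strict=True):
        self.name = name
        self.strict = strict
        self.flows = {}   # flow key -> "SYN_SEEN" | "ESTABLISHED"
        self.log = []

    @staticmethod
    def _key(src, dst):
        # Direction-independent key so both halves of the flow share one entry
        return frozenset((src, dst))

    def inspect(self, src, dst, flags):
        key = self._key(src, dst)
        state = self.flows.get(key)
        if flags == "SYN":
            self.flows[key] = "SYN_SEEN"
            verdict = "forward"
        elif flags == "SYN-ACK":
            if state == "SYN_SEEN":
                self.flows[key] = "ESTABLISHED"
                verdict = "forward"
            else:
                verdict = "drop" if self.strict else "forward"
        else:  # ACK or data
            if state == "ESTABLISHED" or not self.strict:
                verdict = "forward"
            else:
                # Handshake incomplete from the firewall's point of view
                verdict = "drop"
        self.log.append(f"{self.name}: {src} -> {dst} [{flags}] state={state} => {verdict}")
        return verdict


def simulate_handshake(strict=True, syn_ack_via_pix=False):
    """Replay the three packets from the thread's example through the PIX.

    The SYN and ACK leave the host via its default gateway (PIX) and are
    redirected to the ASA. With syn_ack_via_pix=False (the thread's scenario)
    the SYN-ACK comes back from the ASA straight to the host on the shared
    subnet, so the PIX never sees it. Returns (verdicts, log), with
    "not seen" as the verdict for a packet that bypassed the PIX.
    """
    pix = StatefulFirewall("PIX", strict=strict)
    packets = [
        (HOST, VPN_CLIENT, "SYN", True),                 # host -> PIX -> ASA
        (VPN_CLIENT, HOST, "SYN-ACK", syn_ack_via_pix),  # ASA -> host, normally bypassing PIX
        (HOST, VPN_CLIENT, "ACK", True),                 # host -> PIX -> ASA
    ]
    verdicts = []
    for src, dst, flags, via_pix in packets:
        verdicts.append(pix.inspect(src, dst, flags) if via_pix else "not seen")
    return verdicts, pix.log


if __name__ == "__main__":
    cases = [
        ("asymmetric, strict state check", dict(strict=True)),
        ("asymmetric, state check relaxed", dict(strict=False)),
        ("symmetric path, strict state check", dict(syn_ack_via_pix=True)),
    ]
    for label, kwargs in cases:
        verdicts, log = simulate_handshake(**kwargs)
        print(f"{label}: {verdicts}")
        for line in log:
            print("  " + line)
```

The first case reproduces the drop on the final ACK: the PIX only has a half-open entry for the flow, so the ACK looks like a packet for a session that was never completed. Routing the SYN-ACK back through the PIX (third case) or relaxing the state check (second case) both change the verdict, which is exactly the choice between options 1 and 2 above.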

Jennifer, thanks for your reply. Your 2 suggestions are sound, but they might not be feasible at the moment. The firewalls are connected to 2 Cisco 881 routers, one router for each firewall. What if I configured routing between the routers, i.e. EIGRP? Will this method work?

Those 2 routers are connected to the outside interface of the firewalls, right?

The problem is not with the outside (VPN) traffic. The problem is with the clear text traffic on the inside interface after the traffic has been unencrypted.

So no, routing protocols on the outside interface of the firewall don't help, as the issue is on the inside interface of the firewalls.