VPN to multiple internal networks

skcarter
Level 1

Hi

I have VPN services set up on our Pix 515.

I have 2 internal networks behind my firewall.

Network 1 is on the same subnet as the pix inside interface.

Network 2 is one hop removed on another vlan.

Traffic is passing between these 2 networks and both networks can access the internet.

The users on network 2 cannot access their network via VPN, although the users on network 1 can.

How do I configure my IPsec VPN to allow the users on network 2 to access their network?

A pointer to any specific documentation would be appreciated.

7 Replies

gfullage
Cisco Employee

You probably have something like the following on your config:

nat (inside) 0 access-list nonat

access-list nonat permit ip

This tells the PIX not to NAT traffic coming from network1 going to the VPN clients. You probably don't have the same for network2, meaning the PIX will NAT this traffic rather than encrypt it. Add the following and you should be good to go:

access-list nonat permit ip

Also make sure the router connecting network1 to network2 has a route to the VPN client pool that points to the inside interface of the PIX.

Here is what I have for the 2 internal networks.

This should work right?

access-list 102 permit ip 10.40.1.0 255.255.255.0 10.40.1.0 255.255.255.0

access-list 102 permit ip 10.20.1.0 255.255.255.0 10.20.1.0 255.255.255.0

---------

nat (inside) 0 access-list 102

I pulled the client pool from network 1, and network 2 has access to all the hosts on network 1.

No, this does not look OK. I think you mixed up your config with the STATIC example to disable NAT.

Supposing that your VPN pool is 10.10.1.0 and internal network 1 is 10.40.1.0 and network 2 is 10.20.1.0.

Then it would look like this:

Syntax:

access-list nonat permit ip

Example:

access-list 102 permit ip 10.40.1.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list 102 permit ip 10.20.1.0 255.255.255.0 10.10.1.0 255.255.255.0

Do not forget to add a route to network 1 or 2 if it is reached via another router on the inside interface, and of course a route to the VPN pool on the inside router with the PIX as gateway.

Example:

route inside 10.20.1.0 255.255.255.0 InsideRouterIP

Sincerely,

Patrick

OK, here is the client pool statement I have configured.

ip local pool thelocalpool 10.40.1.210-10.40.1.220

That's what I meant when I said it was pulled from network 1.

--------------

Here is the original access list for no NAT.

access-list 102 permit ip 10.40.1.0 255.255.255.0 10.40.1.0 255.255.255.0

access-list 102 permit ip 10.20.1.0 255.255.255.0 10.20.1.0 255.255.255.0

---------------------------------

Should it look like this instead?

access-list 102 permit ip 10.40.1.0 255.255.255.0 10.40.1.0 255.255.255.0

access-list 102 permit ip 10.20.1.0 255.255.255.0 10.40.1.0 255.255.255.0

Thanks for your help BTW.

No, you need

access-list 102 permit ip first.inside.subnet.here 255.255.255.0 10.40.1.0 255.255.255.0

access-list 102 permit ip second.inside.subnet.here 255.255.255.0 10.40.1.0 255.255.255.0

Isn't that what I just posted?

No, x.x.40.x is the ip local pool, which lives on the *outside* interface, as that is where the VPN clients connect from.
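The two faults discussed in this thread, a nat 0 ACL entry that does not pair an inside subnet with the VPN pool (gfullage's and Patrick's replies) and a client pool carved out of an inside subnet (the last reply), can both be caught by a small audit of the config text. The following Python script is an added example, not code from the thread or from Cisco; the sample config lines it parses are constructed to mirror the thread, and the PIX 6.x syntax it recognises is limited to the three statement shapes quoted above.

```python
import ipaddress
import re

# Constructed sample config modelled on the thread (not a real device dump):
# network 1 is exempted correctly, network 2 still has the "subnet to itself" entry.
SAMPLE_CONFIG = """\
ip local pool thelocalpool 10.10.1.1-10.10.1.50
access-list 102 permit ip 10.40.1.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list 102 permit ip 10.20.1.0 255.255.255.0 10.20.1.0 255.255.255.0
nat (inside) 0 access-list 102
"""

ACE_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")


def parse_config(text):
    """Extract the nat 0 ACL name, the ACL entries and the VPN pool from config text."""
    acls, pool, nat0_acl = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            acls.setdefault(m.group(1), []).append((src, dst))
        elif m := POOL_RE.match(line):
            first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            pool = list(ipaddress.summarize_address_range(first, last))  # pool as CIDR chunks
        elif m := NAT0_RE.match(line):
            nat0_acl = m.group(1)
    return acls, pool, nat0_acl


def audit_nat_exemption(text, inside_subnets):
    """Return the problems that would stop VPN clients reaching each inside subnet."""
    acls, pool, nat0_acl = parse_config(text)
    if nat0_acl is None or pool is None:
        return ["missing nat (inside) 0 statement or ip local pool"]
    entries, problems = acls.get(nat0_acl, []), []
    for name in inside_subnets:
        net = ipaddress.ip_network(name)
        # Every chunk of the pool must be matched by an ACE whose source covers this subnet.
        covered = all(any(net.subnet_of(s) and chunk.subnet_of(d) for s, d in entries)
                      for chunk in pool)
        if not covered:
            problems.append(f"{net} -> pool not exempted from NAT in {nat0_acl}")
        if any(net.overlaps(chunk) for chunk in pool):
            problems.append(f"pool overlaps inside subnet {net}; pool must be a separate range")
    return problems


if __name__ == "__main__":
    for problem in audit_nat_exemption(SAMPLE_CONFIG, ["10.40.1.0/24", "10.20.1.0/24"]):
        print(problem)
```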