SITE-to-SITE and VPN client access to remote LAN

Unanswered Question
Feb 13th, 2007

Hi,

I'm doing a test with 2 506's and VPN clients.

I want the following:

LAN 1 ----PIX1 ----Internet---- PIX2 LAN2

and VPN clients connecting to the PIX 2 so that they can access LAN 1 and LAN 2

I've configured the site-to-site successfully and also the VPN client connection to the PIX2. But those clients can't access LAN1.

I'm close but I can't put my finger on it.

thx

Lenore

Kamal Malhotra Tue, 02/13/2007 - 11:36

Hi Lenore,

It will not work. You are using a PIX 506 which does not support ver 7.x and because of that it does not support traffic redirection (U-turning). You need at least a PIX 515 for this and 7.x code. Or you can send the traffic in and get it routed from inside the firewall.

HTH,

Kamal

workorderps Tue, 03/20/2007 - 03:24

Hi, I have a couple of 501s installed with the same config but I can't get vpnclient to connect to either PIX. I can configure a site-site tunnel, or client vpn access, but not both at the same time.

1st any pointers that I need to look for?

2nd should I move to ASA5505 instead?

/Peter

acomiskey Tue, 03/20/2007 - 07:04

You can have a remote access vpn and a lan-to-lan tunnel at the same time. What you cannot do with your 501 is have remote access clients connect to the vpn and then bounce off the pix and cross the lan-to-lan tunnel. If you are just trying to get vpn clients to connect to the pix, then you must have a configuration problem. If you are trying to do what the original poster was trying to do, you would also not be able to without version 7, which your 501 doesn't support.

workorderps Tue, 03/20/2007 - 15:59

Thanks for your reply, no I wasn't really getting that far as the original poster. I can't get the basic config to work. Whenever I add the nat (inside) 0 the lan to lan tunnel goes down. I'm attaching my running config and the vpnclient config I'm trying to invoke.

Attachment: 
acomiskey Tue, 03/20/2007 - 16:12

Add your new nat exempt traffic to your existing nat 0 acl instead of creating a new one.

access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 90 permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list 90

workorderps Wed, 03/21/2007 - 05:53

Thanks! Same applied to crypto map. Now I can connect with the vpn-client and keep the existing lan to lan tunnel up, but can't get any data through to the vpn-client, f.ex. udp port 53 for dns lookups. The connection is being built and then torn down, but I have no responses to the client. I'm either missing something obvious in my acl or ???

I'm attaching current config, pls have a look.

cheers / Peter

acomiskey Wed, 03/21/2007 - 06:02

I think I should have mentioned this before but you should not use the same access-list for your crypto acl and your nat 0 acl. Do this. Leave acl 90 for your crypto acl for your lan to lan tunnel. Then create a new acl for your nat 0 traffic which will include lan to lan and remote vpn traffic.

access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
no access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 log 4
no access-list 90 permit ip 192.168.0.0 255.255.255.0 any log 4
no nat (inside) 0 access-list 90
access-list 95 permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 95 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 95

let me know if that works, please rate if these help. Yes, and thanks Kanishka, the split tunnel acl should change as well.

kaachary Wed, 03/21/2007 - 06:04

As per your configuration, you are using the same ACL for nonat, split tunnel and crypto map (site to site). This will never work, as all the client traffic is now being sent to the site to site tunnel.

You have to make the following changes for this to work :

no crypto map toLund interface outside
no access-list 90
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list split permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map toLund 20 match address 90
vpngroup Petena split-tunnel split
no crypto map toLund 10 ipsec-isakmp dynamic outside_dyn_map
crypto map toLund 100 ipsec-isakmp dynamic outside_dyn_map
crypto map toLund interface outside

That would do it!!

*Please rate if helped.

-Kanishka
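The point both acomiskey and Kanishka make is that one PIX access-list was doing three jobs at once: the lan-to-lan crypto ACL (what gets encrypted to the site-to-site peer), the nat 0 ACL (what is exempt from NAT) and the split-tunnel ACL (what the VPN client routes into its tunnel). The following is an added example, not code from any poster in this thread and not Cisco software: a small Python model that parses the `access-list ... permit ip` lines quoted above, evaluates a packet against each of the three roles, and flags a crypto ACL whose entries cover the remote-access client pool. The "before" config is reconstructed from the `no access-list 90 ...` lines in acomiskey's post, the "after" config from Kanishka's lines; the server and client addresses, and the assumption that 192.168.0.0/24 is the client pool, are constructed for the example. It only models ACL matching, not crypto map sequence ordering or IKE state.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(tokens, i):
    """Consume one ACL address operand: 'any' or '<network> <mask>'.

    Returns (network, index of the next unread token). PIX masks are plain
    subnet masks, which ipaddress accepts in the prefix position.
    """
    if tokens[i] == "any":
        return ANY, i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config_text):
    """Collect 'access-list <name> permit ip <src> <dst>' lines into
    {name: [(src_net, dst_net), ...]}. Trailing keywords such as 'log 4' are
    ignored and only permit-ip entries are modelled (enough for this thread)."""
    acls = {}
    for raw in config_text.splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue
        src, i = _net(t, 4)
        dst, _ = _net(t, i)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


def permits(acl, src_ip, dst_ip):
    """First-match evaluation of a permit-only ACL with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in acl)


@dataclass
class Policy:
    acls: dict
    crypto_acl: str   # crypto map <name> <seq> match address <acl>
    nonat_acl: str    # nat (inside) 0 access-list <acl>
    split_acl: str    # vpngroup <group> split-tunnel <acl>

    def classify(self, src_ip, dst_ip):
        """Which of the three roles a packet from the inside matches."""
        return {
            "l2l_tunnel": permits(self.acls[self.crypto_acl], src_ip, dst_ip),
            "nat_exempt": permits(self.acls[self.nonat_acl], src_ip, dst_ip),
            "split_tunnel": permits(self.acls[self.split_acl], src_ip, dst_ip),
        }

    def audit(self, client_pool):
        """Flag crypto ACL entries whose destination overlaps the remote-access
        client pool: replies to clients would be selected for the site-to-site SA."""
        pool = ipaddress.ip_network(client_pool)
        return [
            f"crypto acl '{self.crypto_acl}' entry {src} -> {dst} covers client pool {pool}"
            for src, dst in self.acls[self.crypto_acl]
            if pool.overlaps(dst)
        ]


# Constructed "before": one ACL reused for crypto map, nat 0 and split tunnel.
BEFORE_CONFIG = """
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 log 4
access-list 90 permit ip 192.168.0.0 255.255.255.0 any log 4
"""
# Constructed "after": the separate ACLs from Kanishka's post.
AFTER_CONFIG = """
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list split permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
"""
BEFORE = Policy(parse_acls(BEFORE_CONFIG), crypto_acl="90", nonat_acl="90", split_acl="90")
AFTER = Policy(parse_acls(AFTER_CONFIG), crypto_acl="90", nonat_acl="nonat", split_acl="split")

INSIDE_SERVER = "192.168.2.10"   # constructed: a DNS server on LAN2
VPN_CLIENT = "192.168.0.5"       # constructed: an address from the assumed client pool
CLIENT_POOL = "192.168.0.0/24"   # assumed pool, inferred from the split ACL above

if __name__ == "__main__":
    for name, policy in (("before", BEFORE), ("after", AFTER)):
        print(name, "server->client:", policy.classify(INSIDE_SERVER, VPN_CLIENT))
        print(name, "audit:", policy.audit(CLIENT_POOL) or "ok")
```

With the shared ACL the DNS reply from the inside server to the client matches the lan-to-lan crypto ACL as well as nat 0, which is the symptom Peter reported (connection built, then torn down, no response at the client). With the split ACLs the same packet is NAT-exempt and inside the split-tunnel scope but no longer matches the site-to-site crypto ACL, and traffic to 192.168.1.0/24 still does.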
