02-13-2007 10:30 AM - edited 02-21-2020 02:52 PM
Hi,
I'm doing a test with 2 506's and VPN clients.
I want the following:
LAN 1 ----PIX1 ----Internet---- PIX2 LAN2
and VPN clients connecting to the PIX 2 so that they can access LAN 1 and LAN 2
I've configured the site to site successful and also the VPNclient connection to the PIX2. But those clients can't access LAN1.
I'm close but I can't put my finger on it.
thx
Lenore
02-13-2007 11:36 AM
Hi Lenore,
It will not work. You are using a PIX 506 which does not support ver 7.x and because of that it does not support traffic redirection (U-turning). You need at least a PIX 515 for this and 7.x code. Or you can send the traffic in and get it routed from inside the firewall.
HTH,
Kamal
03-20-2007 03:24 AM
Hi, I have a couple of 501s installed with the same config but I can't get the VPN client to connect to either PIX. I can configure a site-to-site tunnel, or client VPN access, but not both at the same time.
1st any pointers that I need to look for?
2nd should I move to ASA5505 instead?
/Peter
03-20-2007 07:04 AM
You can have a remote access VPN and a LAN-to-LAN tunnel at the same time. What you cannot do with your 501 is have remote access clients connect to the VPN and then bounce off the PIX and cross the LAN-to-LAN tunnel. If you are just trying to get VPN clients to connect to the PIX, then you must have a configuration problem. If you are trying to do what the original poster was trying to do, you would also not be able to without version 7, which your 501 doesn't support.
03-20-2007 03:59 PM
03-20-2007 04:12 PM
Add your new nat exempt traffic to your existing nat 0 acl instead of creating a new one.
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 90 permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list 90
03-21-2007 05:53 AM
Thanks! Same applied to the crypto map. Now I can connect with the VPN client and keep the existing LAN-to-LAN tunnel up, but can't get any data through to the VPN client, e.g. UDP port 53 for DNS lookups. The connection is being built, and then torn down, but I have no responses to the client. I'm either missing something obvious in my ACL or ???
I'm attaching current config, pls have a look.
cheers / Peter
03-21-2007 06:02 AM
I think I should have mentioned this before but you should not use the same access-list for your crypto acl and your nat 0 acl. Do this. Leave acl 90 for your crypto acl for your lan to lan tunnel. Then create a new acl for your nat 0 traffic which will include lan to lan and remote vpn traffic.
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
no access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 log 4
no access-list 90 permit ip 192.168.0.0 255.255.255.0 any log 4
no nat (inside) 0 access-list 90
access-list 95 permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 95 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 95
Let me know if that works, please rate if these help. Yes, and thanks Kanishka, the split tunnel ACL should change as well.
03-21-2007 06:04 AM
As per your configuration, you are using the same ACL for nonat, split tunnel and crypto map (site to site). This will never work, as all the client traffic is now being sent to the site-to-site tunnel.
You have to make the following changes for this to work :
no crypto map toLund interface outside
no access-list 90
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list split permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map toLund 20 match address 90
vpngroup Petena split-tunnel split
no crypto map toLund 10 ipsec-isakmp dynamic outside_dyn_map
crypto map toLund 100 ipsec-isakmp dynamic outside_dyn_map
crypto map toLund interface outside
That would do it !!
*Please rate if helped.
-Kanishka
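The root cause in this thread is one ACL (90) bound to three different roles: nat 0 exemption, the site-to-site crypto map match address, and the vpngroup split tunnel. The following is an added example, not from the thread or from Cisco, that scans a saved PIX 6.x config for that pattern; the two configs embedded in it are constructed to mirror the broken and the corrected layout described above, and the regexes assume the standard PIX 6.x command syntax shown in the posts.

```python
import re
from collections import defaultdict

# Constructed sample resembling the thread's original (broken) configuration,
# where one ACL serves nat 0, the site-to-site crypto map and the split tunnel.
SAMPLE_CONFIG = """\
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list 90
crypto map toLund 20 match address 90
vpngroup Petena split-tunnel 90
"""

# Constructed corrected configuration in the shape Kanishka's reply suggests.
FIXED_CONFIG = """\
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list split permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map toLund 20 match address 90
vpngroup Petena split-tunnel split
"""

# One regex per role an ACL can be bound to on a PIX 6.x; group 1 is the ACL name.
ROLE_PATTERNS = {
    "nat0": re.compile(r"^nat \(\S+\) 0 access-list (\S+)"),
    "crypto": re.compile(r"^crypto map \S+ \d+ match address (\S+)"),
    "split": re.compile(r"^vpngroup \S+ split-tunnel (\S+)"),
}

def acl_roles(config):
    """Return {acl_name: set(roles)} for every ACL bound as nat 0, crypto match or split tunnel."""
    roles = defaultdict(set)
    for line in config.splitlines():
        line = line.strip()
        for role, pat in ROLE_PATTERNS.items():
            m = pat.match(line)
            if m:
                roles[m.group(1)].add(role)
    return dict(roles)

def shared_acls(config):
    """Names of ACLs bound in more than one role, i.e. the misconfiguration from the thread."""
    return sorted(name for name, r in acl_roles(config).items() if len(r) > 1)

if __name__ == "__main__":
    for name in shared_acls(SAMPLE_CONFIG):
        print(f"ACL {name} is reused as: {', '.join(sorted(acl_roles(SAMPLE_CONFIG)[name]))}")
```

Run against the broken sample it reports ACL 90 as shared by all three roles; against the corrected sample it reports nothing, since each role now has its own ACL.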
03-23-2007 02:29 AM
thank you both guys, this did the trick.
/Peter
03-23-2007 05:13 AM
Glad to know it worked. How about a rating ;-)