Site to site VPN with VPN Client access to both sites?

Answered Question
Mar 18th, 2007

Current:

Scenario is remote office to main office. Site to site IPSEC tunnel from remote (netscreen) to main (pix 506e). Users use Cisco VPN Client to access main office remotely.

This is all working perfectly.

Problem:

Now we want remote users who connect to the main office to also be able to access resources in the remote office.

This seems like it would be easy to implement but I cannot figure it out.

Thanks in advance.

Rollo

----------

#10.10.10.0 = network1
#10.10.11.0 = network2
#172.16.1.0 = vpn pool

PIX Version 6.3(4)
access-list 101 permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list splitTunnel permit ip 10.10.10.0 255.255.255.0 any
access-list splitTunnel permit ip 10.10.11.0 255.255.255.0 any
access-list 115 permit ip any 172.16.1.0 255.255.255.0
access-list 116 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list 116 permit ip any 10.10.11.0 255.255.255.0
access-list 116 permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 209.x.x.x 255.255.255.224
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.1.0-172.16.1.50
global (outside) 1 interface
global (outside) 10 209.x.x.x 255.255.255.224
nat (inside) 0 access-list 101
nat (inside) 10 10.10.10.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.x.x.x 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map vpnclients-dynmap 10 set transform-set myset
crypto map myset1 35 ipsec-isakmp
crypto map myset1 35 match address 116
crypto map myset1 35 set peer x.x.x.x
crypto map myset1 35 set transform-set myset1
crypto map myset1 90 ipsec-isakmp dynamic vpnclients-dynmap
crypto map myset1 client configuration address initiate
crypto map myset1 client configuration address respond
crypto map myset1 interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash sha
isakmp policy 15 group 1
isakmp policy 15 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 25 authentication pre-share
isakmp policy 25 encryption des
isakmp policy 25 hash md5
isakmp policy 25 group 2
isakmp policy 25 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup mygroup address-pool vpnpool
vpngroup mygroup dns-server dns1 dns2
vpngroup mygroup wins-server wins1 wins2
vpngroup mygroup default-domain mydomain
vpngroup mygroup split-tunnel splitTunnel
vpngroup mygroup idle-time 64000
vpngroup mygroup password **********
telnet timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside

Correct Answer by Kamal Malhotra, Mon, 03/19/2007 - 00:41

Hi Rollo,

You cannot implement it for a simple reason: it is not supported on the PIX version 6.x. It is supported on the PIX ver 7.x, but 7.x is not supported on PIX 506. So, in a nutshell, it cannot be achieved on a PIX 506. If you have an ASA, a PIX 515 running 7.x, a router or even a concentrator, it can be achieved.

HTH,

Please rate if it helps,

Regards,

Kamal

rollotomnasi Tue, 06/03/2008 - 08:19

Thanks Kamal.

What is this configuration called? How is it achieved with 7.x or an ASA (we have both).

gerdpleyer Sun, 06/29/2008 - 05:03

I am also interested... please report your workaround. Thanks ;)
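The thread never shows the 7.x configuration Rollo asks about. The excerpt below is an added example by the editor, not Cisco's and not from any post in this thread, sketching what it looks like on an ASA or PIX running 7.x software using the poster's addressing (10.10.10.0/24 main office, 10.10.11.0/24 remote office, 172.16.1.0/24 VPN pool). Decrypted VPN client traffic arrives on outside and has to leave on outside again through the site-to-site tunnel, so the box must be told to allow intra-interface ("hairpin" or "U-turn") traffic, which is the feature the accepted answer says 6.x lacks. The ACL names l2l_remote, nonat and nonat_outside are made up for this example, and it is assumed that the NetScreen end has a mirror-image policy (proxy ID 10.10.11.0/24 to 172.16.1.0/24) and that the existing split-tunnel list still includes 10.10.11.0/24 as it does in the posted config.

```cisco
! Added example (hypothetical names), 7.x syntax; not from the thread.
! 1. Allow traffic that enters and leaves the same interface (outside -> outside).
same-security-traffic permit intra-interface

! 2. Crypto ACL for the L2L tunnel: the VPN client pool must be an
!    interesting-traffic source alongside the main-office LAN.
!    Keep these to the specific subnets rather than "any" so the tunnel
!    does not become a path for anything the firewall would otherwise block.
access-list l2l_remote extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list l2l_remote extended permit ip 172.16.1.0 255.255.255.0 10.10.11.0 255.255.255.0

! 3. NAT exemption. Inside hosts talking to the pool and to the remote LAN
!    stay unNATed, and the hairpinned pool-to-remote traffic is exempted on
!    outside so no outside NAT rule rewrites it before re-encryption.
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_outside extended permit ip 172.16.1.0 255.255.255.0 10.10.11.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (outside) 0 access-list nonat_outside

! 4. Point the static L2L crypto map entry at the new crypto ACL
!    (replaces "match address 116" in the posted 6.3 config).
crypto map myset1 35 match address l2l_remote
```

The split-tunnel list pushed to the clients decides what they send into the tunnel, the crypto ACL decides what the firewall is willing to re-encrypt toward the NetScreen, and the NetScreen's policy decides what it accepts; all three have to name the 172.16.1.0/24 pool, and a mismatch in any one of them shows up as a Phase 2 proxy-ID failure or silently dropped packets. Check with `show crypto ipsec sa` that a second SA pair for 172.16.1.0/24 to 10.10.11.0/24 comes up when a client first reaches the remote office.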