PIX to PIX VPN coexisting with PIX to VPN Client

Dec 31st, 2007

I'm administering a small business network across two offices. Both offices have a PIX501 firewall. Right now we have a working PIX to PIX VPN tunnel between offices and everything is working great. But I am trying to get remote VPN access working for people outside the office with laptops and Cisco VPN Client software. My problem is with NAT 0. I have an access group for the PIX to PIX VPN and an access group for the VPN Client. I can get either VPN to work depending on which access list the NAT 0 statement has, but I can't get both groups to work at the same time. If I put one of the remote clients into the PIX to PIX access group, the remote client connects, but there is no network access. Can someone look at my config and help me?

srue Mon, 12/31/2007 - 15:33

nat 0 can only take one acl. combine them both and use just the one acl for nat 0.


macevanscb Thu, 01/03/2008 - 12:26

I've tried this with only one access list. .... see the last couple of sentences in my first post. But I did it again just to make sure. Please see attached config.


And I still have same problem. PIX-to-PIX VPN from other office works fine. But remote VPN from Cisco Client has problems. The VPN tunnel does connect. But the remote PC is not getting connected to the local network. I think there is some kind of routing problem here. But the remote client connected just fine to my server when it had its own access list and the nat 0 set to it, which also, of course, killed the PIX-to-PIX vpn.

acomiskey Thu, 01/03/2008 - 12:31

Not a nat 0 problem. Add this to your pix...


isakmp nat-traversal

adam.sellhorn Thu, 01/03/2008 - 12:41

It would seem more scalable and cleaner, in my opinion, to add a no_nat acl with 192.168.2.0/24 and 192.168.4.0/24 and put that in your nat 0 config. Then change your VPN client pool back to 192.168.4.0/24.

acomiskey Thu, 01/03/2008 - 12:44

I agree Adam. Change your pool back and add nat-traversal and you should be good to go.

macevanscb Thu, 01/03/2008 - 13:00

OK ... this makes total sense to me. What doesn't make sense is a no_nat acl with two destination addresses. I can't decode anything like this out of my 6.3 cmd ref. Can you show me what such an access-list command statement would look like??

acomiskey Thu, 01/03/2008 - 13:12

access-list nonat permit ip Main 255.255.255.0 192.168.2.0 255.255.255.0

access-list nonat permit ip Main 255.255.255.0 192.168.4.0 255.255.255.0

nat (inside) 0 access-list nonat


adam.sellhorn Thu, 01/03/2008 - 13:15

It should look something like:


access-list acl_no_nat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list acl_no_nat permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0


nat (inside) 0 access-list acl_no_nat


the no NAT access-list can have many destination subnets or IPs in it. All it does is tell the PIX not to NAT traffic going from 192.168.1.0/24 to West or to VPN clients. For example, if you add another site to site VPN you will need to add another line in the acl_no_nat access-list:


access-list acl_no_nat permit ip 192.168.1.0 255.255.255.0


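As an added illustration of the point above (this is example code, not anything from the thread or from Cisco): a small Python checker that parses PIX-style access-list, nat 0 and crypto map lines from a constructed snippet using the addresses discussed here, shows that a single nat 0 ACL with several entries exempts both the site-to-site subnet and the client pool from translation, and flags a crypto map or nat 0 line that names an ACL which was never defined.

```python
import ipaddress
import re

# Constructed PIX 6.3-style snippet modelled on the addresses in this thread; not the poster's config.
PIX_CONFIG = """\
access-list acl_no_nat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl_no_nat permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list acl_no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 20 match address acl_no_nat
"""

# Only the subnet/netmask form of an ACE is handled (no "host"/"any" keywords).
ACE_RE = re.compile(r"access-list (\S+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")
CRYPTO_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)")


def parse_config(text):
    """Return (acls, nat0, crypto_refs): ACEs per ACL name, nat 0 ACL per interface, ACLs named by crypto maps."""
    acls, nat0, crypto_refs = {}, {}, []
    for line in text.splitlines():
        if m := ACE_RE.match(line):
            name, action, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (action, ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := CRYPTO_RE.match(line):
            crypto_refs.append(m.group(1))
    return acls, nat0, crypto_refs


def nat_exempt(acls, nat0, iface, src, dst):
    """True if the nat 0 ACL bound to iface permits src->dst (first matching entry wins, as on the PIX)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acls.get(nat0.get(iface), []):
        if src in snet and dst in dnet:
            return action == "permit"
    return False  # no match: traffic falls through to the ordinary nat/global translation


def missing_acl_refs(acls, nat0, crypto_refs):
    """ACL names referenced by nat 0 or crypto map lines that are never defined."""
    return sorted({n for n in list(nat0.values()) + crypto_refs if n not in acls})


if __name__ == "__main__":
    acls, nat0, refs = parse_config(PIX_CONFIG)
    for dst in ("192.168.2.5", "192.168.4.100", "8.8.8.8"):
        print(dst, "exempt" if nat_exempt(acls, nat0, "inside", "192.168.1.10", dst) else "translated")
    print("undefined ACLs:", missing_acl_refs(acls, nat0, refs))
```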
macevanscb Fri, 01/04/2008 - 06:09

Thanks Adam ... it is simple. It just wasn't clear to me that multiple statements could be assigned to the same acl. And it's right there in the manual ... second sentence in the Access List Usage. Need to knock down some glass walls in my head and read a little closer.

macevanscb Wed, 01/23/2008 - 07:02

Adam .... I have another access-list question. I want to do something simple: open a port for the remote VPN users. But, to me the access-list doc for this operation in the cmd ref is really cryptic. How would I open port 12345? Do I have to define an object group to do this?

adam.sellhorn Wed, 01/23/2008 - 07:31

I would recommend changing your vpnwest ip pool to the RmtVPN subnet (192.168.4.0) and then adding an access-list for just no-nat. For example:


remove: access-list vpn_west permit ip ESIMain 255.255.255.0 RmtVPN 255.255.255.0

add: access-list no-nat permit ip ESIMain 255.255.255.0 ESIWest 255.255.255.0

add: access-list no-nat permit ip ESIMain 255.255.255.0 RmtVPN 255.255.255.0

remove: nat (inside) 0 access-list vpn_west

add: nat (inside) 0 access-list no-nat

remove: ip local pool vpnwest 192.168.2.100-192.168.2.110

add: ip local pool rmtvpn 192.168.4.100-192.168.4.110

remove: vpngroup vpnwest address-pool vpnwest

add: vpngroup vpnwest address-pool rmtvpn

remove: vpngroup makvpn address-pool vpnwest

add: vpngroup makvpn address-pool rmtvpn


A lot of this is cosmetics but it will help when troubleshooting. You shouldn't need an access-list on your outside interface to allow remote vpn access to it. Once the client is connected I believe they will have full access to your 192.168.1.0/24 network in this configuration. Are you wanting to restrict this access?

acomiskey Wed, 01/23/2008 - 08:36

As long as you have "sysopt connection permit-ipsec" there is no need to define an access-list to allow traffic from the vpn client as all traffic will be allowed.

macevanscb Wed, 01/23/2008 - 10:10

Before I discovered the use of multiple access-list commands for one access group, I had tried the setup you described. It didn't work. The VPN from the west office is different: it's a PIX to PIX VPN tunnel that I found docs for on Cisco's site. I believe it works differently from the connections from the VPN Client software that's out on remote laptops. The west office is on 192.168.2.0 and it appears if I remove that network from the config, the VPN from there will not connect. I've attached both the doc I got this from and the config from the west office router. Using the configs in this doc was the only way I could get the PIX-to-PIX VPN to work .... all the other VPN docs were wrong.

adam.sellhorn Wed, 01/23/2008 - 13:41

It looks as though, based on the provided config, that you are NAT'ing traffic that is supposed to go over the VPN tunnel. You are going to want to have a no-nat access-list on the WestPIX also:


access-list no-nat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list no-nat


Also, you will want to enable sysopt connection permit-ipsec for the tunnel to come up with your current configuration.


sysopt connection permit-ipsec


You will also need to enable your crypto and isakmp commands again. Issue the same commands that are in your WestPIX config with the no crypto... and no isakmp... without the "no" in front. The following command will need to change also:


crypto map outside_map 20 match address inside_outbound_nat0_acl


to:


crypto map outside_map 20 match address no-nat


This is due to the access-list inside_outbound_nat0_acl not existing.


I hope this helps.
