VPN on PIX

Answered Question
Mar 14th, 2008

Hi, we have configured a PIX firewall on two sites, both are connected by a tunnel and everything is working fine. We have also configured remote VPN on both firewalls, have set the DHCP range of the remote VPN to be different from the inside network, and have configured exempt traffic between the VPN and the inside network on both firewalls. But now I want the VPN client nodes to access the other firewall's inside network as well. Details are given below:

1) First Firewall (India) conf:

Inside 192.168.12.0/24
Outside *.*.*.*
VPN DHCP Range 192.168.253.0/24

2) Second Firewall conf:

Inside 192.168.10.0/254
Outside *.*.*.*
VPN DHCP Range 192.168.252.0/24


Now what configuration should I make so that the VPN clients of the 1st firewall are able to access the other firewall's network? And is it possible on the PIX 500 series or ASA series? Thanks

cisco24x7 Sun, 03/16/2008 - 06:04
User Badges:
  • Silver, 250 points or more

Definitely possible. It's called hairpin. You can do it with PIX or ASA in version 7.x or higher.


CCIE Security

francisco_1 Sun, 03/16/2008 - 08:31
User Badges:
  • Gold, 750 points or more

Firstly, make sure the tunnel is active between both firewalls and make sure both firewalls can ping each other's inside interface.

Since your IPsec tunnel already exists between your PIXes, you only need to define the traffic you are interested in on your IPsec tunnel between your PIXes.

For example, to allow the first firewall's VPN clients (192.168.253.0/24) to access firewall 2's inside interface (192.168.10.0/24), you will need to define the interesting traffic that is protected by the IPsec tunnel.

On firewall 2:

1. Define the interesting traffic that is protected by the IPsec tunnel.

access-list 101 (use the current ACL applied to your current IPsec policy) permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0

2. Do not perform NAT for traffic to the other PIX firewall.

access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0

3. Tell the PIX not to NAT any traffic deemed interesting for IPsec.

nat (inside) 0 access-list 101

Might be a good idea to upload your PIX VPN config so I can be more helpful.

Franco.



francisco_1 Sun, 03/16/2008 - 08:32
User Badges:
  • Gold, 750 points or more

I suggest you use the PIX PDM to make changes instead if you are not familiar with the CLI.

ray_stone Fri, 06/06/2008 - 03:57
User Badges:

Hi, I went with the same example above but am not able to access the Firewall 2 inside network when I am connecting to Firewall 1 by remote VPN. Now can anyone give me the solution?

Is any access-list crypto setting required?

The site-to-site tunnel is set with esp-des-md5, but when I connect to the VPN and see the status then it shows the encryption as 128 AES and the authentication as HMAC-SHA1. Thanks

ray_stone Fri, 06/06/2008 - 04:51
User Badges:

Hi, can anyone respond please... I have to resolve this issue on a priority basis. Thanks

husycisco Fri, 06/06/2008 - 05:02
User Badges:
  • Gold, 750 points or more

Hi Ray,

1) A very important detail: what you want to do is allow traffic which enters the outside interface to exit the same interface. (The VPN client at the outside interface enters that interface and exits to the VPN tunnel, which is again connected to outside.) This is called hairpinning or U-Turn. And the command which enables this is NOT! same-security-traffic permit inter-interface. It is intra-interface.

2) The exempt NAT statement should not be applied to the inside interface. This traffic never enters inside.

India

access-list outside_nat0_outbound permit ip 192.168.253.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound outside
access-list Interestingtrafficacl permit ip 192.168.253.0 255.255.255.0 192.168.10.0 255.255.255.0
same-security-traffic permit intra-interface
clear xlate

Second Firewall

access-list outside_nat0_outbound permit ip 192.168.252.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound outside
access-list Interestingtrafficacl permit ip 192.168.252.0 255.255.255.0 192.168.12.0 255.255.255.0
same-security-traffic permit intra-interface
clear xlate

If you post sanitized configs of the sites, I will do on-config corrections.

Regards

ray_stone Fri, 06/06/2008 - 05:14
User Badges:

I wasn't able to understand the following command:

same-security-traffic permit intra-interface

Thanks

ray_stone Fri, 06/06/2008 - 05:34
User Badges:

Hi, both FW configurations are attached. Here I would like to provide VPN access only on the India FW and want to access the DMZ and inside networks of the Rwanda FW. Please suggest which commands have to be added and which commands have to be removed. Thanks.
husycisco Fri, 06/06/2008 - 05:17
User Badges:
  • Gold, 750 points or more

As I explained, it will make you able to connect your VPN client, which is terminated at the outside interface of firewall1, over the tunnel to the remote VPN peer firewall2, which is also terminated at its outside interface. Simply follow the commands I posted.

Correct Answer
husycisco Fri, 06/06/2008 - 05:56
User Badges:
  • Gold, 750 points or more

India

access-list outside_nat0_outbound permit ip 192.168.13.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_nat0_outbound permit ip 192.168.13.0 255.255.255.0 192.168.51.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound outside
access-list outside_cryptomap_2 extended permit ip 192.168.13.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.13.0 255.255.255.0 192.168.51.0 255.255.255.0
clear xlate

Rwanda

access-list outside_cryptomap_1 extended permit ip 192.168.51.0 255.255.255.0 192.168.13.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.50.0 255.255.255.0 192.168.13.0 255.255.255.0

Do the above in their respective order.

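Editor's note: the two things the accepted answer and husycisco's earlier reply get right are easy to get wrong by hand, so here is a small added checker (not from the thread or from Cisco) that reads a PIX/ASA-style config fragment from each peer and verifies them: every crypto ACL entry on one side must have its mirror image on the other side, and the side that hairpins VPN-client traffic back out its outside interface needs both `same-security-traffic permit intra-interface` and a `nat (outside) 0` exemption covering each crypto ACL entry. The sample configs below are constructed from the address ranges in the accepted answer, not taken from the posted attachments; the parser only understands the `permit ip <net> <mask> <net> <mask>` ACL form (an assumption made to keep it short), and which side hairpins is passed in as a flag.

```python
import ipaddress
import re

# Constructed sample configs (not the thread's attachments), modelled on the
# accepted answer: India terminates the remote-access VPN and hairpins client
# traffic (192.168.13.0/24 pool) out its outside interface into the site-to-site
# tunnel towards Rwanda's 192.168.50.0/24 and 192.168.51.0/24.
INDIA_CFG = """
access-list outside_nat0_outbound permit ip 192.168.13.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_nat0_outbound permit ip 192.168.13.0 255.255.255.0 192.168.51.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound outside
access-list outside_cryptomap_2 extended permit ip 192.168.13.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.13.0 255.255.255.0 192.168.51.0 255.255.255.0
same-security-traffic permit intra-interface
"""

RWANDA_CFG = """
access-list outside_cryptomap_1 extended permit ip 192.168.51.0 255.255.255.0 192.168.13.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.50.0 255.255.255.0 192.168.13.0 255.255.255.0
"""

# Assumption: only 'permit ip <net> <mask> <net> <mask>' entries are parsed;
# host/any/object-group forms are ignored.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_acls(config):
    """Return {acl_name: [(src_network, dst_network), ...]} for permit-ip entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        entry = (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                 ipaddress.ip_network(f"{dst}/{dmask}", strict=False))
        acls.setdefault(name, []).append(entry)
    return acls


def nat0_acl_name(config, interface="outside"):
    """Name of the ACL bound by 'nat (<interface>) 0 access-list NAME', or None."""
    m = re.search(rf"^nat \({re.escape(interface)}\) 0 access-list (\S+)", config, re.M)
    return m.group(1) if m else None


def has_intra_interface(config):
    """True if hairpinning (same-interface in/out) is enabled."""
    return re.search(r"^same-security-traffic permit intra-interface\s*$",
                     config, re.M) is not None


def covered(entry, acl_entries):
    """True if some ACL entry's source and destination networks contain entry's."""
    src, dst = entry
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in acl_entries)


def check_pair(local_cfg, local_crypto, remote_cfg, remote_crypto, local_hairpins):
    """Return a list of findings (empty list means the pair looks consistent)."""
    findings = []
    local, remote = parse_acls(local_cfg), parse_acls(remote_cfg)
    l_entries = local.get(local_crypto, [])
    r_entries = remote.get(remote_crypto, [])

    # 1) Crypto ACLs must be mirror images, or one direction will not match a SA.
    for src, dst in l_entries:
        if not covered((dst, src), r_entries):
            findings.append(f"no mirror on remote for {src} -> {dst}")
    for src, dst in r_entries:
        if not covered((dst, src), l_entries):
            findings.append(f"no mirror on local for {src} -> {dst}")

    # 2) The hairpinning side needs intra-interface plus an outside nat0 exemption
    #    that covers every crypto ACL entry (the traffic never touches inside).
    if local_hairpins:
        if not has_intra_interface(local_cfg):
            findings.append("missing 'same-security-traffic permit intra-interface' on local")
        n0 = nat0_acl_name(local_cfg, "outside")
        if n0 is None:
            findings.append("no 'nat (outside) 0 access-list ...' on local")
        else:
            for e in l_entries:
                if not covered(e, local.get(n0, [])):
                    findings.append(f"nat0 ACL {n0} does not exempt {e[0]} -> {e[1]}")
    return findings


if __name__ == "__main__":
    # Consistent pair: prints []
    print(check_pair(INDIA_CFG, "outside_cryptomap_2", RWANDA_CFG, "outside_cryptomap_1", True))
    # Drop one Rwanda entry: the unmatched India entry is reported.
    broken = RWANDA_CFG.replace(
        "access-list outside_cryptomap_1 extended permit ip 192.168.50.0 255.255.255.0 "
        "192.168.13.0 255.255.255.0\n", "")
    print(check_pair(INDIA_CFG, "outside_cryptomap_2", broken, "outside_cryptomap_1", True))
```

Run against the two real configs, the second call is the one that reproduces the "tunnel is up but the VPN clients cannot reach the far side" symptom reported earlier in the thread: one side's crypto ACL carries the client pool, the other side's does not, so the far peer never builds an SA for that pair.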

ray_stone Fri, 06/06/2008 - 06:34
User Badges:

Thanks everyone... The problem has been solved. I appreciate...

ray_stone Fri, 06/06/2008 - 06:45
User Badges:

Hey, how can I start the ping from the VPN to the Firewall Rwanda network? Thanks

ray_stone Fri, 06/06/2008 - 22:28
User Badges:

After connecting the VPN, when I try to ping the Rwanda network the ICMP request is getting blocked, as I see in the ASDM login details. Can anyone suggest what I should do to open the ICMP request? Thanks..

husycisco Sat, 06/07/2008 - 05:30
User Badges:
  • Gold, 750 points or more

Ray,

In both India and Rwanda, add the following:

policy-map global_policy
 class inspection_default
  inspect icmp

