03-14-2008 11:30 PM - edited 03-11-2019 05:18 AM
Hi, we have configured PIX firewalls on two sites, both connected by a tunnel, and everything is working fine. We have also configured remote VPN on both firewalls and set the DHCP range of the remote VPN to be different from the inside network, and configured exempt traffic between the VPN and the inside network on both firewalls. But now I want the VPN client nodes to access the other firewall's inside network as well. Details are given below:
1) First firewall (India) conf:
Inside 192.168.12.0/24
Outside *.*.*.*
VPN DHCP range 192.168.253.0/24
2) Second firewall conf:
Inside 192.168.10.0/24
Outside ****
VPN DHCP range 192.168.252.0/24
Now what configuration should I make so that the VPN clients of the first firewall are able to access the other firewall's network? And is it possible on the PIX 500 series or ASA series? Thanks
03-15-2008 06:04 AM
Can anyone reply?
03-16-2008 06:04 AM
Definitely possible. It's called hairpin. You can do it with PIX or ASA in version 7.x or higher.
CCIE Security
03-16-2008 08:31 AM
Firstly, make sure the tunnel is active between both firewalls and that both firewalls can ping each other's inside interface.
Since your IPsec tunnel already exists between your PIXes, you only need to define the traffic you are interested in on the IPsec tunnel between your PIXes.
For example, to allow the first firewall's VPN clients (192.168.253.0/24) to access firewall 2's inside network (192.168.10.0/24), you will need to define the interesting traffic that is protected by the IPsec tunnel.
On firewall 2:
1. Define the interesting traffic that is protected by the IPsec tunnel.
access-list 101 (use the current ACL applied to your current IPsec policy) permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0
2. Do not perform NAT for traffic to the other PIX firewall.
access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0
3. Tell the PIX not to NAT any traffic deemed interesting for IPsec.
nat (inside) 0 access-list 101
It might be a good idea to upload your PIX VPN config so I can be more helpful.
Franco.
03-16-2008 08:32 AM
I suggest you use the PIX PDM to make changes instead, if you are not familiar with the CLI.
06-06-2008 03:57 AM
Hi, I went with the same example above but am not able to access the firewall 2 inside network when I am connected to firewall 1 by remote VPN. Can anyone give me the solution?
Is any access-list or crypto setting required?
The site-to-site tunnel is set with esp-des-md5, but when I connect to the VPN and look at the status, it shows encryption 128 AES and authentication HMAC-SHA1. Thanks
06-06-2008 04:51 AM
Hi, can anyone respond please... I have to resolve this issue on a priority basis. Thanks
06-06-2008 05:02 AM
Hi Ray,
1) A very important detail: what you want to do is allow traffic which enters the outside interface to exit the same interface (the VPN client enters on the outside interface and exits to the VPN tunnel, which is again on the outside). This is called hairpinning or U-turn. And the command which enables this is NOT same-security-traffic permit inter-interface. It is intra-interface.
2) The exempt NAT statement should not be applied to the inside interface. This traffic never enters inside.
India
access-list outside_nat0_outbound permit ip 192.168.253.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound outside
access-list Interestingtrafficacl permit ip 192.168.253.0 255.255.255.0 192.168.10.0 255.255.255.0
same-security-traffic permit intra-interface
clear xlate
Second Firewall
access-list outside_nat0_outbound permit ip 192.168.252.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound outside
access-list Interestingtrafficacl permit ip 192.168.252.0 255.255.255.0 192.168.12.0 255.255.255.0
same-security-traffic permit intra-interface
clear xlate
If you post sanitized config of sites, I will do on-config corrections
Regards
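The post above gives the hairpin entries for one direction on each firewall. The following is an added example, not code from the thread or from Cisco: a small Python script that renders the same kind of entries for both sites from the subnets the original poster listed, and then checks the two things that usually break a setup like this, namely that every crypto-map entry has its mirror image on the peer (phase 2 proxy IDs must match exactly) and that every crypto-map entry is covered by a nat 0 exemption. The ACL names (outside_nat0_outbound, inside_nat0_outbound, outside_cryptomap_N) are the ones used in the thread; that a site-to-site crypto map and a remote-access group already exist on each PIX/ASA is assumed. The firewall does not run Python; the script only produces and audits the configuration lines.

```python
"""Added example (not from the thread): render the hairpin entries the
05:02 AM post describes for both PIX/ASA sites and sanity-check them.

Assumptions: subnets are the ones the poster gave; ACL names are the ones
that appear in the thread; the site-to-site crypto map and the
remote-access VPN already exist on both firewalls.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]

# Subnets as posted (first firewall = India, second firewall = the peer).
INDIA = {"inside": Net("192.168.12.0/24"), "pool": Net("192.168.253.0/24")}
SITE2 = {"inside": Net("192.168.10.0/24"), "pool": Net("192.168.252.0/24")}

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)


def acl_line(name: str, src: Net, dst: Net, extended: bool = False) -> str:
    """Render one 'permit ip <src> <mask> <dst> <mask>' entry in PIX syntax."""
    kw = "extended permit" if extended else "permit"
    return (f"access-list {name} {kw} ip {src.network_address} {src.netmask} "
            f"{dst.network_address} {dst.netmask}")


def hairpin_config(local: Dict[str, Net], peer: Dict[str, Net], crypto_acl: str) -> List[str]:
    """Lines to add on one firewall so its VPN clients reach the peer's LAN
    (and the local LAN reaches the peer's VPN clients)."""
    pool, inside = local["pool"], local["inside"]
    return [
        # Client -> remote LAN arrives on outside and must leave on outside
        # (U-turn), so the NAT exemption is bound to the outside interface...
        acl_line("outside_nat0_outbound", pool, peer["inside"]),
        "nat (outside) 0 access-list outside_nat0_outbound outside",
        # ...and same-interface forwarding has to be switched on.
        "same-security-traffic permit intra-interface",
        # Local LAN -> remote VPN clients arrives on inside: ordinary nat 0.
        acl_line("inside_nat0_outbound", inside, peer["pool"]),
        "nat (inside) 0 access-list inside_nat0_outbound",
        # Both flows must also be 'interesting' to the site-to-site crypto map.
        acl_line(crypto_acl, pool, peer["inside"], extended=True),
        acl_line(crypto_acl, inside, peer["pool"], extended=True),
    ]


def parse_acl(lines: List[str], name: str) -> List[Pair]:
    """Collect (src, dst) network pairs of the named ACL's 'permit ip' entries."""
    pairs: List[Pair] = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if m and m.group("name") == name:
            pairs.append((Net(f"{m.group('src')}/{m.group('smask')}"),
                          Net(f"{m.group('dst')}/{m.group('dmask')}")))
    return pairs


def mirror_mismatches(local: List[Pair], remote: List[Pair]) -> List[Pair]:
    """Local crypto entries whose mirror image (dst, src) the peer lacks.
    IPsec phase 2 proxy IDs must match exactly, so each hit is a flow that
    will never get a security association."""
    remote_set = set(remote)
    return [(s, d) for s, d in local if (d, s) not in remote_set]


def nat_exempt_gaps(crypto: List[Pair], nat0: List[Pair]) -> List[Pair]:
    """Crypto entries no nat 0 entry covers: that traffic would be translated
    to the outside address first and then fail to match the crypto ACL."""
    return [(s, d) for s, d in crypto
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)]


def flow_interfaces(site: Dict[str, Net], src: str, dst: str) -> Tuple[str, str]:
    """(ingress, egress) interface as this firewall sees a packet; anything
    that is not the local LAN (VPN pool, peer site) sits behind outside."""
    def iface(addr: str) -> str:
        return "inside" if ipaddress.IPv4Address(addr) in site["inside"] else "outside"
    return iface(src), iface(dst)


if __name__ == "__main__":
    india = hairpin_config(INDIA, SITE2, "outside_cryptomap_2")
    site2 = hairpin_config(SITE2, INDIA, "outside_cryptomap_1")
    print("\n".join(["! India"] + india + ["! Second firewall"] + site2))
    c_in = parse_acl(india, "outside_cryptomap_2")
    c_s2 = parse_acl(site2, "outside_cryptomap_1")
    print("mirror mismatches:", mirror_mismatches(c_in, c_s2))
    print("client->remote LAN path on India:",
          flow_interfaces(INDIA, "192.168.253.10", "192.168.10.20"))
```

Running the script prints the lines for both sites and an empty mismatch list. Feeding parse_acl a one-sided configuration (only the client-to-LAN entry on one firewall, with nothing on the peer) makes mirror_mismatches report that entry, which is the symptom behind "tunnel is up but the clients still cannot reach the other LAN". flow_interfaces makes the hairpin visible: a client-to-remote-LAN packet enters and leaves on outside, which is exactly why same-security-traffic permit intra-interface is required and why the exemption is nat (outside) 0 rather than nat (inside) 0.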
06-06-2008 05:14 AM
I am not able to understand the following command:
same-security-traffic permit intra-interface
Thanks
06-06-2008 05:34 AM
Please respond asap.
06-06-2008 05:17 AM
As I explained, it enables your VPN client, which is terminated at the outside interface of firewall1, to connect over the tunnel to the remote VPN peer firewall2, which is also terminated at the outside interface. Simply follow the commands I posted.
06-06-2008 05:56 AM
India
access-list outside_nat0_outbound permit ip 192.168.13.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_nat0_outbound permit ip 192.168.13.0 255.255.255.0 192.168.51.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound outside
access-list outside_cryptomap_2 extended permit ip 192.168.13.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.13.0 255.255.255.0 192.168.51.0 255.255.255.0
clear xlate
Rwanda
access-list outside_cryptomap_1 extended permit ip 192.168.51.0 255.255.255.0 192.168.13.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.50.0 255.255.255.0 192.168.13.0 255.255.255.0
Do the above in their respective order
06-06-2008 06:34 AM
Thanks everyone... The problem has been solved. I appreciate it...
06-06-2008 06:36 AM
You are welcome :)