Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
462
Views
3
Helpful
9
Replies

VPN client access to system over a VPN tunnel

jimgrumbles
Level 1
Level 1

‎03-31-2008 07:39 AM - edited ‎02-21-2020 03:38 PM

We have a remote location with a PIX 506 that has a VPN tunnel back to an ASA5520 at headquarters. That remote PIX 506 also has a very basic VPN client setup enabled on it that I didn't implement.

Remote subnet: 172.16.50.0/24

Remote VPN client subnet: 172.16.253.0/24

Local (HQ) subnet: 192.168.1.0/24

So someone from the remote location will use the VPN client and connect to the PIX506 and get an IP on 172.16.253.0/24. It can ping anything on 172.16.50.0/24 just fine but cannot hit anything on 192.168.1.0/24, 192.168.1.13 is what I need to get it access to specifically.

Same from the other side. From 192.168.1.0/24 I cannot see anything on 172.16.253.0/24. I assume I don't have the routing totally complete from what I can tell. I tried adding the following to our ASA5520:

route inside 172.16.253.0 255.255.255.0 172.16.50.3 1

172.16.50.3 is the PIX 506's inside IP and I can ping that fine from my workstation IP of 192.168.1.240. However if I try to ping it from the ASAs IP of 192.168.1.23 it doesn't work.

I've attached some pared down configs of both devices. MTY506E.txt is the remote PIX 506 of course and the central HQ ASA is Hilliard_ASA_5520.txt

Labels:
Preview file
60 KB
0 Helpful
9 Replies 9

husycisco
Level 7
Level 7

‎03-31-2008 08:25 AM

Hi Jim,

Apply the following changes in devices mentioned.

---506---

same-security-traffic permit intra-interface

access-list outside_nat0_outboundpermit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.0

nat (outside) 0 access-list outside_nat0_outbound

no route inside 172.16.253.0 255.255.255.0 172.16.50.3 1

access-list vpn permit ip 172.16.253.0 255.255.255.0 192.168.1.0 255.255.255.0

---5520---

access-list inside_acl permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.0

access-list MTY permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.0

no route inside 172.16.253.0 255.255.255.0 172.16.50.3

In 506, you may have to issue "clear xlate" which will temporarily disconnect all sessions.

Regards

0 Helpful

jimgrumbles
Level 1
Level 1

‎03-31-2008 08:25 AM

Had the ip pool configured wrong on the 506, here is the newer config.

Preview file
18 KB
0 Helpful

husycisco
Level 7
Level 7
In response to jimgrumbles

‎03-31-2008 08:27 AM

Ahhhhhh, let me re-check....

0 Helpful

husycisco
Level 7
Level 7
In response to husycisco

‎03-31-2008 08:30 AM

Its not a big deal, still 172.16.253 . Anyway if you want to have 30 hosts as you mentioned in you pool command, you should change the netmask to 255.255.255.224.

If you do that change, make the change also in the commands I wrote above, next to 172.16.253.0

0 Helpful

husycisco
Level 7
Level 7
In response to husycisco

‎03-31-2008 08:32 AM

Here is the updated version

---506---

same-security-traffic permit intra-interface

ip local pool ippool 172.16.253.1-172.16.253.30 mask 255.255.255.224

access-list outside_nat0_outboundpermit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.224

nat (outside) 0 access-list outside_nat0_outbound

no route inside 172.16.253.0 255.255.255.0 172.16.50.3 1

access-list vpn permit ip 172.16.253.0 255.255.255.224 192.168.1.0 255.255.255.0

no access-list nonat permit ip 172.16.50.0 255.255.255.0 172.16.253.0 255.255.255.0

no access-list nonat permit ip 172.16.51.0 255.255.255.0 172.16.253.0 255.255.255.0

no access-list nonat permit ip 172.16.52.0 255.255.255.0 172.16.253.0 255.255.255.0

access-list nonat permit ip 172.16.50.0 255.255.255.0 172.16.253.0 255.255.255.224

access-list nonat permit ip 172.16.51.0 255.255.255.0 172.16.253.0 255.255.255.224

access-list nonat permit ip 172.16.52.0 255.255.255.0 172.16.253.0 255.255.255.224

---5520---

access-list inside_acl permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.224

access-list MTY permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.224

no route inside 172.16.253.0 255.255.255.0 172.16.50.3

Edited...

0 Helpful

jimgrumbles
Level 1
Level 1
In response to husycisco

‎03-31-2008 08:57 AM

Wow, lightning fast responses. I appreciate it.

Here is what happened when I entered the new nat statement:

MONTERREY-MX-506(config)# nat (outside) 0 access-list outside_nat0_outbound

WARNING: Specified interface is lowest security interface. This statement

WARNING: is not applicable to any traffic.

Also, the same-security-traffic permit intra-interface doesn't seem to work on the PIX 506. It's running 6.3(5).

0 Helpful

husycisco
Level 7
Level 7
In response to jimgrumbles

‎03-31-2008 09:07 AM

Hmm.. try this

nat (outside) 0 access-list outside_nat0_outbound outside

"Also, the same-security-traffic permit intra-interface doesn't seem to work on the PIX 506. It's running 6.3(5)."

Ah... You have to upgrade the IOS, or you can not achieve what you want. Upgrade your IOS in 506 to 7.2

jimgrumbles
Level 1
Level 1
In response to husycisco

‎03-31-2008 10:11 AM

Darn, I thought that might be the case. Just looked at the PIX 7.0 release notes and it doesn't look like the 506 is supported for anything beyond 6.3:

http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html#wp1752751

0 Helpful

husycisco
Level 7
Level 7
In response to jimgrumbles

‎03-31-2008 10:33 AM

=( correct. You cant achieve what you want with that equipment. I was going to suggest sub interfacing but again it is not supported in 6.3.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents