06-05-2008 11:50 AM - edited 03-11-2019 05:55 AM
Please see my config below. I have 2 site to site VPNs set up and a pool of Remote VPN users. The site to site VPNs have overlapping private network ranges (192.168.1.x) with my private range which I use for both the hosts that sit behind my firewall as well as the remote users (bad practice I know, I'll correct it soon). I've successfully allowed the Site to Site VPN users to access the PUBLIC IP address of 2 specific hosts behind my pix. My remote VPN users can access the 2 specific hosts via the PRIVATE IP addresses only. All other public traffic to the two hosts should be blocked. The problem is, I want the Remote VPN hosts to access these 2 specific hosts by using the public IP address via the VPN tunnel...if I do this now, it uses the internet to resolve the IP and thus gets blocked since no outside traffic is allowed to those hosts. How can I make the traffic to the two hosts go over my remote VPN instead of the internet when split tunneling?
06-05-2008 11:54 AM
PIX Version 7.0(7)
!
hostname XXXX
domain-name XXXX
enable password xxx
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
passwd xxx
banner login Enter your password!
boot system flash:/image.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list internal standard permit any
access-list ACL_OUT extended permit ip 192.168.1.0 255.255.255.0 host HOST-A-PUBLIC-IP
access-list ACL_OUT extended permit ip 192.168.1.0 255.255.255.0 host HOST-B-PUBLIC-IP
access-list inside_nat0_outbound extended permit ip host 192.168.1.7 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.1.4 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.1.3 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.1.2 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.1.6 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.1.5 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.1.10 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.1.9 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host HOST-A-PUBLIC-IP
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host HOST-B-PUBLIC-IP
access-list Reg_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Reg_splitTunnelAcl standard permit host HOST-A-PUBLIC-IP
access-list Reg_splitTunnelAcl standard permit host HOST-B-PUBLIC-IP
access-list INBOUND extended permit esp any interface outside
access-list outside_cryptomap_20 extended permit ip host 192.168.1.9 host XXX
access-list outside_cryptomap_20 extended permit ip host 192.168.1.10 host XXX
access-list outside_cryptomap_20 extended permit ip host 192.168.1.9 host XXX
access-list outside_cryptomap_20 extended permit ip host 192.168.1.10 host XXX
access-list outside_cryptomap_20 extended permit ip host 192.168.1.10 host XXX
access-list outside_cryptomap_20 extended permit ip host 192.168.1.9 host XXX
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 host HOST-A-PUBLIC-IP
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 host HOST-B-PUBLIC-IP
access-list outside_cryptomap_40 extended permit ip host 192.168.1.9 host XX
access-list outside_cryptomap_40 extended permit ip host 192.168.1.9 host XXX
access-list outside_cryptomap_40 extended permit ip host 192.168.1.10 host XXX
access-list outside_cryptomap_40 extended permit ip host 192.168.1.10 host XXX
06-05-2008 11:55 AM
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 192.168.1.100-192.168.1.150 mask 255.255.255.0
asdm image flash:/asdm-507.bin
asdm location 192.168.1.9 255.255.255.255 inside
asdm location 192.168.1.10 255.255.255.255 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (outside) 1 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) XXX 192.168.1.7 netmask 255.255.255.255
static (inside,outside) XXX 192.168.1.5 netmask 255.255.255.255
static (inside,outside) XXX 192.168.1.4 netmask 255.255.255.255
static (inside,outside) XXX 192.168.1.3 netmask 255.255.255.255
static (inside,outside) XXX 192.168.1.2 netmask 255.255.255.255
static (inside,outside) XXX 192.168.1.6 netmask 255.255.255.255
static (inside,outside) HOST-A-PUBLIC-IP 192.168.1.9 netmask 255.255.255.255
static (inside,outside) HOST-B-PUBLIC-IP 192.168.1.10 netmask 255.255.255.255
access-group ACL_OUT in interface outside
route outside 0.0.0.0 0.0.0.0 XXXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy Reg internal
group-policy Reg attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Reg_splitTunnelAcl
username User1 password xxx encrypted privilege 0
username User1 attributes
vpn-group-policy Reg
group-lock value Reg
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
06-05-2008 11:56 AM
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 86400
crypto dynamic-map dynmap 30 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 50 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 70 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 90 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 110 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 130 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 150 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 170 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 190 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 210 set transform-set ESP-3DES-SHA
crypto map mymap 20 match address outside_cryptomap_20
crypto map mymap 20 set peer XXX
crypto map mymap 20 set transform-set ESP-AES-256-SHA
crypto map mymap 40 match address outside_cryptomap_40
crypto map mymap 40 set peer XXX
crypto map mymap 40 set transform-set ESP-AES-256-SHA
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) none
tunnel-group Reg type ipsec-ra
tunnel-group Reg general-attributes
address-pool vpnpool
default-group-policy Reg
tunnel-group Reg ipsec-attributes
pre-shared-key *
tunnel-group XXX type ipsec-l2l
tunnel-group XXX ipsec-attributes
pre-shared-key *
tunnel-group XXX type ipsec-l2l
tunnel-group XXX ipsec-attributes
pre-shared-key *
no tunnel-group-map enable peer-ip
tunnel-group-map default-group DefaultL2LGroup
telnet timeout 5
ssh XXX 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 1
console timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
ntp server XXX source outside
Cryptochecksum:xxxca
06-06-2008 05:44 PM
Hi Colin,
You should immediately clean up this mess. Add the following in respective order
ip local pool vpn_pool 192.168.30.1-192.168.30.254 mask 255.255.255.0
tunnel-group Reg type ipsec-ra
tunnel-group Reg general-attributes
no address-pool vpnpool
address-pool vpn_pool
no ip local pool vpnpool 192.168.1.100-192.168.1.150 mask 255.255.255.0
no access-list Reg_splitTunnelAcl standard permit host HOST-A-PUBLIC-IP
no access-list Reg_splitTunnelAcl standard permit host HOST-B-PUBLIC-IP
no access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
Regards
06-06-2008 06:31 PM
Why don't you add these hosts to the split-dns configuration? (IF clients are putting in the public hostname)
Else if they are using the IPs directly, this could cover it:
access-list Reg_splitTunnelAcl standard permit host HOST-A-PUBLIC-IP
access-list Reg_splitTunnelAcl standard permit host HOST-B-PUBLIC-IP
Regards
Farrukh
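An added example (not from this thread, Cisco, or either reply) that models the two points the replies make: which destinations the client will push into the tunnel according to Reg_splitTunnelAcl, and whether the remote-access pool collides with the inside subnet, which is why the first reply moves it to 192.168.30.0/24. The config excerpt is constructed in the style of the posted config, and 203.0.113.10 stands in for the thread's HOST-A-PUBLIC-IP placeholder.

```python
import ipaddress
import re

# Constructed excerpt in the style of the posted PIX config. 203.0.113.10 stands in
# for the thread's HOST-A-PUBLIC-IP placeholder (documentation range, not a real host).
ORIGINAL_CFG = """\
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list Reg_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Reg_splitTunnelAcl standard permit host 203.0.113.10
ip local pool vpnpool 192.168.1.100-192.168.1.150 mask 255.255.255.0
"""
# Same excerpt with the pool moved off the inside subnet, as the first reply suggests.
FIXED_CFG = ORIGINAL_CFG.replace("192.168.1.100-192.168.1.150", "192.168.30.1-192.168.30.254")

SPLIT_RE = re.compile(r"^access-list (\S+) standard permit (?:host (\S+)|(\S+) (\S+))$", re.M)
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask", re.M)
INSIDE_RE = re.compile(r"nameif inside\n(?: .*\n)*? ip address (\S+) (\S+)")

def split_tunnel_networks(cfg, acl):
    """Networks the client routes into the tunnel; anything else goes straight to the internet."""
    nets = []
    for name, host, net, mask in SPLIT_RE.findall(cfg):
        if name == acl:
            nets.append(ipaddress.ip_network(f"{host}/32" if host else f"{net}/{mask}"))
    return nets

def is_tunneled(dest, nets):
    """Client-side decision: a destination inside any split-tunnel network is sent via the VPN."""
    return any(ipaddress.ip_address(dest) in n for n in nets)

def pool_overlaps_inside(cfg):
    """True if any address in the VPN pool also falls inside the inside interface's subnet."""
    first, last = POOL_RE.search(cfg).groups()
    ip, mask = INSIDE_RE.search(cfg).groups()
    inside = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    pool = ipaddress.summarize_address_range(ipaddress.ip_address(first), ipaddress.ip_address(last))
    return any(p.overlaps(inside) for p in pool)

if __name__ == "__main__":
    nets = split_tunnel_networks(ORIGINAL_CFG, "Reg_splitTunnelAcl")
    for dest in ("203.0.113.10", "192.168.1.9", "8.8.8.8"):
        print(dest, "-> tunnel" if is_tunneled(dest, nets) else "-> internet")
    print("pool overlaps inside (original):", pool_overlaps_inside(ORIGINAL_CFG))
    print("pool overlaps inside (fixed):   ", pool_overlaps_inside(FIXED_CFG))
```

With the public host listed in the split-tunnel ACL the client does route it into the tunnel; the overlap check shows why return traffic from 192.168.1.x hosts to a 192.168.1.100-150 client is still unreliable until the pool is moved.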