site to site vpn tunnel allowing remote site access to server

Unanswered Question
Oct 25th, 2008

The remote PIX needs to access my local server 192.168.0.9, and I am not quite sure how to configure it. Below is the e-mail received from the remote tech. Also my PIX config is attached.

I'm attempting to ping your NAT'd IP address and this is unreachable on our end. Please be sure that your security device allows traffic initiated from remote.


I am confused by your config:

access-list cryacl permit ip host 172.24.176.9 host 192.168.50.83
access-list cryacl permit ip host 172.24.176.9 host 192.168.50.86
global (outside) 1 172.24.176.9

The above states the source network of 172.24.176.9 to 192.168.50.83 & 86 can initiate the VPN from the PIX - BUT ip address inside 192.168.0.254 255.255.255.0

You do not have a local 172.24.176.0/24 - this is a global NAT from the inside to the outside. You cannot do this.

access-list policynat permit ip 192.168.0.0 255.255.255.0 host 192.168.50.83
access-list policynat permit ip 192.168.0.0 255.255.255.0 host 192.168.50.86
nat (inside) 1 access-list policynat 0 0

This config states to not nat traffic from 192.168.0.0 to 192.168.50.83 & 192.168.50.86 - this will work for the VPN. But the VPN cannot establish because the first config is wrong.

Change:

access-list cryacl permit ip host 172.24.176.9 host 192.168.50.83
access-list cryacl permit ip host 172.24.176.9 host 192.168.50.86

to

access-list cryacl permit ip 192.168.0.0 255.255.255.0 host 192.168.50.83
access-list cryacl permit ip 192.168.0.0 255.255.255.0 host 192.168.50.86

And re-test.


c-drozd Sun, 10/26/2008 - 12:59

The VPN tunnel works fine from 192.168.0.0 to the remote site and I am able to access the two servers. The problem is the remote cannot ping my server 192.168.0.9. What would I need to do for the remote site to be able to ping it?

c-drozd Mon, 10/27/2008 - 09:51

Note the first show cry isa sa is before accessing a web server on the remote side. The second show cry isa sa is after accessing the web server on the remote site.

meyerpix# show cry isa sa
Total : 0
Embryonic : 0
dst src state pending created

meyerpix# show cry isa sa
Total : 1
Embryonic : 0
dst src state pending created
66.179.80.108 216.159.229.146 QM_IDLE 0 1
meyerpix#

psureshrao Mon, 10/27/2008 - 04:04

Hi,

During the VPN connection, internal IPs are NATted to 172.24.176.9. This is PAT, and that is why there is no issue in accessing the remote servers.

But when remote people are trying to access your local IPs, the PIX is unable to find any suitable NAT entry for that.

So better make a static NAT for 192.168.0.9 and ask remote users to access the NATted IP.

It will work. It is a NAT problem.

Rate the needful posts.

c-drozd Tue, 10/28/2008 - 17:02

I am not quite sure; is this what I need for the remote to access my local server 192.168.0.9?

access-list inbound permit ip xxx.xxx.229.147 192.168.0.9 eq 80
static (inside,outside) XXX.XXX.229.147 192.168.0.9 netmask 255.255.255.255 0 0
access-group inbound in interface outside
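As an added illustration that is not from this thread or any of its posters, here is a small Python model of how the quoted PIX fragments decide whether a remote host can open a connection to 192.168.0.9: dynamic/policy PAT only creates translations for inside-initiated traffic, while a static translation is usable in both directions, and in either case the crypto ACL must cover the translated address. The `FIX` block and the address 172.24.176.10 are constructed placeholders, not config from the thread.

```python
import ipaddress

# Constructed sample: the PIX fragments quoted in this thread (policy PAT to 172.24.176.9).
BASE_CONFIG = """
access-list cryacl permit ip host 172.24.176.9 host 192.168.50.83
access-list cryacl permit ip host 172.24.176.9 host 192.168.50.86
access-list policynat permit ip 192.168.0.0 255.255.255.0 host 192.168.50.83
access-list policynat permit ip 192.168.0.0 255.255.255.0 host 192.168.50.86
global (outside) 1 172.24.176.9
nat (inside) 1 access-list policynat 0 0
"""
# Constructed fix: a static (bidirectional) translation for the server plus a matching
# crypto ACL entry. 172.24.176.10 is a placeholder address, not from the thread.
FIX = """
static (inside,outside) 172.24.176.10 192.168.0.9 netmask 255.255.255.255 0 0
access-list cryacl permit ip host 172.24.176.10 host 192.168.50.83
"""

def _net(tokens):
    """Consume 'host A' or 'A MASK' from a token list; return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse(config):
    acls, statics, policy = {}, {}, []      # only 'permit ip' ACLs are modelled
    for t in (l.split() for l in config.splitlines() if l.strip()):
        if t[0] == "access-list":                  # access-list NAME permit ip SRC DST
            src, rest = _net(t[4:])
            acls.setdefault(t[1], []).append((src, _net(rest)[0]))
        elif t[0] == "static":                     # static (in,out) GLOBAL LOCAL ...
            statics[ipaddress.ip_address(t[3])] = ipaddress.ip_address(t[2])
        elif t[0] == "nat" and t[2] != "0" and t[3] == "access-list":
            policy.append(t[4])                    # dynamic PAT: outbound-initiated only
    return acls, statics, policy

def remote_can_initiate(config, remote_ip, local_ip):
    """Simplified PIX model: can remote_ip open a connection to local_ip over the tunnel?"""
    acls, statics, policy = parse(config)
    remote, local = ipaddress.ip_address(remote_ip), ipaddress.ip_address(local_ip)
    if local in statics:
        outside = statics[local]                   # static NAT is valid in both directions
    elif any(local in s and remote in d for n in policy for s, d in acls.get(n, [])):
        return False, "dynamic PAT only: a translation exists only after an inside host talks first"
    else:
        outside = local                            # nat 0 / no NAT: real address on the wire
    # the crypto ACL is written from the local side; the remote peer's mirror must match it
    if not any(outside in s and remote in d for s, d in acls.get("cryacl", [])):
        return False, f"no cryacl entry covering {outside} -> {remote}"
    return True, f"reachable at translated address {outside}"
```

With the thread's original fragments the check fails on the PAT rule; adding the static alone still fails until the crypto ACL also names the translated address.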
