site to site vpn tunnel allowing remote site access to server

c-drozd
Level 1

The remote PIX needs to access my local server 192.168.0.9, and I am not quite sure how to configure this. Below is the e-mail received from the remote tech. My PIX config is also attached.

I'm attempting to ping your NAT'd IP address and this is unreachable on our end. Please be sure that your security device allows traffic initiated from remote.


andrew.prince
Level 10

I am confused by your config:-

access-list cryacl permit ip host 172.24.176.9 host 192.168.50.83

access-list cryacl permit ip host 172.24.176.9 host 192.168.50.86

global (outside) 1 172.24.176.9

The above states that the source network of 172.24.176.9 to 192.168.50.83 & .86 can initiate the VPN from the PIX - BUT: ip address inside 192.168.0.254 255.255.255.0

You do not have a local 172.24.176.0/24 - this is a global NAT from the inside to the outside. You cannot do this.

access-list policynat permit ip 192.168.0.0 255.255.255.0 host 192.168.50.83

access-list policynat permit ip 192.168.0.0 255.255.255.0 host 192.168.50.86

nat (inside) 1 access-list policynat 0 0

This config states to not nat traffic from 192.168.0.0 to 192.168.50.83 & 192.168.50.86 - this will work for the VPN. But the VPN cannot establish because the first config is wrong.

Change:-

access-list cryacl permit ip host 172.24.176.9 host 192.168.50.83

access-list cryacl permit ip host 172.24.176.9 host 192.168.50.86

to

access-list cryacl permit ip 192.168.0.0 255.255.255.0 host 192.168.50.83

access-list cryacl permit ip 192.168.0.0 255.255.255.0 host 192.168.50.86

And re-test.

The VPN tunnel works fine from 192.168.0.0 to the remote site and I am able to access the two servers. The problem is that the remote cannot ping my server 192.168.0.9. What would I need to do for the remote site to be able to ping?

Post the output of

"show crypto ipsec sa"

Note: the first "show cry isa sa" is before accessing a web server on the remote side. The second "show cry isa sa" is after accessing the web server on the remote site.

meyerpix# show cry isa sa

Total : 0

Embryonic : 0

dst src state pending created

meyerpix# show cry isa sa

Total : 1

Embryonic : 0

dst src state pending created

66.179.80.108 216.159.229.146 QM_IDLE 0 1

meyerpix#

Hi

During the VPN connection, internal IPs are NATted to 172.24.176.9. This is PAT, and that is why there is no issue in accessing the remote servers.

But when remote people try to access your local IPs, the PIX is unable to find any suitable NAT entry for that.

So better make a static NAT for 192.168.0.9 and ask remote users to access the NATted IP.

It will work.

It is a NAT problem.

Rate the needful posts.

I am not quite sure; is this what I need for the remote site to access my local server 192.168.0.9?

access-list inbound permit tcp host 192.168.50.83 host xxx.xxx.229.147 eq 80

access-list inbound permit tcp host 192.168.50.86 host xxx.xxx.229.147 eq 80

static (inside,outside) XXX.XXX.229.147 192.168.0.9 netmask 255.255.255.255 0 0

access-group inbound in interface outside
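An added example, not from this thread or from Cisco, that models the NAT lookup behaviour described in the replies above in Python: the policy PAT builds translation entries only for outbound traffic to the two remote hosts, so a new inbound connection to 192.168.0.9 finds no translation until a static exists. The mapped address 203.0.113.147 and the LAN client 192.168.0.20 are constructed stand-ins; the rest of the addresses are the thread's.

```python
import ipaddress
INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")
REMOTE_HOSTS = {"192.168.50.83", "192.168.50.86"}  # policynat / cryacl destinations
PAT_GLOBAL = "172.24.176.9"                         # global (outside) 1
SERVER = "192.168.0.9"
STATIC_MAPPED = "203.0.113.147"  # constructed stand-in for XXX.XXX.229.147

class PixNat:  # lookups in the order PIX 6.x applies them: statics, then the xlate table
    def __init__(self):
        self.statics = {}   # mapped address -> real address
        self.xlates = {}    # (real, port) -> (mapped, port), created by outbound PAT
        self.next_port = 1024

    def add_static(self, mapped, real):
        self.statics[mapped] = real

    def outbound(self, src, sport, dst):
        """Inside -> outside. Policy PAT only fires for policynat traffic."""
        if ipaddress.ip_address(src) in INSIDE_NET and dst in REMOTE_HOSTS:
            if (src, sport) not in self.xlates:
                self.xlates[(src, sport)] = (PAT_GLOBAL, self.next_port)
                self.next_port += 1
            return self.xlates[(src, sport)]
        return None

    def inbound(self, dst, dport):
        """Outside -> inside. Without a static, only replies to live xlates match."""
        if dst in self.statics:
            return self.statics[dst], dport
        for real, mapped in self.xlates.items():
            if mapped == (dst, dport):
                return real
        return None  # no translation found -> the PIX drops the packet

def remote_can_reach_server(pix):
    """True if a new connection from the remote site lands on 192.168.0.9."""
    pix.outbound("192.168.0.20", 40000, "192.168.50.83")  # LAN browsing builds PAT xlates
    target = STATIC_MAPPED if STATIC_MAPPED in pix.statics else PAT_GLOBAL
    hit = pix.inbound(target, 80)
    return hit is not None and hit[0] == SERVER

def demo():
    pix = PixNat()
    before = remote_can_reach_server(pix)   # False: only PAT xlates exist
    pix.add_static(STATIC_MAPPED, SERVER)   # static (inside,outside) MAPPED 192.168.0.9
    return before, remote_can_reach_server(pix)  # (False, True)

if __name__ == "__main__":
    print(demo())
```

The static alone creates the translation; the outside access-list still has to permit the remote hosts to the mapped address, and the crypto ACL on both peers has to cover it for the traffic to ride the tunnel.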
