Solved: L2L VPN and remote access VPN

valsidalv · ‎01-27-2009

Hi,

I have 2 Cisco Pix(Pix1, Pix2) 515E(8.0.4). Between these devices exist L2L VPN, which are configured on outside interfaces. On Pix2 I configured remote access VPN on outside interace, too.

Is it possible to reach LAN behind Pix1, by using remote access VPN on Pix2 and then L2L VPN?

I don't want to configure remote access on Pix1.

Many thanks.

Regards,

Vladislav

JORGE RODRIGUEZ · ‎01-29-2009

nat (oustide) 1 140.40.30.0 255.255.255.0 ( PAT for RA vpn for internet access if u r doing full tunnel)

This is simply because I configured RA tunnel as full tunnel instead of split,nat (oustide ) 1 allows RA pool 140.40.30.0 have internet access through your ASA_SITE_B firewall and be translated with global ID 1 which is your outside interface of SA_SITE_B firewall. This has nothing to do with what you are trying to accomplish but I posted it since it was part of very common scenario. there are some instances for example in PIX 6.3 where you will need split tunnel so that the RA users can have internet access not going through the encrypted tunnel, code 6.0 does not support intra-interface feature but code 7.x above does. Other examples are some folks configure split RA tunnel for RA user be able to access their local resources in their homes like network printers etc..

It is therefore, I need to translate RA pool to 172.27.1.0/24?

no there is no address translation in place in this working scenario and you do not need to translate anything as long there is no overlapping networks in any of the SITES u do not need to translate, this scenario is completely nonat exempt as you are doing nat exempt access lists in both firewalls for the Networks involved in communicating through ASA_SITE_B tunnels.

Because, I want to see on PIX_SITE_A only IP addresses from 172.27.1.0/24, not 140.40.30.0/24. Is it possible to do it this way?

Im not clear on this question but if I think what it means it is possible but you will need to do Policy NATing but I think this will make configuration complicated , I would suggest to make this as simple as you can.

Regards

PLS rate any helpful posts if it helped

Jorge Rodriguez

View solution in original post

JORGE RODRIGUEZ · ‎01-28-2009

Vladislav,

Yes it is possible, it is all about tayloring the nonat access list and add RA Network IP scheme in your L2L acls at both sites for interesting traffic.

This link depicts a similar example which can be applied in your scenario.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

Regards

Jorge Rodriguez

Richard Burts · ‎01-28-2009

Vladislav

One important thing to remember about getting this to work is that if you use remote access to get to pix2 and then want it to forward your traffic to pix1 then you will need to enable same security level intra interface traffic.

HTH

Rick

HTH

Rick

JORGE RODRIGUEZ · ‎01-28-2009

Rick is correct as well in same sec intra interface in pix2 if RA is comming throght pix2,literally pix2 will be treated as the hub , pix1 and RA sort of as the spokes.

I had to lab this one out.

this is a fully working scenario, PIX_site_A and PIX_Site_B there is L2L tunnel, in ASA_Site_B RA comes in.

PIX_SITE_A (PIX506 6.3.5)

Inside Subnet 172.16.1.0/24

ASA_SITE_B (ASA5505 8.0.4)

Inside subnet 172.27.1.0/24

RA VPN Pool network 140.40.30.0/24

L2L Ipsec from PIX_SITE_A towards ASA_SITE_B

PIX_SITE_A

name 140.40.40.0 RA_NETWORK_ciscolab

pdm location 140.40.40.0 255.255.255.0 outside

access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 140.40.30.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 172.27.1.0 255.255.255.0

access-list outside_cryptomap_20 permit ip 172.16.1.0 255.255.255.0 140.40.30.0 255.255.255.0

access-list outside_cryptomap_20 permit ip 172.16.1.0 255.255.255.0 172.27.1.0 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl

ASA_SITE_B

access-list inside_nat0_outbound extended permit ip 140.40.30.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.27.1.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list outside_cryptomap extended permit ip 140.40.30.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list outside_cryptomap extended permit ip 172.27.1.0 255.255.255.0 172.16.1.0 255.255.255.0

RA will access PIX_SITE_A through ASA_SITE_B oustide interface L2L Ipsec tunnel you will need nat exempt acl on outside interface

would look similar to :

nat (oustide) 1 140.40.30.0 255.255.255.0 ( PAT for RA vpn for internet acces if u r doing full tunnel)

same-security-traffic permit intra-interface

I had to add nat outside 0 as I was getting portmap translation fail from PIX_SITE_A 172.16.1.x host to RA host 140.40.30.x in ASA_SITE_B

nat (outside) 0 access-list inside_nat0_outbound

As long your L2L tunnel is UP at all times RA Network 140.40.30.0/24 from ASA_SITE_B will be able to access resources on

PIX_SITE_A and vice versa

Regards

Jorge Rodriguez

valsidalv · ‎01-29-2009

Thanks, it looks good.

I have some subquestion.

1. Could you please explain me this statement?

nat (oustide) 1 140.40.30.0 255.255.255.0 ( PAT for RA vpn for internet access if u r doing full tunnel)

It is therefore, I need to translate RA pool to 172.27.1.0/24?

Because, I want to see on PIX_SITE_A only IP addresses from 172.27.1.0/24, not 140.40.30.0/24.

Is it possible to do it this way?

Vladislav

JORGE RODRIGUEZ · ‎01-29-2009

nat (oustide) 1 140.40.30.0 255.255.255.0 ( PAT for RA vpn for internet access if u r doing full tunnel)

This is simply because I configured RA tunnel as full tunnel instead of split,nat (oustide ) 1 allows RA pool 140.40.30.0 have internet access through your ASA_SITE_B firewall and be translated with global ID 1 which is your outside interface of SA_SITE_B firewall. This has nothing to do with what you are trying to accomplish but I posted it since it was part of very common scenario. there are some instances for example in PIX 6.3 where you will need split tunnel so that the RA users can have internet access not going through the encrypted tunnel, code 6.0 does not support intra-interface feature but code 7.x above does. Other examples are some folks configure split RA tunnel for RA user be able to access their local resources in their homes like network printers etc..

It is therefore, I need to translate RA pool to 172.27.1.0/24?

no there is no address translation in place in this working scenario and you do not need to translate anything as long there is no overlapping networks in any of the SITES u do not need to translate, this scenario is completely nonat exempt as you are doing nat exempt access lists in both firewalls for the Networks involved in communicating through ASA_SITE_B tunnels.

Because, I want to see on PIX_SITE_A only IP addresses from 172.27.1.0/24, not 140.40.30.0/24. Is it possible to do it this way?

Im not clear on this question but if I think what it means it is possible but you will need to do Policy NATing but I think this will make configuration complicated , I would suggest to make this as simple as you can.

Regards

PLS rate any helpful posts if it helped

Jorge Rodriguez