PIX site-to-site VPN questions

Unanswered Question
Jun 5th, 2009
Hey everyone,


We have a PIX running 7.2(1). I'm relatively new at configuring firewalls, so I'm having some issues figuring out exactly how to get it to do what I want.


Basically, we have a site-to-site VPN with a client, and we have a management PC use it to check several systems on their network. This management PC is placed on our DMZ. I have it configured to use the site-to-site VPN when it needs to access the 10.1.1.* addresses (as you can see below). Whenever it needs to access the external Internet, it is configured to not use the site-to-site. This is because they have restrictions in place on their end.


However, I can't for the life of me figure out how to allow the servers on the remote network to connect back to the management PC. The IP address of our network on their side is always 10.200.1.200, which I set using the global below. I thought I would need to set a static rule to allow it, but whenever I do this the management PC on our side can't connect to the external Internet anymore. I'm assuming this is because when I set the static it wants to send the Internet traffic across the site-to-site and it's getting denied on the other side.


So any help would be much appreciated! Below is the config file. Thanks in advance!


interface Ethernet0
nameif outside
security-level 0
ip address 11.22.33.44 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
!
...
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_cryptomap_1 extended permit ip any 192.168.2.0 255.255.255.0
access-list outside_access_out extended permit ip any any
access-list outside_access_out extended permit icmp any any
access-list dmz_nat_outbound extended permit ip 172.16.1.0 255.255.255.0 any
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list VPN-to-client extended permit ip 10.200.1.0 255.255.255.0 host 10.1.1.36
access-list VPN-to-client extended permit ip 10.200.1.0 255.255.255.0 host 10.1.1.37
access-list VPN-to-client extended permit ip 10.200.1.0 255.255.255.0 host 10.1.1.41
access-list VPN-to-client extended permit ip 10.200.1.0 255.255.255.0 host 10.1.1.42
access-list VPN-to-client extended permit ip 10.200.1.0 255.255.255.0 host 10.1.1.43
access-list VPN-to-client extended permit ip 10.200.1.0 255.255.255.0 host 10.1.1.73
access-list VPN-to-client extended permit ip 10.200.1.0 255.255.255.0 host 10.1.1.78
access-list outside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list policynat extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_out extended permit icmp any any
access-list dmz_access_out extended permit ip any any
...
nat-control
global (outside) 2 10.200.1.200 netmask 255.255.255.255
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 2 access-list policynat
nat (dmz) 1 access-list dmz_nat_outbound
nat (dmz) 3 172.16.1.0 255.255.255.0
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz
...
crypto map outside_map 30 set peer 55.44.33.22
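An added example, not from the original post or from the PIX itself: a small Python model of the PIX 7.x outbound NAT precedence (exemption, then static, then policy NAT, then dynamic NAT) applied to the posted dmz rules, plus a hypothetical static for a constructed management-PC address 172.16.1.10, to show which source address each flow is translated to and whether the crypto ACL VPN-to-client then matches it. The rule order between classes is the documented PIX/ASA 7.x order; order within a class is taken as the posted config order, and nat (dmz) 3 is omitted because the posted config has no global (outside) 3 for it.

```python
# Added example (not from the original post). Models PIX 7.x outbound NAT
# rule precedence for the poster's dmz interface; addresses are transcribed
# from the posted config except where marked as constructed/hypothetical.
import ipaddress

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

# Classes in the order the PIX evaluates them (lower number wins).
PRECEDENCE = {"exempt": 0, "static": 1, "policy": 2, "dynamic": 3}

# (class, source net, destination net or None for "any", mapped source).
# Transcribed from "nat (dmz) ..." / "global (outside) ..." in the post:
DMZ_RULES = [
    # nat (dmz) 2 access-list policynat  -> global (outside) 2 10.200.1.200
    ("policy", "172.16.1.0/24", "10.1.1.0/24", "10.200.1.200"),
    # nat (dmz) 1 access-list dmz_nat_outbound -> global (outside) 1 interface
    ("dynamic", "172.16.1.0/24", None, "11.22.33.44"),
]
# Hypothetical one-to-one static for the management PC (172.16.1.10 is a
# constructed address; the post does not give the PC's DMZ IP).
HYPOTHETICAL_STATIC = ("static", "172.16.1.10/32", None, "10.200.1.200")

def translate(src, dst, rules):
    """Return the mapped source for src->dst, or None if no rule matches.
    sorted() is stable, so rules of one class keep their config order."""
    for kind, src_net, dst_net, mapped in sorted(rules, key=lambda r: PRECEDENCE[r[0]]):
        if in_net(src, src_net) and (dst_net is None or in_net(dst, dst_net)):
            return mapped
    return None

# Crypto ACL VPN-to-client as posted: 10.200.1.0/24 -> these remote hosts.
VPN_HOSTS = {"10.1.1.36", "10.1.1.37", "10.1.1.41", "10.1.1.42",
             "10.1.1.43", "10.1.1.73", "10.1.1.78"}

def goes_through_tunnel(mapped_src, dst):
    """Crypto ACL is checked on the post-NAT source, so pass the mapped address."""
    return (mapped_src is not None
            and in_net(mapped_src, "10.200.1.0/24") and dst in VPN_HOSTS)

def trace(src, dst, rules):
    """Summarise one flow: translated source and whether it is tunnelled."""
    mapped = translate(src, dst, rules)
    return {"mapped_src": mapped, "tunnel": goes_through_tunnel(mapped, dst)}

if __name__ == "__main__":
    internet = "198.51.100.7"   # constructed Internet destination
    print("no static, to VPN host :", trace("172.16.1.10", "10.1.1.36", DMZ_RULES))
    print("no static, to Internet :", trace("172.16.1.10", internet, DMZ_RULES))
    print("with static, to Internet:", trace("172.16.1.10", internet, DMZ_RULES + [HYPOTHETICAL_STATIC]))
```

With the hypothetical static in place the model shows the Internet-bound flow leaving with source 10.200.1.200 while not matching the crypto ACL, which is the symptom worth checking on a real PIX with "show xlate" and "show crypto ipsec sa" before changing the NAT rules.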
