Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
502
Views
0
Helpful
3
Replies

No access to Internet from remote network over the IPSec tunnel

zheka_pefti
Level 2
Level 2

‎10-08-2009 09:41 AM - edited ‎02-21-2020 04:21 PM

Hi folks,

I wish someone poke a finger at where I made a mistake in configuring a pair of firewalls for site-to-site VPN.

The tunnel is on and traffic freely flows between two remote networks. The only thing is that one remote network (Site B) can't access Internet through the gateway device located at the other site. (Site A)

Here's the extract from the PIX at site B which doesn't have access to internet:

interface Ethernet0

nameif outside

security-level 0

ip address 10.10.20.2 255.255.255.252

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.3.253 255.255.255.0

access-list NONAT extended permit ip any any

access-list VPN extended permit ip any any

nat (inside) 0 access-list NONAT

route outside 0.0.0.0 0.0.0.0 10.10.20.1 1

crypto ipsec transform-set SET1 esp-aes-192 esp-sha-hmac

crypto map MAP1 1 match address VPN

crypto map MAP1 1 set peer 10.10.20.1

crypto map MAP1 1 set transform-set SET1

crypto map MAP1 interface outside

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption aes

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

isakmp nat-traversal 30

tunnel-group 10.10.20.1 type ipsec-l2l

tunnel-group 10.10.20.1 ipsec-attributes

pre-shared-key *

And this is the portion of the PIX config from the site A which is connected to Internet:

interface Ethernet0

nameif outside

security-level 0

ip address 10.10.20.1 255.255.255.252

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.243 255.255.255.0

access-list NONAT extended permit ip any any

access-list VPN extended permit ip any any

route outside 192.168.3.0 255.255.255.0 10.10.20.2 1

route inside 0.0.0.0 0.0.0.0 192.168.1.251 1

nat (inside) 0 access-list NONAT

crypto ipsec transform-set SET1 esp-aes-192 esp-sha-hmac

crypto map MAP1 1 match address VPN

crypto map MAP1 1 set peer 10.10.20.2

crypto map MAP1 1 set transform-set SET1

crypto map MAP1 interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 30

tunnel-group 10.10.20.2 type ipsec-l2l

tunnel-group 10.10.20.2 ipsec-attributes

pre-shared-key *

As far as I understand the traffic destined to Internet enters the tunnel at site B via PIX and gets lost.

i.e. I can reach internet from the PIX at site A but can't reach internet from PIX at the site B while sourcing my pings from inside interface.

192.168.1.251 is the device connected to Internet at site A.

Help please!!!

Labels:
0 Helpful
3 Replies 3

auraza
Cisco Employee
Cisco Employee

‎10-08-2009 10:18 AM

If you're using 6.x code on the PIX, this won't work, as you can't come in the same interface and leave out the same interface. With 7.x or higher, you have the option of using same-security permit intra-interface with a "nat (outside) / global (outside)" pair

0 Helpful

acomiskey
Level 10
Level 10

‎10-08-2009 10:36 AM

You've defined your tunnel traffic as any any which means all traffic from B will go over tunnel to A, but also means all traffic from A will go over tunnel to B. It would work better like this...

Site B

access-list NONAT extended permit ip 192.168.3.0 255.255.255.0 any

access-list VPN extended permit ip 192.168.3.0 255.255.255.0 any

Site A

access-list NONAT extended permit ip any 192.168.3.0 255.255.255.0

access-list VPN extended permit ip any 192.168.3.0 255.255.255.0

same-security-traffic permit intra-interface

no route outside 192.168.3.0 255.255.255.0 10.10.20.2 1 (don't need that, it knows how to route to it by the vpn config)

global (outside) 1 interface

nat (outside) 1 192.168.3.0 255.255.255.0

Edit: Just noticed that your internet gateway is on the inside of Site A at 192.168.1.251? If so you can scratch the global/nat/same-security commands above.

Make sure that 192.168.1.251 has a route to 192.168.3.0 via 192.168.1.243.

0 Helpful

zheka_pefti
Level 2
Level 2
In response to acomiskey

‎10-08-2009 12:38 PM

Hey, man!

It was a good sanity check. I figured the problem. the internet gateway device didn't have the route to send the return traffic to site B.

I really appreciate your look at it.

Thanks, Eugene

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents