Need help configuring a second network for site-to-site IPsec VPN

Unanswered Question
Jun 2nd, 2010

Hi All,

With reference to the attached diagram.

We have an IPsec site-to-site tunnel between the 10.254.5.254 /23 and 10.192.0.0 /16 networks.

I would like to add a second network, 192.168.1.0 /24 and 192.168.2.0 /24 at the respective ends.

If anybody can help with how to configure this on the site-to-site VPN, it would be appreciated.

Thanks,

Samir

Federico Coto F... Wed, 06/02/2010 - 12:20

Hi Samir,

Using the same tunnel already established between the two PIXes, just add the local network on each side on the interesting traffic.

If you're doing NAT exemption, also include the networks in that list.

If you want the exact commands, please include the following output from both PIXes:

sh run access-l   --> this is the name of the ACL in the crypto map

sh run nat

Federico.

rana.samir Thu, 06/03/2010 - 07:50

Hi Federico,

Thanks for your reply.

But my problem is that one side of the 515E PIX firewall is directly connected to a layer 2 switch.

So, how can I add the 192.168.x.x network on the layer 2 switch and allow it onto the site-to-site VPN tunnel?

Waiting for your kind reply.

Samir

Federico Coto F... Thu, 06/03/2010 - 08:03

The fact that 192.168.1.x is connected via a layer 2 switch on the PIX-515 should not matter.
What you do is aggregate 192.168.1.x into the interesting traffic for the tunnel that goes to the PIX-525.

So, let's say you have this crypto ACL for the tunnel...
access-list crypto permit ip 10.254.5.0 255.255.254.0 10.192.0.0 255.255.0.0

Then you add the following line to the PIX-515:
access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

To allow 192.168.1.x to communicate with 192.168.2.x through the tunnel.

On the PIX-525 you should add the inverse ACL:
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Besides this...
You need to take into consideration the NAT configuration and the routing to make this work.

Federico.

rana.samir Thu, 06/03/2010 - 09:19

Hi Federico,

Thank you very much for your early reply.

Here is my configuration of both sides for your information.

Waiting for your kind reply.

Federico Coto F... Thu, 06/03/2010 - 09:37

PIX-515E

Current crypto ACL on PIX-515E
access-list outside_cryptomap_20 permit ip object-group subnet-Keyano object-group SCL_WAN_VPN

object-group network subnet-Keyano
  network-object 10.254.4.0 255.255.254.0
  network-object 192.168.1.0 255.255.255.0

object-group network SCL_WAN_VPN
  network-object 10.0.0.0 255.0.0.0
  network-object 192.168.1.0 255.255.255.0

Current bypass ACL in PIX-515E is the same as above:
access-list inside_outbound_nat0_acl permit ip object-group subnet-Keyano object-group SCL_WAN_VPN log

#####################################################################################

PIX-525

Current crypto ACL on PIX-525

access-list TELUS_cryptomap_20 permit ip object-group SCL_WAN_VPN object-group subnet-Keyano

object-group network SCL_WAN_VPN
  network-object 10.0.0.0 255.0.0.0
  network-object 192.168.2.0 255.255.255.0

object-group network subnet-Keyano
  network-object 10.254.4.0 255.255.254.0
  network-object 192.168.1.0 255.255.255.0

Current bypass ACL in PIX-525

access-list inside-nat permit ip any any log
access-list inside-nat permit ip object-group SCL_WAN_VPN object-group subnet-Keyano

###################################################################################

I'll do the following modifications:

1. On both sides, modify the crypto ACL to not include the entire 10.0.0.0/8 but instead only 10.192.0.0/16, to avoid overlapping issues with the 10.254.4.0/24 on the other side.

2. Remove the inside-nat permit ip any any on the PIX-525.

Let me know.

Federico.
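
As an added check (not part of this thread or of any PIX tooling), the script below expands the object-group crypto ACLs quoted above into explicit (src, dst) pairs, exactly as the PIX proposes them during phase 2, and flags the two conditions discussed here: a remote prefix that overlaps the local one (10.0.0.0/8 swallowing 10.254.4.0/23) and entries the peer does not mirror. The "fixed" groups are our own rewrite following the advice in this thread (10.192.0.0/16 in place of 10.0.0.0/8, 192.168.2.0/24 as the PIX-525 side of the new pair); the group names are ours, not PIX configuration.

```python
import ipaddress
from itertools import product

# Sample input constructed from the object-groups quoted in this thread (PIX-515E and PIX-525).
# Each crypto ACL is "permit ip object-group <src> object-group <dst>", so we keep the two groups.
PIX515_SRC = ["10.254.4.0/23", "192.168.1.0/24"]  # subnet-Keyano on PIX-515E
PIX515_DST = ["10.0.0.0/8", "192.168.1.0/24"]     # SCL_WAN_VPN on PIX-515E
PIX525_SRC = ["10.0.0.0/8", "192.168.2.0/24"]     # SCL_WAN_VPN on PIX-525
PIX525_DST = ["10.254.4.0/23", "192.168.1.0/24"]  # subnet-Keyano on PIX-525

# The remote group rewritten as the thread recommends: 10.192.0.0/16 instead of 10.0.0.0/8,
# and 192.168.2.0/24 as the PIX-525 side of the new pair. These names are ours (assumed).
FIXED_WAN_VPN = ["10.192.0.0/16", "192.168.2.0/24"]
FIXED_KEYANO = ["10.254.4.0/23", "192.168.1.0/24"]


def expand(src_group, dst_group):
    """Expand a crypto ACE written with object-groups into the explicit (src, dst) pairs
    the PIX actually evaluates and proposes as proxy identities during phase 2."""
    return {(ipaddress.ip_network(s), ipaddress.ip_network(d))
            for s, d in product(src_group, dst_group)}


def audit(local_src, local_dst, peer_src, peer_dst):
    """Check one side's crypto ACL against its peer's.

    overlaps:   local entries whose remote prefix contains or overlaps the local prefix;
                local-to-local traffic would then match the crypto ACL and be pushed into
                the tunnel (the 10.0.0.0/8 vs 10.254.4.0/23 problem in this thread).
    unmirrored: local entries the peer does not list as the exact (dst, src) mirror, which
                usually means phase 2 never comes up for that pair.
    Results are sorted strings so they are easy to print or assert on.
    """
    local = expand(local_src, local_dst)
    mirrored = {(d, s) for s, d in expand(peer_src, peer_dst)}
    overlaps = sorted(f"{s} -> {d}" for s, d in local if s.overlaps(d))
    unmirrored = sorted(f"{s} -> {d}" for s, d in local - mirrored)
    return {"overlaps": overlaps, "unmirrored": unmirrored}


if __name__ == "__main__":
    print("PIX-515E as quoted:", audit(PIX515_SRC, PIX515_DST, PIX525_SRC, PIX525_DST))
    print("PIX-525 as quoted: ", audit(PIX525_SRC, PIX525_DST, PIX515_SRC, PIX515_DST))
    print("PIX-515E fixed:    ", audit(FIXED_KEYANO, FIXED_WAN_VPN, FIXED_WAN_VPN, FIXED_KEYANO))
```

Run it as-is to see which quoted entries overlap or lack a mirror, then re-run after editing the groups to confirm both lists come back empty before touching the live crypto map.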

rana.samir Thu, 06/03/2010 - 12:49

Hi Federico,

It does not work.

Any more ideas how I can do this?

Also, I cannot ping my 10.192.x.x network from the 192.168.1.x network.

Waiting for your kind reply.

Thanks,

Samir

Federico Coto F... Thu, 06/03/2010 - 13:20

On the PIX-525, this statement is wrong:
route inside 0.0.0.0 0.0.0.0 10.97.100.1 1

The default gateway should be to the outside.

Also make sure that the PIX can reach the internal networks 10.192.0.0/16 and 192.168.2.0/24, since they are not directly connected to the PIX.

On the PIX-515 include this:
nat (EMIT-TEST) 0 access-list inside_outbound_nat0_acl

Federico.

rana.samir Thu, 06/03/2010 - 14:32

Hi Federico,

As per your previous comments, I changed the configuration, and my existing tunnel went down.

How can I restore that one?

Thanks in advance.

Regards,

Samir Rana

Federico Coto F... Thu, 06/03/2010 - 16:00

What changes did you make?

Did you remove this route?

route inside 0.0.0.0 0.0.0.0 10.97.100.1 1

Put it back in.

What else?

Federico.
