06-02-2010 11:20 AM - edited 03-11-2019 10:54 AM
Hi All,
With reference to the attached diagram.
We have an IPsec site-to-site tunnel between the 10.254.5.254/23 and 10.192.0.0/16 networks.
I would like to add a second network, 192.168.1.0/24 and 192.168.2.0/24, at the respective ends.
If anybody can help with how to configure this on the site-to-site VPN, it would be appreciated.
Thanks,
Samir
06-02-2010 12:20 PM
Hi Samir,
Using the same tunnel already established between the two PIXes, just add the local network on each side on the interesting traffic.
If you're doing NAT exemption, also include the networks in that list.
If you want the exact commands, please include the following output from both PIXes:
sh run access-l
sh run nat
Federico.
06-03-2010 07:50 AM
Hi Federico,
Thanks for your reply.
But my problem is that one side of the PIX 515E firewall is directly connected to a layer 2 switch.
So, how can I add the 192.168.x.x network on the layer 2 switch and allow it onto the site-to-site VPN tunnel?
Waiting for your kind reply.
Samir
06-03-2010 08:03 AM
The fact that the 192.168.1.x is connected via a layer 2 switch on the PIX-515 should not matter.
What you do is to add the 192.168.1.x to the interesting traffic of the tunnel that goes to the PIX-525.
So, let's say you have this crypto ACL for the tunnel...
access-list crypto permit ip 10.254.5.0 255.255.254.0 10.192.0.0 255.255.0.0
Then you add the following line to the PIX-515:
access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
To allow 192.168.1.x to communicate with 192.168.2.x through the tunnel.
On the PIX-525 you should add the inverse ACL:
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
Besides this...
You need to take into consideration the NAT configuration and the routing to make this work.
Federico.
06-03-2010 09:19 AM
06-03-2010 09:37 AM
PIX-515E
Current crypto ACL on PIX-515E
access-list outside_cryptomap_20 permit ip object-group subnet-Keyano object-group SCL_WAN_VPN
object-group network subnet-Keyano
network-object 10.254.4.0 255.255.254.0
network-object 192.168.1.0 255.255.255.0
object-group network SCL_WAN_VPN
network-object 10.0.0.0 255.0.0.0
network-object 192.168.1.0 255.255.255.0
Current bypass ACL in PIX-515E is the same as above:
access-list inside_outbound_nat0_acl permit ip object-group subnet-Keyano object-group SCL_WAN_VPN log
#####################################################################################
PIX-525
Current crypto ACL on PIX-525
access-list TELUS_cryptomap_20 permit ip object-group SCL_WAN_VPN object-group subnet-Keyano
object-group network SCL_WAN_VPN
network-object 10.0.0.0 255.0.0.0
network-object 192.168.2.0 255.255.255.0
object-group network subnet-Keyano
network-object 10.254.4.0 255.255.254.0
network-object 192.168.1.0 255.255.255.0
Current bypass ACL in PIX-525
access-list inside-nat permit ip any any log
access-list inside-nat permit ip object-group SCL_WAN_VPN object-group subnet-Keyano
###################################################################################
I'll do the following modifications:
1. On both sides modify the crypto ACL to not include the entire 10.0.0.0/8 but instead only the 10.192.0.0/16, to avoid overlapping issues with the 10.254.4.0/23 on the other side.
2. Remove the inside-nat permit ip any any on the PIX-525
Let me know.
Federico.
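The two checks Federico describes above (the PIX-525 crypto ACL must be the exact inverse of the PIX-515 one, and a 10.0.0.0/8 remote entry overlaps the local 10.254.4.0/23) can be verified mechanically before touching a live tunnel. The following is an added example, not code from the thread or from Cisco: it parses the object-group / access-list / route lines in the style pasted above, flattens each crypto ACL into (local, remote) network pairs, and reports unmirrored pairs, overlapping pairs and a default route that points to the inside interface. The two config snippets are constructed for the example, modelled on the posted configs; the outside gateway 203.0.113.1 is a documentation-range placeholder.

```python
import ipaddress

# Constructed sample configs modelled on the thread (not the real devices).
# PIX-515E side: local group subnet-Keyano, remote group SCL_WAN_VPN.
PIX515_CFG = """
object-group network subnet-Keyano
 network-object 10.254.4.0 255.255.254.0
 network-object 192.168.1.0 255.255.255.0
object-group network SCL_WAN_VPN
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip object-group subnet-Keyano object-group SCL_WAN_VPN
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

# PIX-525 side: the inverse ACL, plus the default route Federico flagged.
PIX525_CFG = """
object-group network SCL_WAN_VPN
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.2.0 255.255.255.0
object-group network subnet-Keyano
 network-object 10.254.4.0 255.255.254.0
 network-object 192.168.1.0 255.255.255.0
access-list TELUS_cryptomap_20 permit ip object-group SCL_WAN_VPN object-group subnet-Keyano
route inside 0.0.0.0 0.0.0.0 10.97.100.1 1
"""


def _net(addr, mask):
    """Build a network from PIX 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _parse_addr(tok, groups):
    """Return (list of networks, remaining tokens) for one ACL address field."""
    if tok[0] == "object-group":
        return list(groups[tok[1]]), tok[2:]
    if tok[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tok[1:]
    if tok[0] == "host":
        return [ipaddress.ip_network(tok[1])], tok[2:]
    return [_net(tok[0], tok[1])], tok[2:]


def parse_config(text):
    """Parse the subset of PIX syntax used in the thread: object-group network /
    network-object, 'access-list NAME permit ip ...' and 'route IFACE NET MASK GW'."""
    groups, acls, routes = {}, {}, []
    current = None  # object-group currently being filled
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            current = tok[2]
            groups[current] = []
        elif tok[0] == "network-object" and current is not None:
            groups[current].append(_parse_addr(tok[1:], groups)[0][0])
        elif tok[0] == "access-list" and "permit" in tok:
            current = None
            i = tok.index("permit")
            if tok[i + 1] != "ip":
                continue  # only 'permit ip' lines matter for proxy-IDs here
            src, rest = _parse_addr(tok[i + 2:], groups)
            dst, _ = _parse_addr(rest, groups)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "route":
            current = None
            routes.append((tok[1], _net(tok[2], tok[3]), tok[4]))
        else:
            current = None
    return {"groups": groups, "acls": acls, "routes": routes}


def crypto_pairs(cfg, acl_name):
    """Flatten an ACL into the set of (local_net, remote_net) pairs it would encrypt."""
    return {(s, d) for srcs, dsts in cfg["acls"][acl_name] for s in srcs for d in dsts}


def unmirrored(local_pairs, remote_pairs):
    """Pairs on this side whose inverse (remote, local) is missing on the peer."""
    return sorted((s, d) for s, d in local_pairs if (d, s) not in remote_pairs)


def overlapping(pairs):
    """Pairs whose local and remote networks overlap (a proxy-ID matching both ends)."""
    return sorted((s, d) for s, d in pairs if s.overlaps(d))


def default_route_interface(cfg):
    """Interface the 0.0.0.0/0 route points at, or None if there is none."""
    for iface, net, _gw in cfg["routes"]:
        if net.prefixlen == 0:
            return iface
    return None


def audit(local_cfg, local_acl, remote_cfg, remote_acl):
    """Return human-readable findings for one side of the tunnel (empty list = clean)."""
    local = crypto_pairs(local_cfg, local_acl)
    remote = crypto_pairs(remote_cfg, remote_acl)
    findings = [f"no mirror on peer for {s} -> {d}" for s, d in unmirrored(local, remote)]
    findings += [f"overlap between local {s} and remote {d}" for s, d in overlapping(local)]
    if default_route_interface(local_cfg) == "inside":
        findings.append("default route points to inside; should be outside")
    return findings


if __name__ == "__main__":
    c515, c525 = parse_config(PIX515_CFG), parse_config(PIX525_CFG)
    for side, f in (("PIX-515E", audit(c515, "outside_cryptomap_20", c525, "TELUS_cryptomap_20")),
                    ("PIX-525", audit(c525, "TELUS_cryptomap_20", c515, "outside_cryptomap_20"))):
        print(side, f or ["clean"])
```

Replacing `10.0.0.0 255.0.0.0` with `10.192.0.0 255.255.0.0` on both sides (step 1 of the post above) clears the overlap finding; moving the PIX-525 default route to the outside interface clears the routing one.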
06-03-2010 12:49 PM
Hi Federico,
It does not work.
Any more ideas on how I can do this?
Also, I cannot ping my 10.192.x.x network from the 192.168.1.x network.
Waiting for your kind reply.
Thanks,
Samir
06-03-2010 01:20 PM
On the PIX-525, this statement is wrong:
route inside 0.0.0.0 0.0.0.0 10.97.100.1 1
The default gateway should be to the outside.
Also make sure that the PIX can reach the internal networks 10.192.0.0/16 and 192.168.2.0/24, since they are not directly connected to the PIX.
On the PIX-515 include this:
nat (EMIT-TEST) 0 access-list inside_outbound_nat0_acl
Federico.
06-03-2010 02:32 PM
Hi Federico,
As per your previous comments, I changed the configuration, and my existing tunnel went down.
How can I restore it?
Thanks in advance.
Regards,
Samir Rana
06-03-2010 04:00 PM
What changes did you make?
Did you remove this route?
route inside 0.0.0.0 0.0.0.0 10.97.100.1 1
Put it back in.
What else?
Federico.