I'm administering a small business network across two offices. Both offices have a PIX501 firewall. Right now we have a working PIX to PIX VPN tunnel between offices and everything is working great. But I am trying to get remote VPN access working for people outside the office with laptops and Cisco VPN Client software. My problem is with NAT 0. I have an access group for the PIX to PIX VPN and an access group for the VPN Client. I can get either VPN to work depending on which access list the NAT 0 statement has, but I can't get both groups to work at the same time. If I put one of the remote clients into the PIX to PIX access group, the remote client connects, but there is no network access. Can someone look at my config and help me?
I've tried this with only one access list ... see the last couple of sentences in my first post. But I did it again just to make sure. Please see attached config.
And I still have same problem. PIX-to-PIX VPN from other office works fine. But remote VPN from Cisco Client has problems. The VPN tunnel does connect. But the remote PC is not getting connected to the local network. I think there is some kind of routing problem here. But the remote client connected just fine to my server when it had its own access list and the nat 0 set to it, which also, of course, killed the PIX-to-PIX vpn.
It would seem more scalable and cleaner, in my opinion, to add a no_nat acl with 192.168.2.0/24 and 192.168.4.0/24 and put that in your nat 0 config. Then change your VPN client pool back to 192.168.4.0/24.
OK ... this makes total sense to me. What doesn't make sense is a no_nat acl with two destination addresses. I can't decode anything like this out of my 6.3 cmd ref. Can you show me what such an access-list command statement would look like?
access-list nonat permit ip Main 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip Main 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list nonat
It should look something like:
access-list acl_no_nat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl_no_nat permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list acl_no_nat
The no-NAT access-list can have many destination subnets or IPs in it. All it does is tell the PIX not to NAT traffic going from 192.168.1.0/24 to West or to VPN clients. For example, if you add another site-to-site VPN you will need to add another line to the acl_no_nat access-list:
access-list acl_no_nat permit ip 192.168.1.0 255.255.255.0
Thanks Adam ... it is simple. It just wasn't clear to me that multiple statements could be assigned to the same acl. And it's right there in the manual ... second sentence in the Access List Usage. Need to knock down some glass walls in my head and read a little closer.
Adam ... I have another access-list question. I want to do something simple: open a port for the remote VPN users. But, to me, the access-list doc for this operation in the cmd ref is really cryptic. How would I open port 12345? Do I have to define an object group to do this?
I would recommend changing your vpnwest ip pool to the RmtVPN subnet (192.168.4.0) and then adding an access-list for just no-nat. For example:
remove: access-list vpn_west permit ip ESIMain 255.255.255.0 RmtVPN 255.255.255.0
add: access-list no-nat permit ip ESIMain 255.255.255.0 ESIWest 255.255.255.0
add: access-list no-nat permit ip ESIMain 255.255.255.0 RmtVPN 255.255.255.0
remove: nat (inside) 0 access-list vpn_west
add: nat (inside) 0 access-list no-nat
remove: ip local pool vpnwest 192.168.2.100-192.168.2.110
add: ip local pool rmtvpn 192.168.4.100-192.168.4.110
remove: vpngroup vpnwest address-pool vpnwest
add: vpngroup vpnwest address-pool rmtvpn
remove: vpngroup makvpn address-pool vpnwest
add: vpngroup makvpn address-pool rmtvpn
A lot of this is cosmetics but it will help when troubleshooting. You shouldn't need an access-list on your outside interface to allow remote vpn access to it. Once the client is connected I believe they will have full access to your 192.168.1.0/24 network in this configuration. Are you wanting to restrict this access?
As long as you have "sysopt connection permit-ipsec" there is no need to define an access-list to allow traffic from the vpn client as all traffic will be allowed.
Before I discovered the use of multiple access-list commands for one access group, I had tried the setup you described. It didn't work. The VPN from the west office is different: it's a PIX to PIX VPN tunnel that I found docs for on Cisco's site. I believe it works differently from the connections from the VPN Client software that's out on remote laptops. The west office is on 192.168.2.0 and it appears if I remove that network from the config, the VPN from there will not connect. I've attached both the doc I got this from and the config from the west office router. Using the configs in this doc was the only way I could get the PIX-to-PIX VPN to work ... all the other VPN docs were wrong.
It looks as though, based on the provided config, that you are NAT'ing traffic that is supposed to go over the VPN tunnel. You are going to want to have a no-nat access-list on the WestPIX also:
access-list no-nat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
Also, you will want to enable sysopt connection permit-ipsec for the tunnel to come up with your current configuration.
sysopt connection permit-ipsec
You will also need to enable your crypto and isakmp commands again. Issue the same commands that are in your WestPIX config with the no crypto... and no isakmp... without the "no" in front. The following command will need to change also:
remove: crypto map outside_map 20 match address inside_outbound_nat0_acl
add: crypto map outside_map 20 match address no-nat
This is due to the access-list inside_outbound_nat0_acl not existing.
I hope this helps.
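As an added example (not code from this thread, from the attached configs, or from Cisco), here is a small Python model of the two checks the answers above rely on: Adam's point that a single nat 0 access-list can carry several permit lines (one per VPN peer or client pool), and the WestPIX problem where traffic selected by the crypto map is translated because no nat 0 exemption covers it. The config fragments are constructed; the name lines, the to_main ACL name and the sample addresses are assumptions, and the parser only understands the "permit ip <src> <mask> <dst> <mask>", "nat (if) 0 access-list" and "crypto map ... match address" forms that appear in the thread.

```python
import ipaddress

# Constructed PIX 6.3-style fragment for the main office (assumed names, not the attached config).
MAIN_PIX = """
name 192.168.1.0 ESIMain
name 192.168.2.0 ESIWest
name 192.168.4.0 RmtVPN
access-list no-nat permit ip ESIMain 255.255.255.0 ESIWest 255.255.255.0
access-list no-nat permit ip ESIMain 255.255.255.0 RmtVPN 255.255.255.0
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Constructed WestPIX: the crypto map selects tunnel traffic, but nothing exempts it from NAT.
WEST_PIX_BEFORE = """
name 192.168.1.0 ESIMain
name 192.168.2.0 ESIWest
access-list to_main permit ip ESIWest 255.255.255.0 ESIMain 255.255.255.0
crypto map outside_map 20 match address to_main
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Same WestPIX with the no-nat lines from the last answer added.
WEST_PIX_AFTER = WEST_PIX_BEFORE + """
access-list no-nat permit ip ESIWest 255.255.255.0 ESIMain 255.255.255.0
nat (inside) 0 access-list no-nat
"""


def parse_pix(text):
    """Pull name aliases, 'permit ip' ACEs, nat 0 bindings and crypto map match-address out of a config."""
    names, acls, nat0, crypto_match = {}, {}, {}, {}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "name" and len(p) == 3:
            names[p[2]] = p[1]
        elif p[0] == "access-list" and len(p) == 8 and p[2:4] == ["permit", "ip"]:
            # Resolve 'name' aliases, then build networks from the dotted masks.
            src = ipaddress.ip_network(f"{names.get(p[4], p[4])}/{p[5]}", strict=False)
            dst = ipaddress.ip_network(f"{names.get(p[6], p[6])}/{p[7]}", strict=False)
            acls.setdefault(p[1], []).append((src, dst))
        elif p[0] == "nat" and len(p) == 5 and p[2] == "0" and p[3] == "access-list":
            nat0[p[1].strip("()")] = p[4]
        elif p[0] == "crypto" and len(p) == 7 and p[1] == "map" and p[4:6] == ["match", "address"]:
            crypto_match[(p[2], p[3])] = p[6]
    return {"names": names, "acls": acls, "nat0": nat0, "crypto_match": crypto_match}


def acl_permits(acl, src_ip, dst_ip):
    """Any-line match over a permit-only 'ip' ACL: this is why several lines in one ACL work."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in acl)


def is_nat_exempt(cfg, interface, src_ip, dst_ip):
    """True if 'nat (interface) 0' references an ACL that matches this flow."""
    acl_name = cfg["nat0"].get(interface)
    if acl_name is None:
        return False
    return acl_permits(cfg["acls"].get(acl_name, []), src_ip, dst_ip)


def missing_nat_exemptions(cfg, interface="inside"):
    """Interesting-traffic ACEs (crypto map match address) not covered by the nat 0 ACL.
    Such traffic is translated before the crypto check and never enters the tunnel,
    which is the 'tunnel is up but nothing passes' symptom described in the thread."""
    nat0_acl = cfg["acls"].get(cfg["nat0"].get(interface, ""), [])
    missing = []
    for acl_name in cfg["crypto_match"].values():
        for src, dst in cfg["acls"].get(acl_name, []):
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in nat0_acl):
                missing.append((acl_name, str(src), str(dst)))
    return missing


if __name__ == "__main__":
    main = parse_pix(MAIN_PIX)
    for dst in ("192.168.2.10", "192.168.4.105", "8.8.8.8"):
        print("192.168.1.5 ->", dst, "nat exempt:", is_nat_exempt(main, "inside", "192.168.1.5", dst))
    print("WestPIX before:", missing_nat_exemptions(parse_pix(WEST_PIX_BEFORE)))
    print("WestPIX after: ", missing_nat_exemptions(parse_pix(WEST_PIX_AFTER)))
```

Running it shows the main-office flows to the West subnet and to the client pool both exempt while Internet-bound traffic still gets translated, and the WestPIX audit reports the uncovered West-to-Main line until the no-nat ACL is bound with nat (inside) 0. The same coverage check is a cheap thing to run whenever a new site or client pool is added, since a crypto map line without a matching nat 0 line is exactly the failure the thread spent several posts on.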