Community Member

VPN on PIX

Hi, we have configured PIX firewalls on two sites and both are connected by a tunnel, and everything is working fine. We have also configured remote VPN on both firewalls and set the DHCP range of the remote VPN to be different from the inside network, and configured exempt traffic between the VPN and the inside network on both firewalls. But now I want the VPN client nodes to access the other firewall's inside network as well. Details are given below:

1) First Firewall (India) conf:

Inside 192.168.12.0/24

Outside *.*.*.*

VPN DHCP range 192.168.253.0/24

2) Second Firewall conf:

Inside 192.168.10.0/24

Outside ****

VPN DHCP range 192.168.252.0/24

Now what configuration should I make so that the VPN clients of the first firewall are able to access the other firewall's network? And is it possible on the PIX 500 series or ASA series? Thanks

1 ACCEPTED SOLUTION

Re: VPN on PIX

India

access-list outside_nat0_outbound permit ip 192.168.13.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list outside_nat0_outbound permit ip 192.168.13.0 255.255.255.0 192.168.51.0 255.255.255.0

nat (outside) 0 access-list outside_nat0_outbound outside

access-list outside_cryptomap_2 extended permit ip 192.168.13.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list outside_cryptomap_2 extended permit ip 192.168.13.0 255.255.255.0 192.168.51.0 255.255.255.0

clear xlate

Rwanda

access-list outside_cryptomap_1 extended permit ip 192.168.51.0 255.255.255.0 192.168.13.0 255.255.255.0

access-list outside_cryptomap_1 extended permit ip 192.168.50.0 255.255.255.0 192.168.13.0 255.255.255.0

Do the above in their respective order

17 REPLIES
Community Member

Re: VPN on PIX

Can anyone reply?

Silver

Re: VPN on PIX

Definitely possible. It's called hairpin. You can do it with PIX or ASA in version 7.x or higher.

CCIE Security

Re: VPN on PIX

Firstly, make sure the tunnel is active between both firewalls and that both firewalls can ping each other's inside interface.

Since your IPsec tunnel already exists between your PIXes, you only need to define the traffic you are interested in on the IPsec tunnel between your PIXes.

For example, to allow the first firewall's VPN clients (192.168.253.0/24) to access firewall 2's inside network (192.168.10.0/24), you will need to define the interesting traffic that is protected by the IPsec tunnel

on firewall 2:

1. Define interesting traffic that is protected by the IPsec tunnel (add the line to the ACL currently applied to your IPsec crypto map; 101 is used here as the example name).

access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0

2. Do not perform NAT for traffic to the other PIX firewall.

access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0

3. Tell the PIX not to NAT any traffic deemed interesting for IPsec (bind the exemption ACL from step 2).

nat (inside) 0 access-list inside_nat0_outbound

It might be a good idea to upload your PIX VPN config so I can be more helpful.

Franco.

Re: VPN on PIX

I suggest you use the PIX PDM to make changes instead if you are not familiar with the CLI.

Community Member

Re: VPN on PIX

Hi, I went with the same example above but am not able to access the firewall 2 inside network when I am connected to firewall 1 by remote VPN. Can anyone give me the solution?

Is any access-list or crypto setting required?

The site-to-site tunnel is set with esp-des-md5, but when I connect to the VPN and look at the status it shows encryption 128-bit AES and authentication HMAC-SHA1. Thanks

Community Member

Re: VPN on PIX

Hi, can anyone respond please... I have to resolve this issue on a priority basis. Thanks

Re: VPN on PIX

Hi Ray,

1) A very important detail: what you want to do is allow traffic which enters the outside interface to exit the same interface (the VPN client enters at the outside interface and exits into the VPN tunnel, which is again on the outside interface). This is called hairpinning or U-turn. The command which enables this is NOT same-security-traffic permit inter-interface; it is intra-interface.

2) The exempt NAT statement should not be applied to the inside interface. This traffic never enters inside.

India

access-list outside_nat0_outbound permit ip 192.168.253.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (outside) 0 access-list outside_nat0_outbound outside

access-list Interestingtrafficacl permit ip 192.168.253.0 255.255.255.0 192.168.10.0 255.255.255.0

same-security-traffic permit intra-interface

clear xlate

Second Firewall

access-list outside_nat0_outbound permit ip 192.168.252.0 255.255.255.0 192.168.12.0 255.255.255.0

nat (outside) 0 access-list outside_nat0_outbound outside

access-list Interestingtrafficacl permit ip 192.168.252.0 255.255.255.0 192.168.12.0 255.255.255.0

same-security-traffic permit intra-interface

clear xlate

If you post a sanitized config of the sites, I will make on-config corrections.

Regards
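As an added example (not code from the thread), a short Python checker that parses the relevant PIX/ASA 7.x lines from both peers and reports the three things that must line up for the hairpin case above: a mirrored crypto ACL entry on the far end, a NAT exemption bound to the interface the traffic actually arrives on (outside for VPN clients, as point 2 says), and the intra-interface permit. The addresses are the ones from the question; the ACL names outside_cryptomap_1, outside_nat0_outbound and inside_nat0_outbound, the complete two-sided configs, and the two broken variants (Rwanda left unchanged, and the exemption bound to inside without the hairpin permit) are constructed here for illustration.

```python
"""Consistency check for the PIX/ASA 7.x hairpin case in this thread:
VPN clients on firewall 1 reaching the inside network behind firewall 2
over the site-to-site tunnel. Added example, not code from the thread.

Only a small subset of PIX syntax is parsed: 'access-list ... permit ip',
'nat (ifc) 0 access-list ...' and 'same-security-traffic permit intra-interface'.
ACL names and the full configs below are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
                    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)(?:\s+outside)?$")
HAIRPIN = "same-security-traffic permit intra-interface"


def _net(addr, mask):
    # PIX ACLs use dotted netmasks; ipaddress accepts "addr/dotted-mask".
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse(config_text):
    """Return ({acl: [(src, dst), ...]}, {interface: nat0_acl}, hairpin_enabled)."""
    acls, nat0, hairpin = defaultdict(list), {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls[name].append((_net(s, sm), _net(d, dm)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif line == HAIRPIN:
            hairpin = True
    return dict(acls), nat0, hairpin


def check_peer(name, cfg, crypto_acl, pools, peer_cfg, peer_crypto_acl):
    """Problems with one peer's crypto ACL relative to its own NAT and the far end."""
    acls, nat0, hairpin = parse(cfg)
    peer_entries = parse(peer_cfg)[0].get(peer_crypto_acl, [])
    problems = []
    for src, dst in acls.get(crypto_acl, []):
        tag = f"{name}: crypto {src} -> {dst}"
        # 1. The far end must list the same flow with source and destination swapped.
        if (dst, src) not in peer_entries:
            problems.append(f"{tag}: no mirror entry {dst} -> {src} on the peer")
        # 2. VPN-client traffic arrives on outside, LAN traffic on inside; the
        #    nat 0 exemption must be bound to the interface it arrives on.
        arrives_on = "outside" if any(src.subnet_of(p) for p in pools) else "inside"
        exempt = acls.get(nat0.get(arrives_on), [])
        if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt):
            problems.append(f"{tag}: not covered by a 'nat ({arrives_on}) 0' exemption")
        # 3. Outside-in, outside-out needs intra-interface traffic permitted.
        if arrives_on == "outside" and not hairpin:
            problems.append(f"{tag}: hairpin needs '{HAIRPIN}'")
    return problems


# VPN client pools each firewall hands out (from the question).
INDIA_POOLS = [ipaddress.IPv4Network("192.168.253.0/24")]
RWANDA_POOLS = [ipaddress.IPv4Network("192.168.252.0/24")]


def check_site_to_site(india_cfg, rwanda_cfg):
    """Empty list means both peers agree; otherwise a list of human-readable problems."""
    return (check_peer("India", india_cfg, "outside_cryptomap_1", INDIA_POOLS,
                       rwanda_cfg, "outside_cryptomap_1")
            + check_peer("Rwanda", rwanda_cfg, "outside_cryptomap_1", RWANDA_POOLS,
                         india_cfg, "outside_cryptomap_1"))


# Constructed configs. India: inside 192.168.12.0/24; Rwanda: inside 192.168.10.0/24.
INDIA_OK = """
same-security-traffic permit intra-interface
access-list outside_nat0_outbound permit ip 192.168.253.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound outside
access-list inside_nat0_outbound permit ip 192.168.12.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_cryptomap_1 extended permit ip 192.168.12.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.253.0 255.255.255.0 192.168.10.0 255.255.255.0
"""
RWANDA_OK = """
access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_cryptomap_1 extended permit ip 192.168.10.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0
"""
# The thread's situation after only India was changed: Rwanda still lacks the mirror.
RWANDA_UNCHANGED = "\n".join(l for l in RWANDA_OK.splitlines() if "192.168.253.0" not in l)
# Exemption bound to inside and no hairpin permit: does not work for VPN clients.
INDIA_NAT_ON_INSIDE = INDIA_OK.replace(HAIRPIN, "").replace(
    "nat (outside) 0 access-list outside_nat0_outbound outside",
    "access-list inside_nat0_outbound permit ip 192.168.253.0 255.255.255.0 192.168.10.0 255.255.255.0")

if __name__ == "__main__":
    for label, india, rwanda in [("good", INDIA_OK, RWANDA_OK),
                                 ("rwanda unchanged", INDIA_OK, RWANDA_UNCHANGED),
                                 ("nat0 on inside", INDIA_NAT_ON_INSIDE, RWANDA_OK)]:
        print(label, check_site_to_site(india, rwanda) or "consistent")
```

Running it prints "consistent" for the two-sided config, one missing-mirror problem for the Rwanda-unchanged case, and two problems (no outside exemption, no intra-interface permit) for the inside-bound variant. Point it at `show running-config` output from the two firewalls and the same three checks apply; the pool list is the only thing to change.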

Community Member

Re: VPN on PIX

I wasn't able to understand the following command:

same-security-traffic permit intra-interface

Thanks

Community Member

Re: VPN on PIX

Hi, both FW configurations are attached. Here I would like to provide VPN access only on the India FW and want to access the other DMZ and inside network of the Rwanda FW. Please suggest which commands have to be added and which have to be removed. Thanks.

Community Member

Re: VPN on PIX

Please respond asap.

Re: VPN on PIX

As I explained, it will enable your VPN client, which is terminated at the outside interface of firewall 1, to connect over the tunnel to the remote VPN peer firewall 2, which is also terminated at the outside interface. Simply follow the commands I posted.


Community Member

Re: VPN on PIX

Thanks everyone... The problem has been solved. I appreciate...

Re: VPN on PIX

You are welcome :)

Community Member

Re: VPN on PIX

Hey, how can I start a ping from the VPN to the Rwanda firewall network? Thanks

Community Member

Re: VPN on PIX

After connecting to the VPN, when I try to ping the Rwanda network, the ICMP request is blocked, as I see in the ASDM log details. Can anyone suggest what I should do to allow ICMP requests? Thanks.

Re: VPN on PIX

Ray,

In both India and Rwanda, add the following:

policy-map global_policy

class inspection_default

inspect icmp
