Can I cross two VPNs on two interfaces?

mikeb
Level 1

Please see the attached PDF diagram.

I can successfully pass traffic from 192.168.60.0 to the DMZ and Inside networks.

I can successfully pass traffic from 192.168.20.0 to the DMZ and Inside networks.

Problem – I cannot pass traffic from either network across both VPNs. For example, I cannot go from 192.168.60.0 to 192.168.20.0, or vice versa.

Any ideas as to why this won't work?

Thanks in advance.

Accepted Solution

jackko
Level 7

Just wondering if both the router 1751 and the PIX 501 have no-NAT and crypto ACLs that include each other's subnet. Also, on the PIX 515, both subnets need to be included in both LAN-to-LAN VPNs.

e.g.

on router 1751,

ip access-list extended no_nat
 ! flows to keep out of NAT (on IOS the NAT source list translates what it
 ! permits, so exclude these there with deny entries or a route-map)
 permit ip 192.168.20.0 0.0.0.255 172.24.0.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.60.0 0.0.0.255
ip access-list extended lan2lan
 ! crypto ACL for the tunnel to the PIX 515; the last entry is the spoke-to-spoke flow
 permit ip 192.168.20.0 0.0.0.255 172.24.0.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.60.0 0.0.0.255

on pix 501,

access-list no_nat permit ip 192.168.60.0 255.255.255.0 172.24.0.0 255.255.255.0
access-list no_nat permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no_nat permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list lan2lan permit ip 192.168.60.0 255.255.255.0 172.24.0.0 255.255.255.0
access-list lan2lan permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list lan2lan permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0

for pix 515,

access-list vpn1_1751 permit ip 172.24.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn1_1751 permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn1_1751 permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn2_501 permit ip 172.24.0.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list vpn2_501 permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list vpn2_501 permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0

The only bit I am not sure about is the no-NAT on the PIX 515. I guess we should give it a go first, then figure the no-NAT out by troubleshooting.
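The rule the answer applies is mechanical: each spoke's crypto ACL must carry spoke LAN to every remote LAN (the two hub LANs plus the other spoke's LAN), and the hub's ACL for that tunnel must be the exact mirror image. The following Python script is an added example, not code from the thread or from Cisco; it checks that rule over the ACLs above. The subnets are the ones named in the thread, the device labels (router1751, pix501) are arbitrary, and the parser only understands the "permit ip SRC MASK DST MASK" form used here. Running it with the third line of every ACL dropped reproduces the state the question describes: each spoke reaches the hub LANs, but the spoke-to-spoke pair is missing on both ends of both tunnels.

```python
"""Hub-and-spoke crypto ACL consistency check (constructed example, not from the thread).

Rule: every spoke's crypto ACL must carry spoke-LAN -> every remote LAN (hub
LANs and every other spoke LAN), and the hub's ACL for that tunnel must be
the mirror image. Subnets are the ones named in the thread; device labels
are arbitrary.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Set, Tuple

IPv4Net = ipaddress.IPv4Network


class Flow(NamedTuple):
    src: IPv4Net
    dst: IPv4Net


def to_network(addr: str, mask: str, wildcard: bool) -> IPv4Net:
    """IOS ACLs use wildcard masks (0.0.0.255), PIX 6.x uses subnet masks
    (255.255.255.0); normalise both to an IPv4Network."""
    m = int(ipaddress.IPv4Address(mask))
    if wildcard:
        m ^= 0xFFFFFFFF
    return IPv4Net((addr, str(ipaddress.IPv4Address(m))))


def parse_acl(lines: List[str], wildcard: bool) -> Set[Flow]:
    """Parse 'permit ip SRC MASK DST MASK' entries, the only form the thread
    uses. A PIX-style 'access-list NAME' prefix is stripped."""
    flows: Set[Flow] = set()
    for line in lines:
        t = line.split()
        if t[:1] == ["access-list"]:
            t = t[2:]
        if t[:2] != ["permit", "ip"] or len(t) != 6:
            raise ValueError(f"unsupported ACL line: {line!r}")
        flows.add(Flow(to_network(t[2], t[3], wildcard),
                       to_network(t[4], t[5], wildcard)))
    return flows


def expected_flows(hub_lans: List[IPv4Net], spoke_lans: Dict[str, IPv4Net],
                   spoke: str) -> Tuple[Set[Flow], Set[Flow]]:
    """(what the spoke's crypto ACL must contain, what the hub's ACL for that
    tunnel must contain). Other spokes' LANs count as remote LANs; that is
    what lets spoke-to-spoke traffic ride both tunnels through the hub."""
    mine = spoke_lans[spoke]
    remote = list(hub_lans) + [n for s, n in spoke_lans.items() if s != spoke]
    return ({Flow(mine, r) for r in remote}, {Flow(r, mine) for r in remote})


def check(hub_lans, spoke_lans, spoke_acls, hub_acls) -> List[str]:
    """Return human-readable problems; an empty list means consistent."""
    problems: List[str] = []
    for spoke in spoke_lans:
        want_spoke, want_hub = expected_flows(hub_lans, spoke_lans, spoke)
        for f in sorted(want_spoke - spoke_acls[spoke], key=str):
            problems.append(f"{spoke}: crypto ACL lacks {f.src} -> {f.dst}")
        for f in sorted(want_hub - hub_acls[spoke], key=str):
            problems.append(f"hub ACL for {spoke}: lacks {f.src} -> {f.dst}")
        # Anything the spoke encrypts that the hub does not expect is a
        # proxy-identity mismatch and fails at phase 2 negotiation.
        mirrored = {Flow(f.dst, f.src) for f in hub_acls[spoke]}
        for f in sorted(spoke_acls[spoke] - mirrored, key=str):
            problems.append(f"{spoke}: {f.src} -> {f.dst} has no mirror on the hub")
    return problems


# Subnets from the thread: two LANs behind the PIX 515 hub, one LAN per spoke.
HUB_LANS = [IPv4Net("172.24.0.0/24"), IPv4Net("192.168.1.0/24")]
SPOKE_LANS = {"router1751": IPv4Net("192.168.20.0/24"),
              "pix501": IPv4Net("192.168.60.0/24")}

# Crypto ACLs as given in the accepted answer; the third line of each is the
# spoke-to-spoke entry.
ROUTER_1751_LAN2LAN = [
    "permit ip 192.168.20.0 0.0.0.255 172.24.0.0 0.0.0.255",
    "permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "permit ip 192.168.20.0 0.0.0.255 192.168.60.0 0.0.0.255",
]
PIX_501_LAN2LAN = [
    "access-list lan2lan permit ip 192.168.60.0 255.255.255.0 172.24.0.0 255.255.255.0",
    "access-list lan2lan permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "access-list lan2lan permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0",
]
PIX_515_VPN1_1751 = [
    "access-list vpn1_1751 permit ip 172.24.0.0 255.255.255.0 192.168.20.0 255.255.255.0",
    "access-list vpn1_1751 permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0",
    "access-list vpn1_1751 permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0",
]
PIX_515_VPN2_501 = [
    "access-list vpn2_501 permit ip 172.24.0.0 255.255.255.0 192.168.60.0 255.255.255.0",
    "access-list vpn2_501 permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0",
    "access-list vpn2_501 permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0",
]


def problems_for(keep: int) -> List[str]:
    """Run the check with the first `keep` lines of every ACL: keep=3 is the
    answer's full configuration, keep=2 is the hub-only state the question
    describes (each spoke reaches the hub LANs but not the other spoke)."""
    spoke_acls = {"router1751": parse_acl(ROUTER_1751_LAN2LAN[:keep], wildcard=True),
                  "pix501": parse_acl(PIX_501_LAN2LAN[:keep], wildcard=False)}
    hub_acls = {"router1751": parse_acl(PIX_515_VPN1_1751[:keep], wildcard=False),
                "pix501": parse_acl(PIX_515_VPN2_501[:keep], wildcard=False)}
    return check(HUB_LANS, SPOKE_LANS, spoke_acls, hub_acls)


if __name__ == "__main__":
    print("full ACLs:", problems_for(3) or "consistent")
    for p in problems_for(2):
        print("hub-only ACLs:", p)
```

The check covers only the ACL bookkeeping the answer describes. One caveat the thread does not mention: spoke-to-spoke traffic enters and leaves the hub's outside interface, which PIX 7.0 and later only allow with `same-security-traffic permit intra-interface`, and which PIX 6.x does not support at all. If the PIX 515 is on 6.x, mirrored ACLs alone will not make 192.168.20.0 reach 192.168.60.0.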
