08-29-2007 10:51 AM - edited 03-09-2019 06:42 PM
I'm sure that this has been asked, but I cannot find it. I have my users connecting to my office (Site A in the diagram) using the Cisco VPN client. I also have my office connected to another (site B) via an IPSec tunnel. All of this works fine.
What I want to do is to get the VPN clients to go through my site to site B, through the tunnel.
Traffic through the tunnel is being PATed to the 69.x.x.x address on the outside of my PIX. I am attaching a diagram.
Thanks in advance for any help,
Paul
08-29-2007 11:03 AM
Paul,
Configuration??
Okay, are you using a routing protocol? If yes, add that subnet to the advertisement. It will be able to access site B also.
If you are using static routes, it seems to be a stub network; use a default route.
Put static route for network 32.X.X.X.
Regards,
Dharmesh Purohit
08-29-2007 11:06 AM
You should only have to allow hairpinning with same-security-traffic permit intra-interface and also add the VPN client subnet 192.168.21.0/24 to your interesting traffic ACLs on the Site A and Site B PIXes. This is assuming you have version 7.
How about posting a clean config?
08-29-2007 11:34 AM
Thanks, guys. Here is a config that I scrubbed.
I have 7.2(2) on my PIX. Site B is a client of ours so we have no control over it.
Paul
08-29-2007 11:41 AM
access-list SITEBTCRYPTO extended permit ip 192.168.21.0 255.255.255.0 32.yy.yy.yy 255.255.255.255
same-security-traffic permit intra-interface
Remote site would also need to add the interesting traffic and nat exemption to 192.168.21.0. I suppose since you have no control over the far end that you need to somehow make 192.168.21.0 appear as 66.x.x.x. This would eliminate you needing to change anything on the far end.
Maybe like this...
nat (outside) 1 192.168.21.0 255.255.255.0 outside
08-29-2007 11:45 AM
I guess therein lies my question. Is there any way to get the 192.168.21.x address space PATed on the outside interface just like my internal network? Or maybe use policy NAT?
08-29-2007 11:46 AM
I added to the end of my last post...just make sure you have the same-security-traffic command as well.
Oh, and don't forget to add the remote lan to the split tunnel acl.
access-list splitTunnelAcl standard permit 32.y.y.y 255.255.255.0
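The pieces from the replies above, pulled together into one PIX 7.2 fragment as an added example (not a config posted in this thread). The pool name, group-policy name, the 32.y.y.y/24 remote subnet and the 69.x.x.x outside address are assumptions taken from the thread's placeholders.

```cisco
! Allow traffic to enter and leave the same interface (hairpinning)
same-security-traffic permit intra-interface

! Address pool handed to the remote-access clients (assumed pool name)
ip local pool VPNPOOL 192.168.21.1-192.168.21.254 mask 255.255.255.0

! PAT both the inside network and the VPN-client pool to the outside
! interface address. The "outside" keyword on the second nat line applies
! the translation to traffic that re-enters the outside interface, so the
! far end only ever sees 69.x.x.x and needs no change.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.21.0 255.255.255.0 outside

! Interesting traffic for the site-to-site tunnel. NAT is applied before
! the crypto map is evaluated, so the PATed address must be matched; the
! second line mirrors the accepted answer and covers the pre-NAT subnet.
access-list SITEBTCRYPTO extended permit ip host 69.x.x.x 32.y.y.y 255.255.255.0
access-list SITEBTCRYPTO extended permit ip 192.168.21.0 255.255.255.0 32.y.y.y 255.255.255.0

! Split tunnel: clients send only the inside LAN and the remote LAN through
! the VPN; everything else stays local (assumed group-policy name)
access-list splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list splitTunnelAcl standard permit 32.y.y.y 255.255.255.0
group-policy SITEA_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
```

After applying, `show xlate` for a client connection to 32.y.y.y should show the 192.168.21.x source translated to the outside interface address, and `show crypto ipsec sa` should show the encap counters on the SITEBTCRYPTO peer increasing.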
08-29-2007 11:56 AM
Worked like a charm!
Thanks much,
Paul
08-29-2007 11:58 AM
Sweet, glad it worked. I'll have to try that myself sometime. Thanks for the rating.