Cisco Support Community

Remote Access VPN - Access a partner network - how?

We have a PIX setup that has developed and we have the following query:

PIX firewall with multiple interfaces (we will assume 3 for this query), inside, outside, and partner

The people that run the partner network have assigned us 1 address for use on their network, and as such all traffic from the inside to the partner network is PAT'ed through this one address. We have also configured a Remote Access VPN with the Cisco Unified client that is terminated on the outside interface. The VPN client users can access resources on the inside network. They cannot, however, access anything on the partner network.

193.22.18.0/28 (outside)
:
:
:
PIX------ 10.1.255.253/16 (partner) link to partner network
:
:
:
172.16.0.0/16 (inside network)

Relevant config:

PIX Version 6.2(1)

access-list ipsec permit ip 172.16.0.0 255.255.0.0 10.250.0.0 255.255.0.0

access-list ipsec permit ip 193.162.207.0 255.255.255.0 10.250.0.0 255.255.0.0 (tried with and without this line)

ip local pool vpn 10.250.0.1-10.250.0.254

global (partner) 1 193.162.253.37 netmask 255.255.255.255

nat (inside) 0 access-list ipsec

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 193.129.253.34 1

route partner 193.162.207.0 255.255.255.0 10.1.255.254 1

sysopt connection permit-ipsec

sysopt connection permit-l2tp

no sysopt route dnat

crypto ipsec transform-set strong esp-3des esp-sha-hmac

crypto dynamic-map mobile 5 set transform-set strong

crypto map mobile 20 ipsec-isakmp dynamic mobile

crypto map mobile client authentication RADIUS

crypto map mobile interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp identity address

isakmp policy 5 authentication pre-share

isakmp policy 5 encryption 3des

isakmp policy 5 hash sha

isakmp policy 5 group 2

isakmp policy 5 lifetime 86400

vpngroup mobileipsec address-pool vpn

vpngroup mobileipsec dns-server 172.16.1.1

vpngroup mobileipsec wins-server 172.16.1.1

vpngroup mobileipsec default-domain xxxxxxx

vpngroup mobileipsec split-tunnel ipsec

vpngroup mobileipsec idle-time 3600

vpngroup mobileipsec password ********

Any ideas?

1 REPLY

Re: Remote Access VPN - Access a partner network - how?

Oftentimes complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it’s often difficult to do so for this type of issue.

To utilize the resources at our Technical Assistance Center, please visit http://www.cisco.com/tac and to open a case with one of our TAC engineers, visit http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.
