Cisco Support Community
VPN client access to system over a VPN tunnel

We have a remote location with a PIX 506 that has a VPN tunnel back to an ASA5520 at headquarters. That remote PIX 506 also has a very basic VPN client setup enabled on it that I didn't implement.

Remote subnet: 172.16.50.0/24

Remote VPN client subnet: 172.16.253.0/24

Local (HQ) subnet: 192.168.1.0/24

So someone from the remote location will use the VPN client and connect to the PIX 506 and get an IP on 172.16.253.0/24. It can ping anything on 172.16.50.0/24 just fine but cannot hit anything on 192.168.1.0/24. Specifically, 192.168.1.13 is the host I need to give it access to.

Same from the other side. From 192.168.1.0/24 I cannot see anything on 172.16.253.0/24. I assume I don't have the routing totally complete from what I can tell. I tried adding the following to our ASA5520:

route inside 172.16.253.0 255.255.255.0 172.16.50.3 1

172.16.50.3 is the PIX 506's inside IP, and I can ping that fine from my workstation IP of 192.168.1.240. However, if I try to ping it from the ASA's IP of 192.168.1.23 it doesn't work.

I've attached some pared down configs of both devices. MTY506E.txt is the remote PIX 506 of course and the central HQ ASA is Hilliard_ASA_5520.txt

9 REPLIES

Re: VPN client access to system over a VPN tunnel

Hi Jim,

Apply the following changes on the devices mentioned.

---506---

same-security-traffic permit intra-interface

access-list outside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.0

nat (outside) 0 access-list outside_nat0_outbound

no route inside 172.16.253.0 255.255.255.0 172.16.50.3 1

access-list vpn permit ip 172.16.253.0 255.255.255.0 192.168.1.0 255.255.255.0

---5520---

access-list inside_acl permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.0

access-list MTY permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.0

no route inside 172.16.253.0 255.255.255.0 172.16.50.3

In 506, you may have to issue "clear xlate" which will temporarily disconnect all sessions.

Regards


Re: VPN client access to system over a VPN tunnel

Had the ip pool configured wrong on the 506, here is the newer config.

Re: VPN client access to system over a VPN tunnel

Ahhhhhh, let me re-check....

Re: VPN client access to system over a VPN tunnel

It's not a big deal, still 172.16.253. Anyway, if you want to have 30 hosts as you mentioned in your pool command, you should change the netmask to 255.255.255.224.

If you make that change, also make it in the commands I wrote above, next to 172.16.253.0.

Re: VPN client access to system over a VPN tunnel

Here is the updated version

---506---

same-security-traffic permit intra-interface

ip local pool ippool 172.16.253.1-172.16.253.30 mask 255.255.255.224

access-list outside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.224

nat (outside) 0 access-list outside_nat0_outbound

no route inside 172.16.253.0 255.255.255.0 172.16.50.3 1

access-list vpn permit ip 172.16.253.0 255.255.255.224 192.168.1.0 255.255.255.0

no access-list nonat permit ip 172.16.50.0 255.255.255.0 172.16.253.0 255.255.255.0

no access-list nonat permit ip 172.16.51.0 255.255.255.0 172.16.253.0 255.255.255.0

no access-list nonat permit ip 172.16.52.0 255.255.255.0 172.16.253.0 255.255.255.0

access-list nonat permit ip 172.16.50.0 255.255.255.0 172.16.253.0 255.255.255.224

access-list nonat permit ip 172.16.51.0 255.255.255.0 172.16.253.0 255.255.255.224

access-list nonat permit ip 172.16.52.0 255.255.255.0 172.16.253.0 255.255.255.224

---5520---

access-list inside_acl permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.224

access-list MTY permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.224

no route inside 172.16.253.0 255.255.255.0 172.16.50.3

Edited...
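The mirrored crypto-map entries in the replies above and the "/27 for 30 hosts" advice both come down to keeping three things consistent across the two boxes: each crypto ACE must have its src/dst twin on the peer, the pool netmask must match the pool range, and every ACE that names the pool must use that same network/mask. The Python below is an added example (not from this thread or from Cisco) that parses the plain "access-list NAME permit ip SRC MASK DST MASK" form used on PIX 6.x and ASA, applies "no access-list" lines as removals in order, and reports what is out of step. The config text inside it is constructed from the thread's addresses and ACL names (vpn, MTY, nonat); the ASA's pool entry is deliberately left at /24 so the checks have something to flag.

```python
"""Config-audit helpers for the PIX 506 <-> ASA 5520 hairpin scenario.

Added example, not code from the thread or from Cisco. Sample configs
below are constructed from the addresses quoted in the thread.
"""
import ipaddress
import re

# Matches the plain IP permit ACE form: access-list NAME permit ip S SM D DM
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_acls(config_text):
    """Return {acl_name: [(src_net, dst_net), ...]}.

    'no access-list ...' lines remove a matching ACE, in order, the way the
    box applies them. Anything that is not an IP permit ACE is ignored.
    """
    acls = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        negate = line.startswith("no ")
        if negate:
            line = line[3:]
        m = ACE_RE.match(line)
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        # ipaddress accepts dotted netmasks, so "172.16.253.0/255.255.255.224" -> /27
        entry = (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}"))
        entries = acls.setdefault(name, [])
        if negate:
            if entry in entries:
                entries.remove(entry)
        else:
            entries.append(entry)
    return acls


def unmirrored(local_entries, remote_entries):
    """Crypto-map ACEs must appear with src/dst swapped on the other peer.
    Return the local ACEs that have no such twin (phase 2 will fail for them)."""
    remote_reversed = {(d, s) for s, d in remote_entries}
    return [e for e in local_entries if e not in remote_reversed]


def minimal_pool_network(first_ip, last_ip):
    """Smallest network containing an 'ip local pool FIRST-LAST' range.
    Its netmask is what belongs on the pool command and on every ACE naming
    the pool (172.16.253.1-30 -> 172.16.253.0/27, mask 255.255.255.224)."""
    first = ipaddress.ip_address(first_ip)
    last = ipaddress.ip_address(last_ip)
    for prefix in range(32, -1, -1):       # /0 always matches, so this returns
        net = ipaddress.ip_network(f"{first}/{prefix}", strict=False)
        if last in net:
            return net


def inconsistent_pool_refs(acls, pool_net):
    """ACEs that touch the pool but with a different network/mask than the
    pool itself, e.g. a /24 left behind after the pool became a /27."""
    bad = []
    for name, entries in acls.items():
        for src, dst in entries:
            if any(side.overlaps(pool_net) and side != pool_net for side in (src, dst)):
                bad.append((name, src, dst))
    return bad


# Constructed sample: the PIX 506 side after the "updated version" reply,
# including the no/re-add sequence for the nonat ACL.
PIX_CONFIG = """
access-list vpn permit ip 172.16.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn permit ip 172.16.253.0 255.255.255.224 192.168.1.0 255.255.255.0
access-list nonat permit ip 172.16.50.0 255.255.255.0 172.16.253.0 255.255.255.0
no access-list nonat permit ip 172.16.50.0 255.255.255.0 172.16.253.0 255.255.255.0
access-list nonat permit ip 172.16.50.0 255.255.255.0 172.16.253.0 255.255.255.224
"""

# Constructed sample: the ASA 5520 side with the pool ACE still at /24,
# so the mirror and pool-reference checks have something to report.
ASA_CONFIG = """
access-list MTY permit ip 192.168.1.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list MTY permit ip 192.168.1.0 255.255.255.0 172.16.253.0 255.255.255.0
"""


def audit():
    """Run the three checks over the constructed configs and return findings."""
    pix, asa = parse_acls(PIX_CONFIG), parse_acls(ASA_CONFIG)
    pool = minimal_pool_network("172.16.253.1", "172.16.253.30")
    return {
        "pool": str(pool),
        "pool_mask": str(pool.netmask),
        "unmirrored_on_pix": [(str(s), str(d)) for s, d in unmirrored(pix["vpn"], asa["MTY"])],
        "bad_pool_refs_on_asa": [(n, str(s), str(d)) for n, s, d in inconsistent_pool_refs(asa, pool)],
        "bad_pool_refs_on_pix": [(n, str(s), str(d)) for n, s, d in inconsistent_pool_refs(pix, pool)],
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Run it as-is and the /24 pool ACE on the ASA shows up twice: once as a crypto ACE with no mirror on the PIX (the PIX side is /27), and once as a pool reference with the wrong mask. Fixing that one line on the 5520 clears both findings, which is exactly the "make the change also in the commands I wrote above" step from the reply. Note that this only audits ACL consistency; it says nothing about whether the platform can hairpin at all, which is the separate question the rest of the thread settles.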


Re: VPN client access to system over a VPN tunnel

Wow, lightning fast responses. I appreciate it.

Here is what happened when I entered the new nat statement:

MONTERREY-MX-506(config)# nat (outside) 0 access-list outside_nat0_outbound

WARNING: Specified interface is lowest security interface. This statement
WARNING: is not applicable to any traffic.

Also, the same-security-traffic permit intra-interface doesn't seem to work on the PIX 506. It's running 6.3(5).

Re: VPN client access to system over a VPN tunnel

Hmm.. try this

nat (outside) 0 access-list outside_nat0_outbound outside

"Also, the same-security-traffic permit intra-interface doesn't seem to work on the PIX 506. It's running 6.3(5)."

Ah... You have to upgrade the IOS, or you cannot achieve what you want. Upgrade the IOS on the 506 to 7.2.


Re: VPN client access to system over a VPN tunnel

Darn, I thought that might be the case. Just looked at the PIX 7.0 release notes and it doesn't look like the 506 is supported for anything beyond 6.3:

http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html#wp1752751

Re: VPN client access to system over a VPN tunnel

=( Correct. You can't achieve what you want with that equipment. I was going to suggest sub-interfacing, but again, it is not supported in 6.3.
