Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
346
Views
0
Helpful
3
Replies

VPN connection on internal LAN

ddicky
Level 1
Level 1

‎05-13-2003 10:28 PM - edited ‎02-21-2020 12:32 PM

I'm connectig using a vpn connection and succesfully ,check out the sample config below.

For example my VPN client would like to access to the LAN internal server 10.1.1.156

What setting shuld be done as the local IP pool addresses are different subnet and do i need

to do additional routing?Any advise

:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname ciscopix

domain-name cisco.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list inside_outbound_nat0_acl permit ip any 10.1.2.0 255.255.255.224

access-list outside_cryptomap_dyn_20 permit ip any 10.1.2.0 255.255.255.224

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 172.18.124.216 255.255.255.0

ip address inside 10.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool 10.1.2.1-10.1.2.30

pdm location 10.1.1.156 255.255.255.255 inside

pdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 0 0.0.0.0 0.0.0.0 0 0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 10.1.1.156 255.255.255.255 inside

no snmp-server location

no snmp-server contact

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

no sysopt route dnat

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup abc address-pool ippool

vpngroup abc idle-time 1800

vpngroup abc password ********

telnet timeout 5

ssh timeout 5

vpdn group PPTP-VPDN-GROUP accept dialin pptp

vpdn group PPTP-VPDN-GROUP ppp authentication pap

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup abc address-pool ippool

vpngroup abc idle-time 1800

vpngroup abc password ********

telnet timeout 5

ssh timeout 5

vpdn group PPTP-VPDN-GROUP accept dialin pptp

vpdn group PPTP-VPDN-GROUP ppp authentication pap

<--- More --->

vpdn group PPTP-VPDN-GROUP ppp authentication chap

vpdn group PPTP-VPDN-GROUP ppp authentication mschap

vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40

vpdn group PPTP-VPDN-GROUP client configuration address local ippool

vpdn group PPTP-VPDN-GROUP pptp echo 60

vpdn group PPTP-VPDN-GROUP client authentication local

vpdn username cisco password *********

vpdn enable outside

terminal width 80

Cryptochecksum:e89e4bc72e8eaa1bb3c644630bfb5db3

: end

Labels:
0 Helpful
3 Replies 3

ddicky
Level 1
Level 1

‎05-15-2003 08:20 PM

I was wondering how the client is going to communicate with internal server for example which have IP address of 10.1.1.156,since the IP local pool is under 10.1.2.0 segment.Do we need to put in any routing command.

0 Helpful

jason_tsai
Level 1
Level 1
In response to ddicky

‎05-16-2003 02:18 AM

Yes, you have to add a static route on your server.

like

route add 10.1.2.0 mask 255.255.255.0 10.1.1.1

BTW, after the vpn connection established, vpnclient get a IP address(ex:10.1.2.1).

Because the vpn connection was terminated on the outside interface.

PIX treat 10.1.2.1 as a IP address from outside. So you have to permit the traffic from 10.1.2.1 to 10.1.1.156 on the outside interface,

or use "sysopt connection permit-ipsec" command to let all ipsec traffic bypass the security control.

0 Helpful

ddicky
Level 1
Level 1
In response to jason_tsai

‎05-17-2003 12:31 AM

thks for the response.If I chose to put the comand in the router instead of the server will it work?

BTW if I assigned my local IP pool in my PIX to be the same segment with the LAN will it save the routing job.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents