10-08-2009 09:41 AM - edited 02-21-2020 04:21 PM
Hi folks,
I wish someone would poke a finger at where I made a mistake in configuring a pair of firewalls for a site-to-site VPN.
The tunnel is up and traffic flows freely between the two remote networks. The only thing is that one remote network (Site B) can't access the Internet through the gateway device located at the other site (Site A).
Here's the extract from the PIX at site B, which doesn't have access to the Internet:
interface Ethernet0
nameif outside
security-level 0
ip address 10.10.20.2 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.3.253 255.255.255.0
access-list NONAT extended permit ip any any
access-list VPN extended permit ip any any
nat (inside) 0 access-list NONAT
route outside 0.0.0.0 0.0.0.0 10.10.20.1 1
crypto ipsec transform-set SET1 esp-aes-192 esp-sha-hmac
crypto map MAP1 1 match address VPN
crypto map MAP1 1 set peer 10.10.20.1
crypto map MAP1 1 set transform-set SET1
crypto map MAP1 interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp nat-traversal 30
tunnel-group 10.10.20.1 type ipsec-l2l
tunnel-group 10.10.20.1 ipsec-attributes
pre-shared-key *
And this is the portion of the PIX config from site A, which is connected to the Internet:
interface Ethernet0
nameif outside
security-level 0
ip address 10.10.20.1 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.243 255.255.255.0
access-list NONAT extended permit ip any any
access-list VPN extended permit ip any any
route outside 192.168.3.0 255.255.255.0 10.10.20.2 1
route inside 0.0.0.0 0.0.0.0 192.168.1.251 1
nat (inside) 0 access-list NONAT
crypto ipsec transform-set SET1 esp-aes-192 esp-sha-hmac
crypto map MAP1 1 match address VPN
crypto map MAP1 1 set peer 10.10.20.2
crypto map MAP1 1 set transform-set SET1
crypto map MAP1 interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
tunnel-group 10.10.20.2 type ipsec-l2l
tunnel-group 10.10.20.2 ipsec-attributes
pre-shared-key *
As far as I understand, the traffic destined to the Internet enters the tunnel at site B via the PIX and gets lost.
I.e. I can reach the Internet from the PIX at site A but can't reach the Internet from the PIX at site B while sourcing my pings from the inside interface.
192.168.1.251 is the device connected to Internet at site A.
Help please!!!
10-08-2009 10:18 AM
If you're using 6.x code on the PIX, this won't work, as you can't come in the same interface and leave out the same interface. With 7.x or higher, you have the option of using same-security-traffic permit intra-interface with a "nat (outside) / global (outside)" pair.
10-08-2009 10:36 AM
You've defined your tunnel traffic as any any, which means all traffic from B will go over the tunnel to A, but also means all traffic from A will go over the tunnel to B. It would work better like this...
Site B
access-list NONAT extended permit ip 192.168.3.0 255.255.255.0 any
access-list VPN extended permit ip 192.168.3.0 255.255.255.0 any
Site A
access-list NONAT extended permit ip any 192.168.3.0 255.255.255.0
access-list VPN extended permit ip any 192.168.3.0 255.255.255.0
same-security-traffic permit intra-interface
no route outside 192.168.3.0 255.255.255.0 10.10.20.2 1 (you don't need that; it knows how to route to it from the VPN config)
global (outside) 1 interface
nat (outside) 1 192.168.3.0 255.255.255.0
Edit: Just noticed that your Internet gateway is on the inside of Site A at 192.168.1.251? If so, you can scratch the global/nat/same-security commands above.
Make sure that 192.168.1.251 has a route to 192.168.3.0 via 192.168.1.243.
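The reply above hinges on two things a practitioner normally verifies by hand: the crypto ACLs on the two peers must be exact mirror images of each other (otherwise phase 2 fails on proxy-identity mismatch), and the nat 0 exemption must cover everything the crypto ACL selects (otherwise the traffic is translated before it is matched against the tunnel). The following script is an added example, not code from the thread or from Cisco: it parses PIX-style "access-list ... extended permit ip" lines (PIX/ASA use real subnet masks, not IOS wildcards), checks the mirror and NAT-exemption properties, and reports which constructed flows each side's crypto ACL would classify as interesting traffic. The "before" and "after" ACLs are the ones from the thread; the host addresses 192.168.1.10, 192.168.3.10 and the 198.51.100.10 Internet destination are constructed for illustration. Whether a flow actually reaches the crypto map still depends on routing it out the interface the map is bound to, which this script does not model.

```python
"""Crypto-ACL sanity checks for a PIX/ASA site-to-site tunnel (added example)."""
import ipaddress
import re

# Matches 'access-list NAME extended permit ip <src> <dst>'; other ACE types are ignored.
_ACE_RE = re.compile(r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")

# ACLs copied from the thread. "VPN" is the crypto ACL, "NONAT" the nat 0 exemption.
SITE_B_BEFORE = """
access-list NONAT extended permit ip any any
access-list VPN extended permit ip any any
"""
SITE_A_BEFORE = SITE_B_BEFORE
SITE_B_AFTER = """
access-list NONAT extended permit ip 192.168.3.0 255.255.255.0 any
access-list VPN extended permit ip 192.168.3.0 255.255.255.0 any
"""
SITE_A_AFTER = """
access-list NONAT extended permit ip any 192.168.3.0 255.255.255.0
access-list VPN extended permit ip any 192.168.3.0 255.255.255.0
"""

# Constructed flows (hosts and Internet address are assumptions, not from the thread).
FLOWS = {
    "B host to Internet": ("192.168.3.10", "198.51.100.10"),
    "A host to Internet": ("192.168.1.10", "198.51.100.10"),
    "A host to B host":   ("192.168.1.10", "192.168.3.10"),
}


def _parse_endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host X', or 'addr mask'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX/ASA syntax: real subnet mask, e.g. 192.168.3.0 255.255.255.0
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(config_text, name):
    """Return [(src_net, dst_net), ...] for every 'permit ip' ACE in ACL `name`."""
    entries = []
    for line in config_text.splitlines():
        m = _ACE_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        src, rest = _parse_endpoint(m.group(2).split())
        dst, _ = _parse_endpoint(rest)
        entries.append((src, dst))
    return entries


def matches(acl, src_ip, dst_ip):
    """True if src->dst is 'interesting traffic' under this crypto ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in acl)


def mirror_ok(acl_local, acl_remote):
    """Every (src,dst) on one peer must appear as (dst,src) on the other peer."""
    local = {(s, d) for s, d in acl_local}
    remote_mirrored = {(d, s) for s, d in acl_remote}
    return local == remote_mirrored


def nat_exempt_covers(nonat_acl, vpn_acl):
    """Every crypto-ACL entry must sit inside some nat 0 entry, or it gets translated first."""
    return all(
        any(vs.subnet_of(ns) and vd.subnet_of(nd) for ns, nd in nonat_acl)
        for vs, vd in vpn_acl
    )


def tunneled_flows(acl, flows=FLOWS):
    """Names of the constructed flows this crypto ACL would select for encryption."""
    return sorted(name for name, (s, d) in flows.items() if matches(acl, s, d))


def report(label, site_a, site_b):
    """Print the checks for one configuration pair."""
    vpn_a, vpn_b = parse_acl(site_a, "VPN"), parse_acl(site_b, "VPN")
    print(f"== {label} ==")
    print("mirrored crypto ACLs:", mirror_ok(vpn_a, vpn_b))
    print("nat 0 covers VPN at A:", nat_exempt_covers(parse_acl(site_a, "NONAT"), vpn_a))
    print("site A would tunnel:", tunneled_flows(vpn_a))
    print("site B would tunnel:", tunneled_flows(vpn_b))


if __name__ == "__main__":
    report("before (any any)", SITE_A_BEFORE, SITE_B_BEFORE)
    report("after (scoped to 192.168.3.0/24)", SITE_A_AFTER, SITE_B_AFTER)
```

With the any/any ACLs, site A's crypto ACL selects every constructed flow, including A's own host-to-Internet traffic; after scoping, A only tunnels flows toward 192.168.3.0/24, B only tunnels flows from it, and the two ACLs still mirror each other. Mixing the scoped ACL on one side with any/any on the other fails the mirror check, which is the proxy-ID mismatch you would otherwise only discover in "debug crypto ipsec" output.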
10-08-2009 12:38 PM
Hey, man!
It was a good sanity check. I figured out the problem: the Internet gateway device didn't have the route to send the return traffic to site B.
I really appreciate your look at it.
Thanks, Eugene