Cisco Support Community

Try to connect PC to PC through VPN

Hello,

I have this PIX:

PIX-506E

Cisco PIX Firewall Version 6.3(5)

Cisco PIX Device Manager Version 3.0(4)

I would like to connect a PC connected through VPN to another PC connected through VPN.

My VPN works perfectly if I connect a PC and try to ping a PC on the LAN side, but if I try to ping another PC connected through VPN it fails.

My VPN IP class is 10.10.15.xxx and I have a lot of other classes on the LAN side (different offices).

Sorry for my bad English.

This is my startup configuration (I have cut some parts I think are not important, for privacy purposes):

******************************************************************************************

: Saved

: Written by alex at 17:15:11.498 CEST Tue Nov 2 2010

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password TylcKmYmkSl6P11l encrypted

passwd 2KNDnbNIdI.2KYOU encrypted

hostname pix.internet

domain-name abcdefg.it

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 10.10.15.0 vpn

name 10.50.196.0 wan_ABCD

name 10.10.15.128 vpn_int

object-group network Internet

  network-object Server-ABCDone 255.255.255.255

object-group network Lan

  network-object Lan-citta1 255.255.255.0

  network-object Lan-ABCDEX-Como 255.255.255.0

  network-object Lan-citta2 255.255.255.0

  network-object 10.10.50.0 255.255.255.0

  network-object 10.10.60.0 255.255.255.0

  network-object 10.10.70.0 255.255.255.0

  network-object Lan-citta3 255.255.255.0

  network-object Lan-citta4 255.255.255.0

  network-object Lan-ABCDEX 255.255.255.0

  network-object Lan-ABCD-New 255.255.255.0

  network-object wan_ABCD 255.255.255.0

  network-object vpn 255.255.255.0

access-list compiled

access-list outside_access_in permit ip 10.10.15.192 255.255.255.224 object-group Lan

access-list outside_access_in permit tcp any host 80.22.XX.XXX

access-list outside_access_in remark To allow all PCs to make PPTP VPN connections

access-list outside_access_in permit gre any any

access-list outside_access_in permit ip 10.10.10.96 255.255.255.240 any

access-list outside_access_in remark To allow ping replies to return

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any

access-list outside_access_in permit tcp any host 80.22.XX.XXY object-group ServerABCD

access-list outside_access_in permit tcp any host 80.22.XX.XYY eq 4081

access-list outside_access_in permit tcp any host 80.22.XX.XYY eq 6080

access-list outside_access_in permit tcp any host 80.22.XX.XYY eq pptp

access-list outside_access_in permit tcp any host 80.22.XX.YYY

access-list inside_access_in remark FB browsing on 10.10.30.0

access-list inside_access_in permit ip Lan-ABCDEX-Como 255.255.255.0 FB3 255.255.0.0

access-list inside_access_in permit ip Lan-citta4 255.255.255.0 FB3 255.255.0.0

access-list inside_access_in permit ip Lan-ABCDEX 255.255.255.0 FB3 255.255.0.0

access-list inside_access_in remark Unblock FB on 10.10.12

access-list inside_access_in permit ip rete-temporanea 255.255.255.0 FB3 255.255.0.0

access-list inside_access_in deny ip any FB3 255.255.0.0

access-list inside_access_in remark To allow the designated PCs to browse the Internet

access-list inside_access_in permit ip object-group Internet any

access-list inside_access_in remark To allow all PCs to get updates from Symantec

access-list inside_access_in permit tcp any object-group Symantec

access-list inside_access_in remark To allow all PCs to get updates from Microsoft

access-list inside_access_in permit tcp any object-group Microsoft

access-list inside_access_in remark Access from the administrator's network

access-list inside_access_in permit tcp any Roby 255.255.255.248 eq 3389

access-list inside_access_in remark Allows updates from the NTP servers

access-list inside_access_in permit udp any any eq ntp

access-list inside_access_in remark To allow all PCs to connect to ASDO

access-list inside_access_in permit ip any object-group Siti-Roby

access-list inside_access_in remark To allow all PCs to connect to ASDO

access-list inside_access_in permit tcp any object-group ASDO

access-list inside_access_in permit tcp any object-group Renault

access-list inside_access_in remark To allow all PCs to connect to ASDO

access-list inside_access_in permit tcp any object-group STERD

access-list inside_access_in remark To allow all PCs to connect to services of various kinds

access-list inside_access_in permit ip any object-group Vari

access-list inside_access_in remark Allows VPN access to the web server network

access-list inside_access_in permit ip any Rete-WebServer 255.255.255.0

access-list inside_access_in remark To allow all PCs to ping even if they do not browse the Internet

access-list inside_access_in permit icmp any any

access-list inside_access_in permit tcp any host Sito-usato

access-list inside_access_in permit icmp Telefonia 255.255.0.0 any

access-list inside_access_in permit ip Telefonia 255.255.0.0 any

access-list inside_access_in permit ip Lan-citta2 255.255.255.0 any

access-list inside_access_in permit tcp any any eq 7080

access-list inside_access_in remark To allow all PCs to get updates from Symantec

access-list inside_access_in permit tcp any object-group Macromedia

access-list inside_access_in permit ip any Roby 255.255.255.248

access-list inside_access_in permit ip host Server_BESRT any

access-list inside_outbound_nat0_acl remark Test

access-list inside_outbound_nat0_acl permit ip object-group Lan Rete-WebServer 255.255.255.0

access-list inside_outbound_nat0_acl permit ip object-group Lan vpn_int 255.255.255.192

access-list inside_outbound_nat0_acl permit ip object-group Lan 10.10.15.96 255.255.255.240

access-list inside_outbound_nat0_acl permit ip 10.10.0.0 255.255.0.0 Lan_Roberto 255.255.255.0

access-list inside_outbound_nat0_acl permit ip wan_ABCD 255.255.255.0 Lan_Roberto 255.255.255.0

access-list inside_outbound_nat0_acl permit ip Lan-ABCDEX 255.255.255.0 Lan_Roberto 255.255.255.0

access-list inside_outbound_nat0_acl permit ip wan_ABCD 255.255.255.0 host ADP-Assistenza

access-list inside_outbound_nat0_acl permit ip object-group Lan vpn_int 255.255.255.240

access-list inside_outbound_nat0_acl permit ip rete-temporanea 255.255.255.0 host ADP-Assistenza

access-list inside_outbound_nat0_acl permit ip object-group Lan 10.10.15.192 255.255.255.192

access-list ABCD_splitTunnelAcl permit ip 10.10.0.0 255.255.0.0 any

access-list ABCD_splitTunnelAcl permit ip wan_ABCD 255.255.255.0 any

access-list outside_cryptomap_20 permit ip object-group Lan Rete-WebServer 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip any vpn_int 255.255.255.192

access-list outside_cryptomap_40 permit ip 10.10.0.0 255.255.0.0 Lan_Roberto 255.255.255.0

access-list outside_cryptomap_40 permit ip wan_ABCD 255.255.255.0 Lan_Roberto 255.255.255.0

access-list outside_cryptomap_40 permit ip Lan-ABCDEX 255.255.255.0 Lan_Roberto 255.255.255.0

access-list outside_cryptomap_60 permit ip wan_ABCD 255.255.255.0 host ADP-Assistenza

access-list outside_cryptomap_60 permit ip rete-temporanea 255.255.255.0 host ADP-Assistenza

access-list ala-ABCD_splitTunnelAcl permit ip 10.10.0.0 255.255.0.0 any

access-list ala-ABCD_splitTunnelAcl permit ip wan_ABCD 255.255.255.0 any

access-list outside_cryptomap_dyn_40 permit ip any vpn_int 255.255.255.240

access-list serverpad_splitTunnelAcl permit ip wan_ABCD 255.255.255.0 any

access-list serverpad_splitTunnelAcl permit ip 10.10.0.0 255.255.0.0 any

access-list serverpad2_splitTunnelAcl permit ip wan_ABCD 255.255.255.0 any

access-list serverpad2_splitTunnelAcl permit ip 10.10.0.0 255.255.0.0 any

access-list outside_cryptomap_dyn_60 permit ip any 10.10.15.192 255.255.255.192

access-list serverpad3_splitTunnelAcl permit ip 10.10.0.0 255.255.0.0 any

access-list serverpad3_splitTunnelAcl permit ip wan_ABCD 255.255.255.0 any

access-list asefggg_splitTunnelAcl permit ip rete-temporanea 255.255.255.0 any

access-list asefggg_splitTunnelAcl permit ip Lan-ABCD-New 255.255.255.0 any

access-list asefggg_splitTunnelAcl permit ip Rete-WebServer 255.255.255.0 any

access-list prova_splitTunnelAcl_1 permit ip Lan-ABCD-New 255.255.255.0 any

access-list prova_splitTunnelAcl_1 permit ip rete-temporanea 255.255.255.0 any

access-list prova_splitTunnelAcl_1 permit ip Rete-WebServer 255.255.255.0 any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 80.22.XX.XYZ 255.255.255.240

ip address inside 10.10.20.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool PPTP-15 10.10.15.101-10.10.15.110 mask 255.255.255.0

ip local pool IPSEC-15 10.10.15.151-10.10.15.160 mask 255.255.255.0

ip local pool IPSEC-ABCD 10.10.15.129-10.10.15.137

ip local pool ipepc 10.10.15.161-10.10.15.162 mask 255.255.255.0

ip local pool exadertocitta1 10.10.15.211-10.10.15.231 mask 255.255.255.0

ip local pool ipepc3 10.10.15.232-10.10.15.233 mask 255.255.255.0

ip local pool ipepc2 10.10.15.164-10.10.15.165 mask 255.255.255.0

ip local pool provab 10.10.15.138-10.10.15.145 mask 255.255.255.0

ip local pool prova 10.10.15.201-10.10.15.210 mask 255.255.255.0

ip local pool servertcomo 10.10.15.111-10.10.15.112 mask 255.255.255.0

pdm group Internet inside

pdm group Lan inside

pdm group Symantec outside

pdm group Microsoft outside

pdm group ASDO outside

pdm group Vari outside

pdm group STERD outside

pdm group Renault outside

pdm group Macromedia outside

pdm group Siti-Roby outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0

static (inside,outside) tcp 80.22.XX.XYX pptp server_epc pptp netmask 255.255.255.255 0 0

static (inside,outside) tcp 80.22.XX.XYX 4081 server_epc 4081 netmask 255.255.255.255 0 0

static (inside,outside) tcp 80.22.XX.XYX 6080 server_epc 6080 netmask 255.255.255.255 0 0

static (inside,outside) 80.22.XX.XAS PC-Cam-ABCD dns netmask 255.255.255.255 0 0

static (inside,outside) 80.22.XX.XCX Server-ABCDone dns netmask 255.255.255.255 0 0

static (inside,outside) 80.22.XX.XSX apo3 dns netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

routing interface outside

routing interface inside

  ospf authentication null

router ospf 110

  network Lan-ABCD-New 255.255.255.0 area 0

  area 0

  router-id 10.10.20.1

  log-adj-changes

route outside 0.0.0.0 0.0.0.0 80.22.36.241 1

route outside Rete-WebServer 255.255.255.0 80.22.36.253 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

ntp server NTP-Server source outside prefer

http server enable

http Roby 255.255.255.248 outside

http Wan-AlaBis 255.255.255.248 outside

http 0.0.0.0 0.0.0.0 outside

http 213.XSX.XSX.107 255.255.255.255 outside

http 10.10.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

sysopt connection permit-l2tp

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60

crypto dynamic-map outside_dyn_map 60 set transform-set TRANS_ESP_3DES_MD5

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 80.22.XX.XYY

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 40 ipsec-isakmp

crypto map outside_map 40 match address outside_cryptomap_40

crypto map outside_map 40 set peer 62.94.XXX.YXY

crypto map outside_map 40 set transform-set ESP-3DES-SHA

crypto map outside_map 60 ipsec-isakmp

crypto map outside_map 60 match address outside_cryptomap_60

crypto map outside_map 60 set peer 80.204.XSX.XSX

crypto map outside_map 60 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication LOCAL

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 80.22.XX.XXX netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address 88.50.XXX.XX netmask 255.255.255.255

isakmp key ******** address 62.94.XXX.XXX netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address 80.204.XXX.XXX netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp key ******** address 78.152.XXX.XXX netmask 255.255.255.255 no-xauth no-config-mode

isakmp nat-traversal 30

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup ABCD address-pool IPSEC-15

vpngroup ABCD dns-server Server-ABCDone PC-Firewall-ABCD

vpngroup ABCD wins-server Server-ABCDone

vpngroup ABCD default-domain ABCD

vpngroup ABCD split-tunnel ABCD_splitTunnelAcl

vpngroup ABCD idle-time 1800

vpngroup ABCD password ********

vpngroup prova address-pool prova

vpngroup prova dns-server Server-ABCDone PC-Firewall-ABCD

vpngroup prova wins-server Server-ABCDone

vpngroup prova split-tunnel prova_splitTunnelAcl_1

vpngroup prova idle-time 1800

vpngroup prova password ********

vpngroup serverpad address-pool ipepc

vpngroup serverpad dns-server Server-ABCDone PC-Firewall-ABCD

vpngroup serverpad wins-server Server-ABCDone

vpngroup serverpad default-domain ABCD

vpngroup serverpad split-tunnel serverpad_splitTunnelAcl

vpngroup serverpad idle-time 1800

vpngroup serverpad password ********

vpngroup serverpad2 address-pool ipepc2

vpngroup serverpad2 dns-server Server-ABCDone PC-Firewall-ABCD

vpngroup serverpad2 wins-server Server-ABCDone

vpngroup serverpad2 default-domain ABCD

vpngroup serverpad2 split-tunnel serverpad2_splitTunnelAcl

vpngroup serverpad2 idle-time 1800

vpngroup serverpad2 password ********

vpngroup ala-ABCD address-pool exadertocitta1

vpngroup ala-ABCD dns-server Server-ABCDone 8.8.8.8

vpngroup ala-ABCD wins-server Server-ABCDone

vpngroup ala-ABCD default-domain ABCD

vpngroup ala-ABCD split-tunnel ala-ABCD_splitTunnelAcl

vpngroup ala-ABCD idle-time 1800

vpngroup ala-ABCD password ********

vpngroup serverpad3 address-pool ipepc3

vpngroup serverpad3 dns-server Server-ABCDone 8.8.8.8

vpngroup serverpad3 wins-server Server-ABCDone

vpngroup serverpad3 default-domain ABCD

vpngroup serverpad3 split-tunnel serverpad3_splitTunnelAcl

vpngroup serverpad3 idle-time 1800

vpngroup serverpad3 password ********

vpngroup asefggg address-pool provab

vpngroup asefggg dns-server Server-ABCDone 8.8.8.8

vpngroup asefggg wins-server Server-ABCDone

vpngroup asefggg default-domain ABCD

vpngroup asefggg split-tunnel asefggg_splitTunnelAcl

vpngroup asefggg idle-time 1800

vpngroup asefggg password ********

telnet Roby 255.255.255.248 outside

telnet 10.10.0.0 255.255.0.0 inside

telnet timeout 5

ssh Roby 255.255.255.248 outside

ssh Wan-AlaBis 255.255.255.248 outside

ssh 10.10.0.0 255.255.0.0 inside

ssh timeout 5

management-access inside

console timeout 0

vpdn group PPTP-VPDN-GROUP accept dialin pptp

vpdn group PPTP-VPDN-GROUP ppp authentication pap

vpdn group PPTP-VPDN-GROUP ppp authentication chap

vpdn group PPTP-VPDN-GROUP ppp authentication mschap

vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required

vpdn group PPTP-VPDN-GROUP client configuration address local PPTP-15

vpdn group PPTP-VPDN-GROUP pptp echo 60

vpdn group PPTP-VPDN-GROUP client authentication local

vpdn group servert accept dialin pptp

vpdn group servert ppp authentication pap

vpdn group servert ppp authentication chap

vpdn group servert ppp authentication mschap

vpdn group servert ppp encryption mppe auto required

vpdn group servert client configuration address local servertcomo

vpdn group servert pptp echo 60

vpdn group servert client authentication local

vpdn username cavcitta1 password ********

vpdn username servert password ********

vpdn enable outside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

username XYXSES password musU6y7Cp7LtTBzX encrypted privilege 3

username XXXYYY password WbLZYkoxlcl8Y6T3 encrypted privilege 15

username vpn-XYX password rWIEZ89MYhE7huNa encrypted privilege 3

privilege show level 0 command version

privilege show level 0 command curpriv

privilege show level 3 command pdm

privilege show level 3 command blocks

privilege show level 3 command ssh

privilege configure level 3 command who

privilege show level 3 command isakmp

privilege show level 3 command ipsec

privilege show level 3 command vpdn

privilege show level 3 command local-host

privilege show level 3 command interface

privilege show level 3 command ip

privilege configure level 3 command ping

privilege show level 3 command uauth

privilege configure level 5 mode enable command configure

privilege show level 5 command running-config

privilege show level 5 command privilege

privilege show level 5 command clock

privilege show level 5 command ntp

privilege show level 5 mode configure command logging

privilege show level 5 command fragment

terminal width 80

Cryptochecksum:9908e256febc4d504bb29ece094f278c

******************************************************************************************

Thank you.

Alex

2 REPLIES

Re: Try to connect PC to PC through VPN

Hi Alex,

Unfortunately PIX 6.x does not support U-turning on an interface, i.e. traffic from one VPN client will not get U-turned on the outside interface to another client.

If you have sufficient RAM and the PIX supports the 7.x upgrade:

http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix_70rn.html#wp31990

In 7.x, you can use the following to achieve the same:

same-security-traffic permit intra-interface

Hope this helps.

Regards,

Praveen
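The 7.x configuration the reply points at, written out as an added example (it is not part of the thread and not Praveen's or Alex's configuration). It assumes the firewall has been upgraded to PIX/ASA 7.x on a platform that supports it: per the 7.0 release notes linked above, 7.x runs on the PIX 515/515E, 525 and 535, so the 506E in the post would have to be replaced. It reuses the thread's VPN pool 10.10.15.0/24 and interface names; the ACL name `outside_nat0_acl` is assumed.

```cisco
! Added example, not from the original thread. Assumes PIX/ASA 7.x on a
! supported platform, and the thread's VPN pool 10.10.15.0/24 on "outside".
!
! 1. Let a packet that arrives on "outside" leave through "outside" again.
!    This is the U-turn (hairpin) that 6.3 cannot do; without it the second
!    client's traffic is dropped even though the tunnels and ACLs are fine.
same-security-traffic permit intra-interface
!
! 2. Exempt client-to-client traffic from NAT on the outside interface.
!    The post's "nat (inside) 0" exemption is bound to inside only; a
!    hairpinned packet never touches inside, so with nat-control enabled
!    (the default after a 6.3 upgrade) it needs its own exemption here.
!    The ACL name is assumed.
access-list outside_nat0_acl extended permit ip 10.10.15.0 255.255.255.0 10.10.15.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_acl
!
! 3. The client must send packets for the other client into the tunnel, so
!    the split-tunnel list has to cover the pool. The thread's lists already
!    do (10.10.0.0/16 contains 10.10.15.0/24); a narrower list would need
!    the pool added explicitly, e.g. for the ABCD group:
access-list ABCD_splitTunnelAcl standard permit 10.10.15.0 255.255.255.0
```

To check the result, have one client ping the other and watch `show crypto ipsec sa`: the `#pkts decaps` counter on the sender's SA and the `#pkts encaps` counter on the receiver's SA should both advance. If decaps advances but encaps does not, the packet was dropped inside the firewall, which points at step 1 or 2 rather than at the clients.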


Re: Try to connect PC to PC through VPN

Thanks a lot Praveen for your prompt response.

Alex
