
Accessing site-to-site VPNs from RAS VPN


optize
Jun 9, 2006

I have the following network setup:

Pix 1 ----> Pix 2 <----- Pix 3

Pix 2 handles the site-to-site VPNs, so the people behind Pix 2 can see both networks on Pix 1 and Pix 3. I have two problems.

1) I want Pix 3 and Pix 1 to be able to see each other. It's currently set that way in the "vpn" list, but the PIX won't route it.

2) Pix 2 is also a RAS VPN. I want to be able to log in from home and see Pix 1's network and Pix 3's network. I can see Pix 2's network, but that's it. Perhaps both of these questions are related.

Thanks.
 
Nice, that took care of problem #2. Thanks a lot :)
 
Good to hear. Have you added static routes to your boxes for the far networks? (Pix1 has a route to Pix3 with the next hop as Pix2 - and vice versa) If you can, post a config.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 

It's a bit messy at the moment, I need to clean up old stuff. But this is how it's set up.

Pix 1 is in LA
Pix 2 is in Phoenix
Pix 3 is also in Phoenix

Pix 2 has a site-to-site VPN to Pix 1 and Pix 3. Pix 2 also has the RAS VPN. If you're behind the Pix 2 network, you can see both networks. Pix 1 and Pix 3 can see Pix 2's network but cannot see each other's network.

Hope this isn't too confusing.

Thanks for your help ;-)
 
OK, so you don't have routes to the remote networks.
Pix 2 can see everything because it is directly connected.
So in Pix 1 add:

route outside 192.168.30.1 255.255.255.0 192.168.0.11 1

In Pix 3 add:

route outside 192.168.10.1 255.255.255.0 192.168.0.11 1



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Didn't work.

Shouldn't it be route inside?
 
Tried inside -- still no go. Hmph.
 
BTW, on Pix 1 I couldn't add the following command:

same-security-traffic permit intra-interface

Because it seems that command is only on 7.x. Trying to find a way to do it within 6.x. Perhaps that's the reason?

 
You don't need the intra-interface except for the hub PIX.
OK, forgot to tell Pix 2 to send spoke traffic encrypted.
Make these changes to Pix 2. Make sure this is set first:

sysopt connection permit-ipsec

Now add these permits to your no-nat ACL and to the interesting traffic ACL:

access-list 101 extended permit ip 192.168.0.0 255.255.252.0 192.168.30.0 255.255.255.0
access-list 101 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 101 extended permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0



Kill those extra route statements (it goes out the default anyway).

Give that a try.



Brent
Systems Engineer / Consultant
CCNP, CCSP
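To make the point of this answer concrete: on a hub-and-spoke setup the hub's crypto (interesting-traffic) ACL and its no-nat ACL only match hub<->spoke pairs unless the spoke<->spoke pairs are added explicitly, so spoke-to-spoke packets arriving at the hub never get re-encrypted. The following Python is an added example, not anything from the thread or from Cisco; it parses PIX-style access-list lines with the networks used in this thread, shows a 192.168.10.x -> 192.168.30.x packet missing every entry before the extra lines and matching after, and generalises to reporting every uncovered ordered spoke pair. The "before" ACL is constructed for illustration.

```python
import ipaddress
from itertools import permutations

# Networks as given in the thread: Pix 2 (hub) LAN 192.168.0.0/22,
# Pix 1 LAN 192.168.10.0/24, Pix 3 LAN 192.168.30.0/24.
SPOKE_LANS = [ipaddress.ip_network("192.168.10.0/24"),
              ipaddress.ip_network("192.168.30.0/24")]

# Hub interesting-traffic ACL before the fix (constructed): hub<->spoke only.
BEFORE = [
    "access-list 101 extended permit ip 192.168.0.0 255.255.252.0 192.168.10.0 255.255.255.0",
    "access-list 102 extended permit ip 192.168.0.0 255.255.252.0 192.168.30.0 255.255.255.0",
]
# The same ACL with the spoke-to-spoke lines from the answer added.
AFTER = BEFORE + [
    "access-list 101 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0",
    "access-list 101 extended permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0",
]

def parse_acl(lines):
    """Parse PIX 'access-list NAME extended permit ip SRC SMASK DST DMASK' lines
    into (src_network, dst_network) pairs; any other line is ignored."""
    entries = []
    for line in lines:
        p = line.split()
        if len(p) == 9 and p[0] == "access-list" and p[2:5] == ["extended", "permit", "ip"]:
            src = ipaddress.ip_network((p[5], p[6]), strict=False)
            dst = ipaddress.ip_network((p[7], p[8]), strict=False)
            entries.append((src, dst))
    return entries

def would_encrypt(acl_lines, src_ip, dst_ip):
    """True if a src->dst packet hits a permit entry, i.e. the hub would
    classify it as interesting traffic and send it through the tunnel."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in parse_acl(acl_lines))

def missing_spoke_pairs(acl_lines, spokes):
    """General check: every ordered spoke pair must be covered by the hub ACL
    (the no-nat ACL needs the same pairs). Returns the uncovered (src, dst) pairs."""
    entries = parse_acl(acl_lines)
    return [(str(a), str(b)) for a, b in permutations(spokes, 2)
            if not any(a.subnet_of(src) and b.subnet_of(dst) for src, dst in entries)]

if __name__ == "__main__":
    print(would_encrypt(BEFORE, "192.168.10.5", "192.168.30.5"))  # False
    print(would_encrypt(AFTER, "192.168.10.5", "192.168.30.5"))   # True
    print(missing_spoke_pairs(BEFORE, SPOKE_LANS))                # both directions missing
```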
 
Brent,

Thanks for the suggestion.

I added this to access-list 101:

access-list 101 extended permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0


access-list 101 is the VPN connection from Pix 2 to Pix 1.
access-list 102 is the VPN connection from Pix 2 to Pix 3.
VPN-ACCESS is the no-nat.

Still no go....

 
Thanks for your help. I forgot to remove those routes that you asked me to add before.

Everything works like a champ.

Thanks once again.
 
Sweet! - That was fast.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 