Hi,
We have two offices. Headoffice has Ip subnet 192.168.0.0, remote office has IP subnet 192.168.4.0. There is another subnet (IPphone subnet) in Headoffice - 192.168.5.0
We cannot get access to telephone subnet from remote office to Headoffice IPphone subnet. In other words we cannot do ping 192.168.5.0 from 192.168.4.0
What is wrong?
This is PIX configuration of Headoffice:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list Outside-In permit tcp host ?.?.?.? interface outside eq 2222
access-list Outside-In permit tcp any interface outside eq www
access-list Outside-In permit tcp any interface outside eq https
access-list Outside-In permit tcp any host x.x.x.x eq www
access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list Non-Nat permit ip 192.168.5.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list Non-Nat permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Non-Nat permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Non-Nat permit ip 192.168.3.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Split-Tun permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Split-Tun3 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Split-Tun4 permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list Split-Tun4 permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list Split-Tun4 permit ip 192.168.5.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list Split-Tun6 permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Split-Tun6 permit ip 192.168.3.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Split-Tun6 permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
pager lines 24
logging on
logging history critical
ip audit attack action alarm
ip local pool IP-Pool1 192.168.1.50-192.168.1.100
ip local pool IP-Pool3 192.168.4.100-192.168.4.150
ip local pool IP-Pool4 192.168.2.100-192.168.2.150
ip local pool IP-Pool5 192.168.5.1-192.168.5.250
ip local pool IP-Pool6 192.168.6.100-192.168.6.150
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list Non-Nat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
access-group Outside-In in interface outside
route outside 0.0.0.0 0.0.0.0 y.y.y.y 1
route inside 192.168.3.0 255.255.255.0 192.168.0.47 1
route inside 192.168.5.0 255.255.255.0 192.168.0.47 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server MS-IAS protocol radius
aaa-server MS-IAS (inside) host 192.168.0.15 radiusauth timeout 10
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.0.84 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.255 inside
snmp-server location ottawa
snmp-server contact Silvan
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set Trans-1 esp-3des esp-sha-hmac
crypto dynamic-map CovConn-Dyno 10 set transform-set Trans-1
crypto map CovConn-VPN 10 ipsec-isakmp dynamic CovConn-Dyno
crypto map CovConn-VPN client authentication MS-IAS
crypto map CovConn-VPN interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup CovConn-Group1 address-pool IP-Pool1
vpngroup CovConn-Group1 dns-server 192.168.0.15 192.168.0.14
vpngroup CovConn-Group1 default-domain ccinc.local
vpngroup CovConn-Group1 idle-time 1800
vpngroup CovConn-Group1 password ********
vpngroup CovConn-Group2 address-pool IP-Pool4
vpngroup CovConn-Group2 dns-server 192.168.0.15 192.168.0.14
vpngroup CovConn-Group2 default-domain ccinc.local
vpngroup CovConn-Group2 split-tunnel Split-Tun
vpngroup CovConn-Group2 idle-time 1800
vpngroup CovConn-Group2 password ********
vpngroup CovConn-Group3 dns-server 192.168.0.15 192.168.0.14
vpngroup CovConn-Group3 default-domain ccinc.local
vpngroup CovConn-Group3 split-tunnel Split-Tun3
vpngroup CovConn-Group3 idle-time 1800
vpngroup CovConn-Group3 password ********
vpngroup CovConn-Group4 address-pool IP-Pool3
vpngroup CovConn-Group4 dns-server 192.168.0.15 192.168.0.14
vpngroup CovConn-Group4 default-domain ccinc.local
vpngroup CovConn-Group4 split-tunnel Split-Tun4
vpngroup CovConn-Group4 idle-time 1800
vpngroup CovConn-Group4 password ********
vpngroup CovConn-Group6 address-pool IP-Pool6
vpngroup CovConn-Group6 dns-server 192.168.0.15 192.168.0.14
vpngroup CovConn-Group6 default-domain ccinc.local
vpngroup CovConn-Group6 split-tunnel Split-Tun6
vpngroup CovConn-Group6 idle-time 1800
vpngroup CovConn-Group6 password ********
vpngroup CovConn-Group5 address-pool IP-Pool5
vpngroup CovConn-Group5 dns-server 192.168.0.15 192.168.0.14
vpngroup CovConn-Group5 default-domain ccinc.local
vpngroup CovConn-Group5 split-tunnel Split-Tun4
vpngroup CovConn-Group5 idle-time 1800
vpngroup CovConn-Group5 password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 15
console timeout 0
It seems there is something wrong with accesss-list Nonat.
May be I need to remove this command
nat (inside) 1 192.168.5.0 0 0
Thanks
We have two offices. Headoffice has Ip subnet 192.168.0.0, remote office has IP subnet 192.168.4.0. There is another subnet (IPphone subnet) in Headoffice - 192.168.5.0
We cannot get access to telephone subnet from remote office to Headoffice IPphone subnet. In other words we cannot do ping 192.168.5.0 from 192.168.4.0
What is wrong?
This is PIX configuration of Headoffice:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list Outside-In permit tcp host ?.?.?.? interface outside eq 2222
access-list Outside-In permit tcp any interface outside eq www
access-list Outside-In permit tcp any interface outside eq https
access-list Outside-In permit tcp any host x.x.x.x eq www
access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list Non-Nat permit ip 192.168.5.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list Non-Nat permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list Non-Nat permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Non-Nat permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Non-Nat permit ip 192.168.3.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Split-Tun permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Split-Tun3 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Split-Tun4 permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list Split-Tun4 permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list Split-Tun4 permit ip 192.168.5.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list Split-Tun6 permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Split-Tun6 permit ip 192.168.3.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Split-Tun6 permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
pager lines 24
logging on
logging history critical
ip audit attack action alarm
ip local pool IP-Pool1 192.168.1.50-192.168.1.100
ip local pool IP-Pool3 192.168.4.100-192.168.4.150
ip local pool IP-Pool4 192.168.2.100-192.168.2.150
ip local pool IP-Pool5 192.168.5.1-192.168.5.250
ip local pool IP-Pool6 192.168.6.100-192.168.6.150
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list Non-Nat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
access-group Outside-In in interface outside
route outside 0.0.0.0 0.0.0.0 y.y.y.y 1
route inside 192.168.3.0 255.255.255.0 192.168.0.47 1
route inside 192.168.5.0 255.255.255.0 192.168.0.47 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server MS-IAS protocol radius
aaa-server MS-IAS (inside) host 192.168.0.15 radiusauth timeout 10
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.0.84 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.255 inside
snmp-server location ottawa
snmp-server contact Silvan
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set Trans-1 esp-3des esp-sha-hmac
crypto dynamic-map CovConn-Dyno 10 set transform-set Trans-1
crypto map CovConn-VPN 10 ipsec-isakmp dynamic CovConn-Dyno
crypto map CovConn-VPN client authentication MS-IAS
crypto map CovConn-VPN interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup CovConn-Group1 address-pool IP-Pool1
vpngroup CovConn-Group1 dns-server 192.168.0.15 192.168.0.14
vpngroup CovConn-Group1 default-domain ccinc.local
vpngroup CovConn-Group1 idle-time 1800
vpngroup CovConn-Group1 password ********
vpngroup CovConn-Group2 address-pool IP-Pool4
vpngroup CovConn-Group2 dns-server 192.168.0.15 192.168.0.14
vpngroup CovConn-Group2 default-domain ccinc.local
vpngroup CovConn-Group2 split-tunnel Split-Tun
vpngroup CovConn-Group2 idle-time 1800
vpngroup CovConn-Group2 password ********
vpngroup CovConn-Group3 dns-server 192.168.0.15 192.168.0.14
vpngroup CovConn-Group3 default-domain ccinc.local
vpngroup CovConn-Group3 split-tunnel Split-Tun3
vpngroup CovConn-Group3 idle-time 1800
vpngroup CovConn-Group3 password ********
vpngroup CovConn-Group4 address-pool IP-Pool3
vpngroup CovConn-Group4 dns-server 192.168.0.15 192.168.0.14
vpngroup CovConn-Group4 default-domain ccinc.local
vpngroup CovConn-Group4 split-tunnel Split-Tun4
vpngroup CovConn-Group4 idle-time 1800
vpngroup CovConn-Group4 password ********
vpngroup CovConn-Group6 address-pool IP-Pool6
vpngroup CovConn-Group6 dns-server 192.168.0.15 192.168.0.14
vpngroup CovConn-Group6 default-domain ccinc.local
vpngroup CovConn-Group6 split-tunnel Split-Tun6
vpngroup CovConn-Group6 idle-time 1800
vpngroup CovConn-Group6 password ********
vpngroup CovConn-Group5 address-pool IP-Pool5
vpngroup CovConn-Group5 dns-server 192.168.0.15 192.168.0.14
vpngroup CovConn-Group5 default-domain ccinc.local
vpngroup CovConn-Group5 split-tunnel Split-Tun4
vpngroup CovConn-Group5 idle-time 1800
vpngroup CovConn-Group5 password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 15
console timeout 0
It seems there is something wrong with accesss-list Nonat.
May be I need to remove this command
nat (inside) 1 192.168.5.0 0 0
Thanks