
IPSEC tunnel to internal network assistance 1

Status
Not open for further replies.

nkew (Programmer, GB)
Dec 18, 2007
Dear Experts,

I have set up an IPSEC tunnel between mobile sites and our internal network.

The tunnel works perfectly and I'm able to access all internal hosts in our network.

In addition to these, I'd like to be able to access one or two external addresses.

Could anybody advise how I would add a rule enabling users who have successfully established an IPSEC connection to access these IPs?

Many thanks in advance,

Nick

From Trust To Untrust, total policy: 4
34 Internal Network #1 --> Vodafone Handset Range #1 ANY
32 Internal Network #1 --> Vodafone Handset Range #2 ANY

From Untrust To Trust, total policy: 5
35 Vodafone Handset Range #1 --> Internal Network #1 ANY
33 Vodafone Handset Range #2 --> Internal Network #1 ANY
 
Hi,

The PIX will not be able to interpret "groups". That is why your previous config had 8 VPN rules. If the remote end was a Firewall, you would have needed 4 rules. I would configure the policy below and test:

Trust 192.168.1.0/24 VPN 10.10.1.0/24 ANY permit
VPN 10.10.1.0/24 Trust 192.168.1.0/24 ANY permit

Make sure you test from the 192.168.1.0/24 subnet and ping a host on the 10.10.1.0/24 subnet.

BTW, since your tunnel interface is bound to the VPN Zone in the trust-vr, you do not need to worry about "Untrust" policies. However, once we get it working you will need a VPN to Untrust policy to permit the VPN clients to the Internet.

Rgds,

John
 
Hi John,

I think I'm too tired to be thinking about this now! About to call it a night (it's 1:37am!) and look at it afresh tomorrow.

The tunnel still isn't coming up, and my rules don't contain any reference to 10.10.1.0/24 in the dropdown. I can only select 'Any' and 'Dial up VPN'.

Thanks for all your help - I really do appreciate you taking this time to help me out.

Regards,

Nick
 
OK, get a good night's sleep. I should be around tomorrow. Regarding the policy, did you delete your old VPN rules? If not, please remove them. When you create a new rule from Trust to VPN, you can specify address ranges in the "new address" field. Action = Permit.

Rgds,

John
 
Hi Nick,

Try the following:

1. Add 0.0.0.0/0 for both the Local and Remote Proxy ID.
2. Set the Proxy ID service as "any".
3. Remove your old VPN rules and add new rules that match (Trust to VPN, VPN to Trust, DMZ to VPN, etc).
4. Debug, test, and upload.

I just reviewed the route-based VPN info in the documentation and found that if policy is preferred in a route-based config, use the 0.0.0.0/0 approach as I defined above and create policies. I'm hoping the Netscreen and PIX can agree this time. Keep me posted.

Rgds,

John
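Pulling John's advice together, the ScreenOS CLI below is an added illustration (not posted by anyone in this thread) of a route-based VPN with 0.0.0.0/0 proxy IDs, Trust/VPN zone policies, and the VPN-to-Untrust policy Nick originally asked about. The gateway name, VPN name, tunnel interface number, pre-shared key, peer address and the external host address are assumed placeholders; the subnets and address-book names come from the thread.

```text
# --- zone and tunnel interface (tunnel.1 in the trust-vr is an assumption) ---
set zone name VPN
set interface tunnel.1 zone VPN
set interface tunnel.1 ip unnumbered interface ethernet3

# --- IKE gateway to the PIX (peer address and key are placeholders) ---
set ike gateway PIX-GW address <PIX-PUBLIC-IP> main outgoing-interface ethernet3 preshare <PRESHARED-KEY> sec-level standard
set vpn PIX-VPN gateway PIX-GW sec-level standard
set vpn PIX-VPN bind interface tunnel.1

# --- proxy ID 0.0.0.0/0 both sides, service any, so the PIX sees one SA ---
set vpn PIX-VPN proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 "ANY"

# --- route the handset range into the tunnel; policy then does the filtering ---
set route 10.10.1.0/24 interface tunnel.1

# --- address book entries used by the policies ---
set address Trust "Internal Network #1" 192.168.1.0 255.255.255.0
set address VPN "Vodafone Handset Range #1" 10.10.1.0 255.255.255.0
set address Untrust "External Host #1" <EXTERNAL-IP> 255.255.255.255

# --- Trust <-> VPN, replacing the old Trust/Untrust rules ---
set policy from Trust to VPN "Internal Network #1" "Vodafone Handset Range #1" ANY permit
set policy from VPN to Trust "Vodafone Handset Range #1" "Internal Network #1" ANY permit

# --- VPN -> Untrust: only the one or two external hosts the handsets need ---
set policy from VPN to Untrust "Vodafone Handset Range #1" "External Host #1" ANY permit
```

Narrowing the VPN-to-Untrust policy to specific host entries rather than "Any" keeps the tunnel from becoming a general Internet path, and `get sa` / `get policy` on the Netscreen show whether the SA and policy counters are incrementing during testing.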
 