
Multiple Sites to one VPN

Status
Not open for further replies.

prophetx

Technical User
May 21, 2004
5
US
I've got a pix 520 that sits at our central office. It has an inside, outside, DMZ, and WAN interface on it. Currently we have remote sites that all connect to our central office through the WAN, coming in on the WAN interface. We also have an IPsec VPN tunnel to another company. My question is this:

How can I get the remote sites coming in through the WAN access to the remote company through the VPN tunnel?
 
You can't, unless you can terminate one or the other VPN on a different interface. The pix can't route traffic back out the interface on which it arrived, so it can't be the hub in a hub and spoke VPN configuration.

You'd have to create a fully meshed VPN, in other words create independent VPN(s) between your remote sites and the third party company.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
Hang on ... I've misunderstood the setup, sorry. I really must go to bed, not concentrating properly at the moment.

You'd need to include in the VPN config on both sides of the tunnel the IP range of the WAN sites, and then also look at the ACLs on the WAN interface to check there's nothing blocking their access out the outside interface. You'd also need to check that the IP ranges of the remote sites and the third party company don't overlap.

I think that might be enough ... although at the moment, I'm apparently not the most reliable judge.

Off to bed

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
I think I have an access list problem. I will post my config tonight if you guys wouldn't mind seeing if there is something I am missing.
 
Here is my config:

interface ethernet0 100basetx
interface ethernet1 100full
interface ethernet2 100basetx
interface ethernet3 100basetx
interface ethernet4 auto shutdown
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 Wan security5
nameif ethernet3 DMZ security6
nameif ethernet4 intf4 security8
nameif ethernet5 Failover security50
hostname PIX1
domain-name *******
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723-1724
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.203.0 Remote1
name 172.16.205.0 Remote2
name 172.16.202.0 Remote3
name 172.16.204.0 Remote4
name 172.16.130.0 CLE-HOP
name 172.16.201.10 SERVER01
name 172.16.201.11 EXCHANGE01
name 172.16.201.9 InternetServer01
name 216.28.251.0 *****
name 11.11.0.0 WAN-CONNECTION
name 172.16.192.0 REMOTES
name 172.16.210.40 SERVER02
name 172.16.210.0 DMZSystems
name 172.16.0.0 tunneloffice
name 172.16.128.0 Local-Lan
object-group network REMOTE-OFFICES
network-object Remote3 255.255.255.0
network-object Remote1 255.255.255.0
network-object Remote4 255.255.255.0
network-object Remote2 255.255.255.0
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit tcp any host ***** eq pptp
access-list outside_access_in permit gre any host *********
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any host ********** eq smtp
access-list outside_access_in permit tcp any host ************* eq www
access-list outside_access_in permit ip ***** 255.255.255.0 any
access-list outside_access_in permit tcp host 172.16.1.5 host InternetServer01 eq 135
access-list outside_access_in permit udp host 172.16.1.5 host InternetServer01 eq netbios-ns
access-list outside_access_in permit udp host 172.16.1.5 host InternetServer01 eq netbios-dgm
access-list outside_access_in permit tcp host 172.16.1.5 host InternetServer01 eq netbios-ssn
access-list outside_access_in permit tcp host 172.16.1.5 host InternetServer01 eq 42
access-list outside_access_in permit tcp host 172.16.1.5 host InternetServer01 eq ldap
access-list outside_access_in permit udp host 172.16.1.5 host InternetServer01 eq 389
access-list outside_access_in permit tcp host 172.16.1.5 host InternetServer01 eq ldaps
access-list outside_access_in permit tcp host 172.16.1.5 host InternetServer01 eq 3268
access-list outside_access_in permit tcp host 172.16.1.5 host InternetServer01 eq 3269
access-list outside_access_in permit tcp host 172.16.1.5 host InternetServer01 eq domain
access-list outside_access_in permit udp host 172.16.1.5 host InternetServer01 eq domain
access-list outside_access_in permit udp host 172.16.1.5 host InternetServer01 eq 88
access-list outside_access_in permit tcp host 172.16.1.5 host InternetServer01 eq 88
access-list outside_access_in permit tcp host 172.16.1.5 host InternetServer01 eq 445
access-list outside_access_in permit udp host 172.16.1.5 host InternetServer01 eq 1104
access-list outside_access_in permit tcp host 172.16.1.5 host InternetServer01 eq ident
access-list outside_access_in permit ip tunneloffice 255.255.128.0 WAN-CONNECTION 255.255.0.0
access-list inside_outbound_nat0_acl permit ip any ***** 255.255.255.0
access-list inside_outbound_nat0_acl permit ip REMOTES 255.255.192.0 CLE-HOP 255.255.255.0
access-list inside_outbound_nat0_acl permit ip REMOTES 255.255.192.0 ***** 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.201.0 255.255.255.0 WAN-CONNECTION 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 172.16.201.0 255.255.255.0 REMOTES 255.255.192.0
access-list inside_outbound_nat0_acl permit ip 172.16.201.0 255.255.255.0 DMZSystems 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Local-Lan 255.255.128.0 d 255.255.128.0
access-list outside_cryptomap_20 permit ip REMOTES 255.255.192.0 CLE-HOP 255.255.255.0
access-list inside_access_in permit gre host SERVER01 any
access-list inside_access_in permit ip 172.16.201.0 255.255.255.0 WAN-CONNECTION 255.255.0.0
access-list inside_access_in permit ip 172.16.201.0 255.255.255.0 REMOTES 255.255.192.0
access-list inside_access_in permit ip any any
access-list inside_access_in permit ip CLE-HOP 255.255.255.0 WAN-CONNECTION 255.255.0.0
access-list inside_access_in permit ip REMOTES 255.255.192.0 WAN-CONNECTION 255.255.0.0
access-list inside_access_in permit icmp any any echo
access-list inside_access_in permit icmp any any echo-reply
access-list outside_cryptomap_40 permit ip REMOTES 255.255.192.0 ***** 255.255.255.0
access-list Wan_inbound_nat0_acl permit ip WAN-CONNECTION 255.255.0.0 172.16.201.0 255.255.255.0
access-list Wan_inbound_nat0_acl permit ip REMOTES 255.255.192.0 172.16.201.0 255.255.255.0
access-list Wan_inbound_nat0_acl permit ip object-group REMOTE-OFFICES tunneloffice 255.255.128.0
access-list Wan_inbound_nat0_acl permit ip WAN-CONNECTION 255.255.0.0 tunneloffice 255.255.128.0
access-list Wan_access_in permit ip WAN-CONNECTION 255.255.0.0 172.16.201.0 255.255.255.0
access-list Wan_access_in permit ip REMOTES 255.255.192.0 172.16.201.0 255.255.255.0
access-list Wan_access_in permit tcp Remote2 255.255.255.0 any
access-list Wan_access_in permit ip any ***** 255.255.255.0
access-list Wan_access_in permit ip WAN-CONNECTION 255.255.0.0 REMOTES 255.255.192.0
access-list Wan_access_in permit ip WAN-CONNECTION 255.255.0.0 CLE-HOP 255.255.255.0
access-list Wan_access_in permit icmp any any echo
access-list Wan_access_in permit icmp any any echo-reply
access-list Wan_access_in permit ip WAN-CONNECTION 255.255.0.0 d 255.255.128.0
access-list DMZ_inbound_nat0_acl permit ip DMZSystems 255.255.255.0 172.16.201.0 255.255.255.0
access-list DMZ_access_in permit tcp host SERVER02 host EXCHANGE01 eq smtp
access-list DMZ_access_in permit tcp DMZSystems 255.255.255.0 any
access-list DMZ_access_in permit udp DMZSystems 255.255.255.0 any eq domain
access-list outside_inbound_nat0_acl permit ip ***** 255.255.255.0 d 255.255.0.0
access-list outside_inbound_nat0_acl permit ip ***** 255.255.255.0 object-group REMOTE-OFFICES
access-list outside_inbound_nat0_acl permit ip tunneloffice 255.255.128.0 object-group REMOTE-OFFICES
access-list outside_inbound_nat0_acl permit ip tunneloffice 255.255.128.0 WAN-CONNECTION 255.255.0.0
access-list homeremote-tunnel permit ip Local-Lan 255.255.128.0 tunneloffice 255.255.128.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu Wan 1500
mtu DMZ 1500
mtu intf4 1500
mtu Failover 1500
ip address outside *********** 255.255.255.248
ip address inside 172.16.201.6 255.255.255.0
ip address Wan 11.11.201.2 255.255.255.0
ip address DMZ 172.16.210.1 255.255.255.0
no ip address intf4
ip address Failover 172.16.129.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover replication http
failover ip address outside ************
failover ip address inside 172.16.201.253
failover ip address Wan 11.11.201.12
failover ip address DMZ 172.16.225.12
no failover ip address intf4
failover ip address Failover 172.16.129.12
failover link Failover
failover lan unit primary
failover lan interface Failover
failover lan key ********
failover lan enable
pdm location Remote3 255.255.255.0 Wan
pdm location Remote1 255.255.255.0 Wan
pdm location Remote4 255.255.255.0 Wan
pdm location Remote2 255.255.255.0 Wan
pdm location CLE-HOP 255.255.255.0 outside
pdm location CLE-HOP 255.255.255.0 inside
pdm location SERVER01 255.255.255.255 inside
pdm location InternetServer01 255.255.255.255 inside
pdm location EXCHANGE01 255.255.255.255 inside
pdm location REMOTES 255.255.192.0 inside
pdm location ***** 255.255.255.0 outside
pdm location WAN-CONNECTION 255.255.0.0 Wan
pdm location 11.11.202.0 255.255.255.0 Wan
pdm location REMOTES 255.255.192.0 Wan
pdm location 11.11.203.0 255.255.255.0 Wan
pdm location 11.11.204.0 255.255.255.0 Wan
pdm location 11.11.205.0 255.255.255.0 Wan
pdm location SERVER02 255.255.255.255 DMZ
pdm location Local-Lan 255.255.128.0 Wan
pdm location Local-Lan 255.255.255.224 inside
pdm location Local-Lan 255.255.255.0 inside
pdm location tunneloffice 255.255.0.0 inside
pdm location Local-Lan 255.255.128.0 inside
pdm location tunneloffice 255.255.128.0 outside
pdm location tunneloffice 255.255.128.0 inside
pdm location REMOTES 255.255.192.0 DMZ
pdm location InternetServer01 255.255.255.255 Wan
pdm location 172.16.1.5 255.255.255.255 outside
pdm location 172.16.1.5 255.255.255.255 inside
pdm location tunneloffice 255.255.128.0 Wan
pdm location WAN-CONNECTION 255.255.0.0 outside
pdm location WAN-CONNECTION 255.255.0.0 inside
pdm group REMOTE-OFFICES Wan
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 Local-Lan 255.255.255.0 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (Wan) 0 access-list Wan_inbound_nat0_acl outside
nat (Wan) 10 Remote2 255.255.255.0 0 0
nat (Wan) 10 Local-Lan 255.255.128.0 0 0
nat (DMZ) 0 access-list DMZ_inbound_nat0_acl outside
nat (DMZ) 0 DMZSystems 255.255.255.0 0 0
static (inside,outside) ********* SERVER01 netmask 255.255.255.255 0 0
static (DMZ,outside) ******* SERVER02 netmask 255.255.255.255 0 0
static (inside,outside) ****** EXCHANGE01 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group Wan_access_in in interface Wan
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 ************
route Wan 11.11.202.0 255.255.255.0 11.11.201.3 1
route Wan 11.11.203.0 255.255.255.0 11.11.201.3 1
route Wan 11.11.204.0 255.255.255.0 11.11.201.3 1
route Wan 11.11.205.0 255.255.255.0 11.11.201.3 1
route Wan REMOTES 255.255.192.0 11.11.201.3 1
route Wan Remote3 255.255.255.0 11.11.201.3 1
route Wan Remote1 255.255.255.0 11.11.201.3 1
route Wan Remote4 255.255.255.0 11.11.201.3 1
route Wan Remote2 255.255.255.0 11.11.201.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http tunneloffice 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set SET3 esp-des esp-md5-hmac
crypto ipsec transform-set scooter esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer *********
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer ********
crypto map outside_map 40 set transform-set SET3
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address homeremote-tunnel
crypto map outside_map 60 set pfs group2
crypto map outside_map 60 set peer *******
crypto map outside_map 60 set transform-set scooter
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address ********* netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address ********* netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address ********* netmask 255.255.255.224
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption des
isakmp policy 60 hash sha
isakmp policy 60 group 2
isakmp policy 60 lifetime 28800
telnet Local-Lan 255.255.128.0 inside
telnet tunneloffice 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
OK, basically I changed IPs to protect my network in this config, so the IPs you see aren't actually in production, but the ranges and the subnets are the same.

My problem is this. I need the remote offices (Remote1, Remote2, Remote3, etc.) with networks 172.16.204.0, 172.16.203.0, etc. to be able to get to the tunneloffice network (172.16.0.0 255.255.128.0).

All the remote sites come in through the WAN interface. I know it is an access list problem, but I don't know how to fix it. Any help would be great.

The access list which creates the tunnel between my local LAN at the central office and the tunneloffice network permits 172.16.128.0 255.255.128.0 (local CO LAN) to 172.16.0.0 255.255.128.0 (tunneloffice LAN); with this range I know I am including the remote site LANs to give them access as well. Please, please help, I am wrecking my brain over this. Thanks,

ProphetX
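The three checks listed in the earlier reply (crypto ACL on this side covers the remote site ranges, nothing on the Wan interface blocks them, no overlap with the far side's range) can be run mechanically over the posted config. The script below is an added example, not from the thread or from Cisco; it embeds only the `name`, `object-group` and plain `permit ip` lines that matter for remote office to tunneloffice traffic (the masked `d` entries and the tcp-only Remote2 entry are left out), models PIX ACL matching as "some entry's source and destination each fully contain the flow", and reports, per REMOTE-OFFICES subnet, whether it is matched by `homeremote-tunnel`, exempted by `Wan_inbound_nat0_acl`, explicitly permitted by `Wan_access_in`, and whether it overlaps tunneloffice. The far side's own crypto ACL is not visible here and is not checked.

```python
import ipaddress
# Copied from the config posted above (only entries relevant to remote office -> tunneloffice traffic).
CONFIG = """\
name 172.16.203.0 Remote1
name 172.16.205.0 Remote2
name 172.16.202.0 Remote3
name 172.16.204.0 Remote4
name 172.16.192.0 REMOTES
name 172.16.0.0 tunneloffice
name 172.16.128.0 Local-Lan
object-group network REMOTE-OFFICES
network-object Remote3 255.255.255.0
network-object Remote1 255.255.255.0
network-object Remote4 255.255.255.0
network-object Remote2 255.255.255.0
access-list homeremote-tunnel permit ip Local-Lan 255.255.128.0 tunneloffice 255.255.128.0
access-list Wan_inbound_nat0_acl permit ip object-group REMOTE-OFFICES tunneloffice 255.255.128.0
access-list Wan_access_in permit ip REMOTES 255.255.192.0 172.16.201.0 255.255.255.0
"""
net = lambda names, a, m: ipaddress.ip_network((names.get(a, a), m))  # resolve "name" aliases

def parse(text):
    """Collect name aliases, object-groups and plain 'permit ip' ACL entries as (src, dst) network lists."""
    names, groups, acls = {}, {}, {}
    # an ACL operand is either "object-group NAME" or "ADDR MASK"; returns (networks, remaining tokens)
    operand = lambda t: (groups[t[1]], t[2:]) if t[0] == "object-group" else ([net(names, t[0], t[1])], t[2:])
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "object-group":
            group = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            group.append(net(names, t[1], t[2]))
        elif t[0] == "access-list" and t[3] == "ip":  # tcp/udp/icmp entries are not modelled
            src, rest = operand(t[4:])
            dst, _ = operand(rest)
            acls.setdefault(t[1], []).append((src, dst))
    return names, groups, acls

def covers(acls, acl, src, dst):
    """True if one entry of `acl` permits all of src -> dst (a wider entry such as Local-Lan/17 counts)."""
    return any(any(src.subnet_of(s) for s in ss) and any(dst.subnet_of(d) for d in dd) for ss, dd in acls.get(acl, []))

def check_remote_offices(text):
    """Per office: crypto ACL match, NAT exemption and Wan-inbound permit for office -> tunneloffice, plus overlap."""
    names, groups, acls = parse(text)
    tunnel = net(names, "tunneloffice", "255.255.128.0")
    checks = {"crypto_acl": "homeremote-tunnel", "nat0_exempt": "Wan_inbound_nat0_acl", "wan_acl_permit": "Wan_access_in"}
    return {str(o): dict({k: covers(acls, a, o, tunnel) for k, a in checks.items()}, overlaps_tunnel=o.overlaps(tunnel))
            for o in groups["REMOTE-OFFICES"]}
```

On the posted lines every office comes out as matched by the crypto ACL and NAT-exempt with no overlap, but with no `Wan_access_in` entry that permits it to tunneloffice; since that ACL has no `permit ip any any`, that is the first thing to compare against the masked `d` entry.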
 