
multiple VPN channels - mobile user access issues 1


julianmd
May 26, 2004
Here is my setup:

4 sites
3 sites with pix 505 (workgroup + dhcp + wins)
1 site with 515 (A) (nt4 domain + dhcp + wins)


A
***
* * *
* * *
B * C
* * *
* * *
D
All of them are VPN connected as above.
===========================================================
Situation:

Mobile user "Z" dials up to the ISP, and then with the Cisco VPN client connects to - A - where he is authenticated on the domain.

Can ping the local hosts, cannot ping remote hosts, can telnet to the unix server, and from within the shell can telnet to the remote network - D -.

===========================================================

Same mobile user "Z" dials up to the ISP, and then with the Cisco VPN client connects to - D - (no domain auth).

Can ping the local hosts, cannot ping the remote hosts - A -, CANNOT telnet to the unix machine.

============================================================
Questions:

How can I make the mobile VPN user able to access the other sites through the PIX VPNs?
Why can't I telnet locally, even though no restrictions are imposed on the unix machine?

Any information would be greatly appreciated!

Julian Dragut
 
What IP pools have you got set up for the 4 sites, and does each of the 4 PIXes have an access-list to allow the IP pool traffic to traverse the different VPNs?

May be barking up the wrong tree but worth a look.
 
Pix will not allow traffic coming in on an interface to go out via the same interface. I have the same issue. To do what you want the Pix would need to accept the client's vpn traffic via the outside interface, then route it back out the same interface to contact the remote Pix. Won't work.

You can add another vpn device, or possibly subnet your internet LAN and get creative with static routes for the VPN (you'll need the roaming clients to connect via the Pix's default route).

The only part I'm not clear on is "the Unix machine". Is there only one at site A, or is there one at each site?
 
The Unix boxes in each site

I have 192.168.254.0-10 mask 255.255.255.240 ipvpnpool

and I think I have this

access-list outside permit ip 192.168.254.0 255.255.255.240 192.168.0.0 255.255.255.0 (res: 192.168.1.0, 2.0, 3.0 and so on)

I simplified the schema, because what I've got here is a mess.
I have just been hired by this company to do a major upgrade from NT4 to W2k (AD + stuff).

Not very experienced with PIX, so any help would be like gold.
Appreciated guys!
 
OK, as I read this, you have 192.168.1.0, 192.168.2.0, 192.168.3.0, etc. for the LAN segments inside site D, right?

If that's the case, your access list needs to be changed. Currently it will only allow inbound access to 192.168.0.0/24 (192.168.0.0-192.168.0.254). Try changing it to "permit ip 192.168.254.0 255.255.255.240 192.168.0.0 255.255.248.0", or reduce the 3rd octet in the destination further, if needed.

You'll also want to ensure that inside traffic destined for the client VPN is part of "nat 0":

access-list no_nat permit ip 192.168.0.0 255.255.248.0 192.168.254.0 255.255.255.240
nat (inside) 0 access-list no_nat
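To see why the /24 destination only reaches one LAN while the 255.255.248.0 mask covers 192.168.0.0 through 192.168.7.0, here is a small added check (not from the thread or from Cisco) that parses the PIX-style "address netmask" access-list lines above and reports which site LANs a client in the VPN pool is permitted to reach. It also confirms that the no_nat line is the mirror of the VPN access-list, which is what makes return traffic bypass NAT. The site LAN addresses are the constructed values from the thread, each assumed to be a /24.

```python
import ipaddress

# Constructed sample values taken from the thread: VPN client pool and site LANs (assumed /24 each)
VPN_POOL = "192.168.254.0 255.255.255.240"
SITE_LANS = ["192.168.0.0", "192.168.1.0", "192.168.2.0", "192.168.3.0"]

ORIGINAL = "access-list outside permit ip 192.168.254.0 255.255.255.240 192.168.0.0 255.255.255.0"
CORRECTED = "access-list outside permit ip 192.168.254.0 255.255.255.240 192.168.0.0 255.255.248.0"
NO_NAT = "access-list no_nat permit ip 192.168.0.0 255.255.248.0 192.168.254.0 255.255.255.240"


def pix_net(addr_mask: str) -> ipaddress.IPv4Network:
    """Convert PIX 'address netmask' notation into an IPv4Network (host bits are masked off)."""
    addr, mask = addr_mask.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(line: str):
    """Parse 'access-list NAME permit|deny ip SRC SMASK DST DMASK' into (action, src, dst)."""
    parts = line.split()
    if len(parts) != 8 or parts[0] != "access-list" or parts[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line}")
    return parts[2], pix_net(f"{parts[4]} {parts[5]}"), pix_net(f"{parts[6]} {parts[7]}")


def reachable_sites(acl_line: str, pool: str, lans: list) -> list:
    """Return the site LANs whose whole /24 is permitted as a destination for the VPN pool."""
    action, src, dst = parse_acl(acl_line)
    if action != "permit" or not pix_net(pool).subnet_of(src):
        return []
    return [lan for lan in lans if ipaddress.IPv4Network(f"{lan}/24").subnet_of(dst)]


def nat0_mirrors(no_nat_line: str, vpn_acl_line: str) -> bool:
    """True if the nat 0 ACL exempts inside->pool traffic for everything the VPN ACL permits."""
    _, nn_src, nn_dst = parse_acl(no_nat_line)
    _, vpn_src, vpn_dst = parse_acl(vpn_acl_line)
    return vpn_dst.subnet_of(nn_src) and vpn_src.subnet_of(nn_dst)


if __name__ == "__main__":
    print("original ACL reaches:", reachable_sites(ORIGINAL, VPN_POOL, SITE_LANS))   # only 192.168.0.0
    print("corrected ACL reaches:", reachable_sites(CORRECTED, VPN_POOL, SITE_LANS))  # all four LANs
    print("nat 0 mirrors VPN ACL:", nat0_mirrors(NO_NAT, CORRECTED))                  # True
```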

 
That's it!
The remote users can access the unix boxes now.
They are not able to browse the net or access other sites, but it is good how it is for now. (Cannot exit on the same interface you entered, right?)
Highly appreciated.
Thanks a lot.
 
Glad it helped.

Browsing the net can be done if you enable split-tunnel. Then only corporate traffic is encrypted through the VPN and all other traffic goes from the client directly to the net. There's some controversy over this, since a vulnerable computer could potentially act as a gateway to your corporate lan. Personally, I think the bigger risk is someone who downloads all sorts of trojans to their computer and then connects the VPN.
 