PIX 515 VPN and 2620 internal routing

Status
Not open for further replies.

kees7

Technical User
Aug 11, 2002
14
NL
We have a Cisco PIX 515 with IPSEC VPN between our LAN and the internet. In our LAN we have a 2620 Cisco router which connects our LAN with our other offices. In our LAN the default gateway is the 2620 router. The default gateway on the 2620 is the PIX 515. When we make a VPN connection, client or pix-2-pix, I can access our LAN but I can't access the other offices. How can I give the VPN client or the other pix access to the other offices? Please help.
 
You'll need to add static routes to the Cisco Pix for each of the networks located behind the router with the Cisco 2600 router as the next hop to reach those subnets. You'll need to add ACL entries to the match list for VPN traffic to include traffic from VPN clients to these networks. If the Cisco 2600 router is the default router for these remote LANs, then you won't need to add a static route (on the router) for the VPN pool subnet pointing to the Pix as the next hop, because the default route in the Cisco 2600 router will suffice.
 
I have the following config in my PIX 515. I have two problems. The first is that the inside users can't connect to the internet (most of the time, very strange) and our mail server can't connect to the internet (this has started since I added the VPN lines). When I remove them everything is working fine. Second, when I make a VPN connection I can only access our inside 92.0.0.0 network and not the networks (93.0.0.0 etc.) which are connected through the 2620 router. The default gateway is the 2620 in our network. The default gateway on the 2620 is the PIX 515. Please help.

mail server ip = 92.0.0.6
mail proxy server ip on dmz = 192.168.52.2
surfbox server ip = 92.0.0.44
2620 ip = 92.0.0.254

Kees

PIX 515 config
-----------------
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password qfXK8xKDg7yGRemd encrypted
passwd qfXK8xKDg7yGRemd encrypted
hostname firewall
domain-name xxxxxxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host xxx.xxx.xxx.90 eq smtp
access-list outside_access_in permit tcp any host xxx.xxx.xxx.90 eq pop3
access-list outside_access_in permit tcp any host xxx.xxx.xxx.90 eq 143
access-list dmz_access_in permit tcp any host 92.0.0.6 eq smtp
access-list dmz_access_in permit tcp any host 92.0.0.6 eq pop3
access-list dmz_access_in permit tcp any host 92.0.0.6 eq 143
access-list 101 permit ip 92.0.0.0 255.0.0.0 192.168.49.0 255.255.255.0
access-list 101 permit tcp 92.0.0.0 255.0.0.0 192.168.49.0 255.255.255.0
access-list 101 permit icmp 92.0.0.0 255.0.0.0 192.168.49.0 255.255.255.0
access-list 101 permit udp 92.0.0.0 255.0.0.0 192.168.49.0 255.255.255.0
access-list 101 permit tcp 92.0.0.0 255.0.0.0 92.0.3.0 255.255.255.0
access-list 101 permit icmp 92.0.0.0 255.0.0.0 92.0.3.0 255.255.255.0
access-list 101 permit udp 92.0.0.0 255.0.0.0 92.0.3.0 255.255.255.0
access-list 101 permit ip 93.0.0.0 255.255.255.0 92.0.3.0 255.255.255.0
access-list 101 permit tcp 93.0.0.0 255.255.255.0 92.0.3.0 255.255.255.0
access-list 101 permit icmp 93.0.0.0 255.255.255.0 92.0.3.0 255.255.255.0
access-list 101 permit udp 93.0.0.0 255.255.255.0 92.0.3.0 255.255.255.0
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip host 92.0.0.222 any
access-list inside_access_in permit tcp host 92.0.0.222 any
access-list inside_access_in permit tcp host 92.0.0.161 any
access-list inside_access_in permit udp host 92.0.0.222 any
access-list inside_access_in permit ip host 92.0.0.5 any
access-list inside_access_in permit tcp host 92.0.0.5 any
access-list inside_access_in permit udp host 92.0.0.5 any
access-list inside_access_in permit ip host 92.0.0.6 any
access-list inside_access_in permit tcp host 92.0.0.6 any
access-list inside_access_in permit tcp host 92.0.0.6 any
access-list inside_access_in permit udp host 92.0.0.6 any
access-list inside_access_in permit ip host 92.0.0.13 any
access-list inside_access_in permit tcp host 92.0.0.13 any
access-list inside_access_in permit udp host 92.0.0.13 any
access-list inside_access_in permit ip host 92.0.0.44 any
access-list inside_access_in permit tcp host 92.0.0.44 any
access-list inside_access_in permit udp host 92.0.0.44 any
access-list inside_access_in permit ip host 92.0.0.80 any
access-list inside_access_in permit tcp host 92.0.0.80 any
access-list inside_access_in permit udp host 92.0.0.80 any
access-list inside_access_in permit ip host 92.0.0.237 any
access-list inside_access_in permit tcp host 92.0.0.237 any
access-list inside_access_in permit udp host 92.0.0.237 any
access-list inside_access_in permit ip host 92.0.0.248 any
access-list inside_access_in permit tcp host 92.0.0.248 any
access-list inside_access_in permit udp host 92.0.0.248 any
access-list inside_access_in permit ip host 95.0.111.1 any
access-list inside_access_in permit tcp host 95.0.111.1 any
access-list inside_access_in permit udp host 95.0.111.1 any
access-list inside_access_in permit udp host 92.0.0.161 any
access-list inside_access_in permit ip host 92.0.0.161 any
access-list nonat permit ip 92.0.0.0 255.0.0.0 192.168.49.0 255.255.255.0
access-list nonat permit tcp 92.0.0.0 255.0.0.0 192.168.49.0 255.255.255.0
access-list nonat permit icmp 92.0.0.0 255.0.0.0 192.168.49.0 255.255.255.0
access-list nonat permit icmp 92.0.0.0 255.0.0.0 192.168.49.0 255.255.255.0
access-list nonat permit udp 92.0.0.0 255.0.0.0 192.168.49.0 255.255.255.0
access-list nonat permit ip 92.0.0.0 255.0.0.0 92.0.3.0 255.255.255.0
access-list nonat permit tcp 92.0.0.0 255.0.0.0 92.0.3.0 255.255.255.0
access-list nonat permit icmp 92.0.0.0 255.0.0.0 92.0.3.0 255.255.255.0
access-list nonat permit udp 92.0.0.0 255.0.0.0 92.0.3.0 255.255.255.0
access-list nonat permit ip 92.0.0.0 255.255.255.0 80.0.0.0 255.0.0.0
access-list nonat permit icmp 92.0.0.0 255.255.255.0 80.0.0.0 255.0.0.0
access-list nonat permit ip 92.0.0.0 255.255.255.0 195.0.0.0 255.0.0.0
access-list nonat permit icmp 92.0.0.0 255.255.255.0 195.0.0.0 255.0.0.0
access-list nonat permit ip 93.0.0.0 255.255.255.0 92.0.3.0 255.255.255.0
access-list nonat permit tcp 93.0.0.0 255.255.255.0 92.0.3.0 255.255.255.0
access-list nonat permit icmp 93.0.0.0 255.255.255.0 92.0.3.0 255.255.255.0
access-list nonat permit udp 93.0.0.0 255.255.255.0 92.0.3.0 255.255.255.0
access-list nonat permit ip 93.0.0.0 255.255.255.0 80.0.0.0 255.0.0.0
access-list nonat permit icmp 93.0.0.0 255.255.255.0 80.0.0.0 255.0.0.0
access-list nonat permit icmp 93.0.0.0 255.255.255.0 195.0.0.0 255.0.0.0
access-list nonat permit ip 93.0.0.0 255.255.255.0 195.0.0.0 255.0.0.0
pager lines 24
logging on
logging monitor debugging
logging trap warnings
logging history warnings
logging host inside 92.0.0.8
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.xxx.91 255.255.255.248
ip address inside 92.0.0.90 255.0.0.0
ip address dmz 192.168.52.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 92.0.3.1-92.0.3.150
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) xxx.xxx.xxx.90 192.168.52.2 255.255.255.255
static (dmz,outside) xxx.xxx.xxx.90 192.168.52.2 netmask 255.255.255.255 0 0
static (inside,dmz) 92.0.0.0 92.0.0.0 netmask 255.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthIn protocol tacacs+
aaa-server AuthIn (inside) host 92.0.0.44 ********** timeout 10
aaa authentication telnet console AuthIn
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 92.0.0.161 /pixfirewall
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer YYY.YYY.YYY.149
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication AuthIn
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address YYY.YYY.YYY.149 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool bigpool
vpngroup vpn3000 idle-time 1800
telnet 92.0.0.5 255.255.255.255 inside
telnet 92.0.0.161 255.255.255.255 inside
telnet 92.0.0.13 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
firewall#


other PIX config (VPN ipsec)
------------------------------
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list smtp permit tcp any host 192.168.49.6 eq smtp
access-list 101 permit ip 192.168.49.0 255.255.255.0 92.0.0.0 255.0.0.0
access-list 101 permit icmp 192.168.49.0 255.255.255.0 92.0.0.0 255.0.0.0
access-list 101 permit udp 192.168.49.0 255.255.255.0 92.0.0.0 255.0.0.0
access-list 101 permit tcp 192.168.49.0 255.255.255.0 92.0.0.0 255.0.0.0
access-list nonat permit ip 192.168.49.0 255.255.255.0 92.0.0.0 255.255.255.0
pager lines 24
logging on
logging console debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside ttt.ttt.ttt.149 255.255.255.248
ip address inside 192.168.49.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 rrr.rrr.rrr.150 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer xxx.xxx.xxx.91
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.91 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3000
telnet 192.168.49.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
pixfirewall(config)#
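
As an added example (not part of the thread), a small Python check that reads the posted PIX 515 lines the answer above refers to: the routing table (static routes plus the connected inside network), the crypto map match list (access-list 101) and the nat 0 list (nonat). For each VPN flow it reports whether the PIX has a route to the local subnet, a crypto match entry and a NAT exemption, and it lists nat 0 entries that no crypto match entry covers, since traffic exempted from NAT but not selected for IPsec leaves the outside interface untranslated. ACL names and subnets are taken from the posted config; the parser ignores the protocol field and skips host/port-style entries.

```python
import ipaddress
import re

# Lines of the PIX 515 config posted above that this check reads (gateway as posted).
PIX_CONFIG = """
ip address inside 92.0.0.90 255.0.0.0
access-list 101 permit ip 92.0.0.0 255.0.0.0 192.168.49.0 255.255.255.0
access-list 101 permit ip 93.0.0.0 255.255.255.0 92.0.3.0 255.255.255.0
access-list nonat permit ip 92.0.0.0 255.0.0.0 192.168.49.0 255.255.255.0
access-list nonat permit ip 92.0.0.0 255.255.255.0 80.0.0.0 255.0.0.0
access-list nonat permit ip 93.0.0.0 255.255.255.0 92.0.3.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.89 1
"""
ACE = re.compile(r"access-list (\S+) permit \S+ (\S+) (\S+) (\S+) (\S+)$")  # protocol ignored
ROUTE = re.compile(r"(?:route|ip address) (\S+) (\S+) (\S+)")  # static or connected route

def net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse(config):
    acls, routes = {}, []  # acls: {name: [(src_net, dst_net)]}, routes: [(iface, net)]
    for line in config.splitlines():
        try:
            if m := ACE.match(line):
                name, s, sm, d, dm = m.groups()
                acls.setdefault(name, []).append((net(s, sm), net(d, dm)))
            elif m := ROUTE.match(line):
                routes.append((m.group(1), net(m.group(2), m.group(3))))
        except ValueError:
            pass  # "any"/"host" forms and masked addresses such as xxx.xxx.xxx.91
    return acls, routes

def covers(entries, src, dst):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def route_for(routes, dst):
    hits = [r for r in routes if dst.subnet_of(r[1])]  # longest prefix wins
    return max(hits, key=lambda r: r[1].prefixlen)[0] if hits else None

def check_vpn_flow(acls, routes, local, remote):
    """local = LAN the tunnel must reach, remote = peer LAN or client pool; local must route inside."""
    local, remote = ipaddress.IPv4Network(local), ipaddress.IPv4Network(remote)
    return {"route_to_local": route_for(routes, local),
            "crypto_match": covers(acls.get("101", []), local, remote),
            "nat_exempt": covers(acls.get("nonat", []), local, remote)}

def unprotected_exemptions(acls):
    """nat 0 entries no crypto ACE covers: that traffic leaves un-NATed and in the clear."""
    crypto = acls.get("101", [])
    return [f"{s} -> {d}" for s, d in acls.get("nonat", []) if not covers(crypto, s, d)]
```

For the 93.0.0.0/24 network behind the 2620 the check reports the crypto and nonat entries present but the route resolving to outside (only the default route exists), which is the static route the answer above says to add.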
