Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Westi on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX to PIX VPN

Status
Not open for further replies.
kcb5

kcb5

MIS
Jun 26, 2003
2
US
Hello...

I have a Pix to Pix vpn set up with a client that has been working fine. It protects any traffic originating from my external address (216.115.133.15) that is destined to the external address of the machine at the client's site (214.66.40.15). Now I've been asked to allow other traffic to pass through the same tunnel from our other external addresses to an internal address (10.1.1.x) at the client's site. Should I simply be able to add an access-list statement for this to work?

Orininal:
access-list 100 permit ip host 216.115.133.15 host 214.66.40.15

New statement (?):
access-list 100 permit ip 216.115.134.0 255.255.255.0 host 10.1.1.10

I've tried this and it has not worked. Is there an issue with the internal ip? Do I need a route statement or something? The client has no public ip's available and cannot use port redirection because they haven't upgraded to 6.0 yet.


Thanks for any help!

kc
 
Sort by date Sort by votes
Okay - if I understand correctly - the new address space -
10.1.1.x is behind the same firewall as your existing vpn
partner - 214.66.40.15. You want this 10.1.1.x address
space to see your inside private network - this you didn't
specify -

if that is the case you should be able to do

access-list 130 permit ip your.inside.network.xxx 255.255.255.0 10.1.1.0 255.255.255.0
crypto map yourmapname 10 match address 130
(gets added just before you set the peer address, in your
firewall, to 214.66.40.15, in your crypto map settings.)

This tells the PIX to PIX VPN what private address space to allow from your inside network to theirs.

Oh - and if you have any RFC1918 blocking access lists,
you may need to modify the one for your inside network as follows:

access-list inside_in permit ip any 10.1.1.0 255.255.255.0
access-list inside_in deny ip any 10.0.0.0 255.0.0.0

"If you lived here, you'd be home by now!"

George Carlin
 
Upvote 0 Downvote
The new address is behind the same firewall as my existing vpn partner. I don't want them to be able to see my inside network...I just need to be able to get to this particular private address (10.1.1.10) just like i'm already getting to another machine (214.66.40.15) on their side (but i'm using the public address of this other machine).

I'll try to post config later if that would help.

Thanks for your help
 
Upvote 0 Downvote
!--- This command tells the PIX not to NAT any traffic
!--- deemed interesting for IPSec.

nat (inside) 0 access-list 130

<if using that 130 ids's> from hawknwak
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
776
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
642
Johnkite
Johnkite
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
643
intel233
intel233
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
229
gkittelson
gkittelson
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
788
Shmid
Shmid

Part and Inventory Search

Sponsor

Back
Top