
Pix VPN multiple networks


Peeps

Please can you answer a question for me. I've installed a PIX and have it connecting to our firewall at another office via VPN. This seems to be working nicely. However, there is another network connected at the VPN site which I cannot connect to across the VPN. Any ideas? I have been playing around with access-lists and also adding routes.
 
Hi.

You will need to provide much more details to get better answers.

There are probably configurations that need to be applied to your local PIX, the remote firewall, and maybe the remote internal router as well.

At the PIX you should add the inaccessible subnet to the access-list that defines the traffic that should be VPNed, and to the access-list used for NAT 0 if it is a different ACL.

At the remote firewall (is it another PIX?) you also need to check the access-lists.

At the remote internal router you probably do not need modifications, but this should be verified against its routing configuration.

Bye
Yizhar Hurwitz
 
Yizhar

Thanks for the input. Sorry I didn't leave more information.
At the moment we have a PIX connecting to a Watchguard Firebox via VPN. The VPN is working fine, as we can see each other's networks. However, like I say, we have another network connected on the Firebox side. Let's say the private IP of the network we cannot see from the PIX is 192.168.4.0/24. I've added some access-lists as follows.
access-list 101 permit 192.168.4.0 255.255.255.0 10.11.0.0 255.255
access-list 101 permit 10.11.0.0 255.255.0.0 192.168.4.0 255.255.255.0
Is this correct???
What do I have to do now? You say I have to add a NAT.
This is the NAT I have in place.
nat (inside) 0 access-list 101

Is this correct??

Thanks in advance!!
 
Hi.

I will assume the following network

10.11.0.0/24 subnet
pix
internet
firebox
192.168.1.0/24
router
192.168.4.0/24

In that case, here is a partial config of the PIX,
BUT THE FIREBOX CONFIGURATION MUST ALSO BE CHECKED!

access-list 101 permit ip 10.11.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 10.11.0.0 255.255.0.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list 101
crypto map mymap XXX match address 101

There is no need for the reverse access-list if you are using "sysopt connection permit-ipsec".
If you are not using this command, then you need to adjust the access-list that is bound to the PIX outside interface.

Bye
Yizhar Hurwitz
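A quick consistency check for the kind of configuration described in the post above, added here as an example and not taken from the thread or from Cisco: it parses the PIX access-list, nat 0 and crypto map lines, reports which remote subnets are missing from the crypto map match ACL or from the nat 0 ACL, flags access-list lines it cannot parse (such as one with no protocol keyword), and can print the reverse entries the outside ACL needs when sysopt is not used. The config text inside it is constructed for the illustration; the ACL names 101 and nonat, the map name mymap and the outside ACL name outside_in are assumed, and only the network/mask ACL form used in this thread is understood.

```python
"""Check a PIX 6.x IPsec config for a second remote subnet.

Added example, not code from the thread: it parses the access-list,
nat 0 and crypto map lines of a PIX config and reports what is missing
for each remote subnet that should be reachable through the tunnel.
"""
import ipaddress
import re

# Constructed sample config (not from the thread): 192.168.4.0/24 is in the
# crypto ACL, but the nat 0 list is a different ACL that lacks it; one ACL
# line has no protocol keyword; sysopt connection permit-ipsec is absent.
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.11.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 10.11.0.0 255.255.0.0 192.168.4.0 255.255.255.0
access-list 101 permit 192.168.4.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list nonat permit ip 10.11.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map mymap 10 match address 101
"""

# Only the network/mask form used in the thread is parsed; anything else
# (host/any forms, a missing protocol keyword) is reported, not ignored.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)$"
)


def parse_config(text):
    """Return ACL entries, the nat 0 ACL name, crypto map ACL names and sysopt state."""
    acls = {}          # ACL name -> list of (src_network, dst_network)
    unparsed = []      # access-list lines the regex did not accept
    nat0_acl = None
    crypto_acls = set()
    sysopt = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            m = ACL_RE.match(line)
            if m is None:
                unparsed.append(line)
                continue
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            acls.setdefault(m["name"], []).append((src, dst))
        elif line.startswith("nat ") and " 0 access-list " in line:
            nat0_acl = line.split()[-1]
        elif line.startswith("crypto map ") and " match address " in line:
            crypto_acls.add(line.split()[-1])
        elif line == "sysopt connection permit-ipsec":
            sysopt = True
    return {"acls": acls, "unparsed": unparsed, "nat0_acl": nat0_acl,
            "crypto_acls": crypto_acls, "sysopt": sysopt}


def check_remote_subnets(text, local, remotes):
    """List what the config lacks for local<->remote traffic to use the tunnel."""
    cfg = parse_config(text)
    local = ipaddress.ip_network(local)
    findings = [f"unparsed access-list line (protocol keyword missing?): {line}"
                for line in cfg["unparsed"]]
    crypto_pairs = set()
    for name in cfg["crypto_acls"]:
        crypto_pairs.update(cfg["acls"].get(name, []))
    nat0_pairs = set(cfg["acls"].get(cfg["nat0_acl"], []))
    for r in remotes:
        remote = ipaddress.ip_network(r)
        if (local, remote) not in crypto_pairs:
            findings.append(f"{remote}: not in the crypto map match ACL, so it will not be encrypted")
        if (local, remote) not in nat0_pairs:
            findings.append(f"{remote}: not in the nat 0 ACL, so it will be translated before the tunnel")
    if not cfg["sysopt"]:
        findings.append("sysopt connection permit-ipsec absent: the outside ACL must permit the decrypted traffic")
    return findings


def reverse_entries(acl_name, local, remotes):
    """Outside-interface ACL lines admitting remote->local traffic when sysopt is not used."""
    local = ipaddress.ip_network(local)
    lines = []
    for r in remotes:
        remote = ipaddress.ip_network(r)
        lines.append(f"access-list {acl_name} permit ip {remote.network_address} "
                     f"{remote.netmask} {local.network_address} {local.netmask}")
    return lines


if __name__ == "__main__":
    REMOTES = ["192.168.1.0/24", "192.168.4.0/24"]
    for finding in check_remote_subnets(SAMPLE_CONFIG, "10.11.0.0/16", REMOTES):
        print("-", finding)
    for entry in reverse_entries("outside_in", "10.11.0.0/16", REMOTES):
        print(entry)
```

Run against the constructed config it reports three things: the line without a protocol keyword, 192.168.4.0/24 missing from the nat 0 ACL, and the absent sysopt. Add the missing nonat line and the sysopt command and only the unparsed line remains, which is the order of checks a practitioner would make by hand on the PIX side before looking at the Firebox.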
 
Peeps, It cannot be done.

The PIX is not a router and, by the nature of IPsec, it can only respond to the packet. I actually tried allowing a VPN client to VPN into the PIX for the purposes of accessing another network that was attached to the PIX via a VPN. I could not get it to work, so I opened a case with TAC. The person I spoke with said it could not be done, at least with the PIX.

You need to nail up a direct connection between your site and the remote site. In essence, creating a triangle VPN topology.

Iota
 
OK

Very confused.

Lets start again
pix> 10.11.0.0/16
|
VPN
|
Firebox 192.168.1.0/24
|
Leased line with router
|
192.168.4.0/24

From the PIX I cannot see the 192.168.4.0 network, and cannot see it backwards either.
I understand the PIX isn't a router; what should be my next step to getting 10.11.0.0 and 192.168.4.0 to see each other?

Yizhar is this possible with the instructions you gave me?

Iota, how do you mean a triangle VPN? Do you mean create a tunnel for the 192.168.4.0 traffic also?



The Inspector
 
Yizhar is right, as usual! You have to look at the config on the other firewall.

Just to raise a point regarding Iota: there should be nothing stopping you from seeing the 192.168 network from the VPN connection if the correct routes are set up. When you log into a network via VPN you become, in effect, a local user. Firewalls are not routers, but static routes can be added to point them in the right direction, i.e. the next-hop router or firewall. To see the 192.168 network from the VPN, the Firebox needs to know where the 192.168 network is!

Good luck with this!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 