VPN Client Routing

JCDugas (MIS), Dec 26, 2001, US
I would like to be able to connect to servers in my other branch when I connect via VPN to my "Main" office. When I'm connected, I can only browse my "Main" office's subnet.

Any ideas?

Configs are attached...

*******************************PIX*****************************

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100basetx
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password ************ encrypted
passwd ************ encrypted
hostname gate
domain-name domain
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 permit ip 192.168.20.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 permit ip 192.168.30.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list 100 permit ip any 172.16.1.0 255.255.255.224
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list acl_outside permit icmp any any
access-list acl_outside permit tcp any host X.X.X.2 eq smtp
access-list acl_outside permit tcp any host X.X.X.3 eq www
access-list acl_outside permit tcp any host X.X.X.3 eq https
access-list acl_outside permit tcp any host X.X.X.4 eq https
access-list acl_outside permit tcp any host X.X.X.5 eq https
access-list acl_outside permit tcp any host X.X.X.6 eq https
access-list acl_outside permit tcp any host X.X.X.8 eq 3389
access-list acl_outside permit tcp any host X.X.X.8 eq www
access-list acl_outside permit tcp any host X.X.X.8 eq https
access-list acl_outside permit tcp any host X.X.X.8 eq 444
access-list acl_outside permit tcp any host X.X.X.8 eq 989
access-list acl_outside permit tcp any host X.X.X.8 range 1120 1128
access-list dmz permit tcp host 192.168.2.21 host 192.168.1.27 eq smtp
access-list dmz permit tcp host 192.168.2.20 host 192.168.1.27 eq smtp
access-list dmz permit tcp host 192.168.2.21 host 192.168.1.22 eq 88
access-list dmz permit tcp host 192.168.2.21 host 192.168.1.23 eq 88
access-list dmz permit tcp host 192.168.2.21 host 192.168.1.24 eq 88
access-list dmz permit tcp host 192.168.2.21 host 192.168.1.36 eq https
access-list dmz permit tcp host 192.168.2.21 host 192.168.1.36 eq 442
access-list dmz permit tcp host 192.168.2.21 host 192.168.1.22 eq citrix-ica
access-list dmz permit tcp host 192.168.2.21 host 192.168.1.23 eq citrix-ica
access-list dmz permit tcp host 192.168.2.21 host 192.168.1.24 eq citrix-ica
access-list dmz permit tcp host 192.168.2.21 host 192.168.1.22 eq 442
access-list dmz permit tcp host 192.168.2.21 host 192.168.1.23 eq 442
access-list dmz permit tcp host 192.168.2.21 host 192.168.1.24 eq 442
access-list dmz permit tcp host 192.168.2.21 host 192.168.1.33 eq www
access-list dmz permit tcp host 192.168.2.21 host 192.168.1.151 eq ftp
access-list dmz deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list dmz deny ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list dmz deny icmp any any
access-list dmz permit ip 192.168.2.0 255.255.255.0 any
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 172.16.1.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list 2DMZ permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.2.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 172.16.0.0 255.255.0.0 192.168.30.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap informational
logging history debugging
logging host inside 192.168.1.33
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside X.X.X.13 255.255.255.240
ip address inside 192.168.1.11 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 172.16.1.1-172.16.1.25
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm history enable
arp timeout 14400
global (outside) 1 55.55.55.55
nat (inside) 0 access-list 100
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (dmz) 0 access-list 2DMZ
nat (dmz) 1 192.168.2.0 255.255.255.0 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (inside,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0
static (inside,dmz) 192.168.30.0 192.168.30.0 netmask 255.255.255.0 0 0
static (dmz,outside) X.X.X.2 192.168.2.20 netmask 255.255.255.255 0 0
static (dmz,outside) X.X.X.3 192.168.2.22 netmask 255.255.255.255 0 0
static (inside,outside) X.X.X.6 192.168.1.27 netmask 255.255.255.255 0 0
static (dmz,outside) X.X.X.7 192.168.2.15 netmask 255.255.255.255 0 0
static (dmz,outside) X.X.X.8 192.168.2.21 netmask 255.255.255.255 0 0
static (inside,outside) X.X.X.11 192.168.1.230 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 X.X.X.1 1
route outside 172.16.10.0 255.255.255.0 192.168.1.225 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.26 *********** timeout 10
aaa-server LOCAL protocol local
ntp server 137.146.210.250 source outside prefer
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
http 192.168.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
sysopt noproxyarp inside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer X.X.X.X
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer X.X.X.X
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer X.X.X.X
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key ********* address X.X.X.X netmask 255.255.255.224 no-xauth no-config-mode
isakmp key ********* address X.X.X.X netmask 255.255.255.248 no-xauth no-config-mode
isakmp key ********* address X.X.X.X netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ********* address X.X.X.X netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup nelifevpn address-pool VPN
vpngroup nelifevpn dns-server 192.168.1.33 192.168.1.26
vpngroup nelifevpn default-domain domain
vpngroup nelifevpn idle-time 900
vpngroup nelifevpn password *********
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 15
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
management-access inside
console timeout 15
terminal width 80


******************************ROUTER 1*********************************************

!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router1
!
logging buffered 20000 debugging
no logging on
enable secret 5 *********************
!
ip subnet-zero
!
!
no ip domain-lookup
!
!
class-map match-all voice-traffic
match access-group 101
!
!
policy-map llq
class voice-traffic
priority 100
class class-default
fair-queue
!
!
!
!
interface Ethernet0/0
description Connected to Switch
bandwidth 10000
ip address 192.168.1.1 255.255.255.0
no ip redirects
full-duplex
!
interface Serial0/0
no ip address
encapsulation frame-relay IETF
no ip mroute-cache
load-interval 30
no fair-queue
frame-relay traffic-shaping
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
description connected to Router3
bandwidth 1544
ip address 10.0.30.1 255.255.255.0
frame-relay class Concord
frame-relay interface-dlci 18
!
interface Serial0/0.2 point-to-point
description connected to Branch2
bandwidth 1544
ip address 10.0.20.1 255.255.255.0
frame-relay class Portland
frame-relay interface-dlci 19
!
router eigrp 10
network 10.0.0.0
network 192.168.1.0
auto-summary
no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.11
ip route 172.16.10.0 255.255.255.0 192.168.1.225
no ip http server
ip pim bidir-enable
!
!
map-class frame-relay Router3
no frame-relay adaptive-shaping
frame-relay cir 512000
frame-relay bc 5120
frame-relay be 0
frame-relay mincir 512000
service-policy output llq
!
map-class frame-relay Router2
no frame-relay adaptive-shaping
frame-relay cir 512000
frame-relay bc 5120
frame-relay be 0
frame-relay mincir 512000
service-policy output llq
no logging trap
access-list 101 permit ip host 192.168.1.100 host 192.168.20.100
access-list 101 permit ip host 192.168.20.100 host 192.168.1.100
access-list 101 permit ip host 192.168.1.100 host 192.168.30.100
access-list 101 permit ip host 192.168.30.100 host 192.168.1.100
snmp-server engineID local *********************
snmp-server community public RO
snmp-server community relish RW
snmp-server enable traps tty
!
line con 0
exec-timeout 0 0
password 7 *********************
login
line aux 0
line vty 0 4
timeout login response 0
password 7 *********************
login
!
end


******************************ROUTER 2*********************************************
!
version 12.2
service config
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router2
!
enable secret 5 *********************
!
memory-size iomem 25
ip subnet-zero
no ip domain-lookup
!
!
class-map match-all voice-traffic
match access-group 101
!
!
policy-map llq
class voice-traffic
priority 100
class class-default
fair-queue
!
!
!
!
interface FastEthernet0
description connected to Switch
ip address 192.168.20.1 255.255.255.0
no ip redirects
speed auto
!
interface Serial0
bandwidth 1544
no ip address
encapsulation frame-relay IETF
load-interval 30
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
description connected to Router1
bandwidth 1544
ip address 10.0.20.2 255.255.255.0
frame-relay class Router2
frame-relay interface-dlci 16
!
router eigrp 10
network 10.0.0.0
network 192.168.20.0
auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.20.11
ip route 172.16.1.0 255.255.255.0 10.0.20.1
ip route 192.168.30.0 255.255.255.0 192.168.20.11
no ip http server
!
!
map-class frame-relay Router2
no frame-relay adaptive-shaping
frame-relay cir 512000
frame-relay bc 5120
frame-relay be 0
frame-relay mincir 512000
service-policy output llq
frame-relay fragment 800
access-list 101 permit ip host 192.168.1.100 host 192.168.20.100
access-list 101 permit ip host 192.168.20.100 host 192.168.1.100
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
exec-timeout 0 0
password 7 *********************
login
line aux 0
line vty 0 4
password 7 *********************
login
!
end



Jeremy
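A consistency check for the question above, added here as an example and not part of the original post or of any Cisco tool: it parses a constructed excerpt of the posted PIX config and reports, for each inside network that is NAT-exempted (nat 0) towards the VPN client pool, which interface the PIX would forward decrypted client traffic out of, by longest-prefix match against connected interface networks and static routes. The ACL parser handles only the address forms that occur in the excerpt.

```python
import ipaddress

# Constructed excerpt of the posted PIX config: the lines that decide where decrypted VPN-client traffic goes.
PIX_CONFIG = """
ip address inside 192.168.1.11 255.255.255.0
ip local pool VPN 172.16.1.1-172.16.1.25
access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 permit ip 192.168.20.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 permit ip 192.168.30.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 permit ip any 172.16.1.0 255.255.255.224
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 X.X.X.1 1
"""

def parse_addr(tok):
    # One ACL address group: 'any' or 'ADDR MASK' ('host' does not occur in the excerpt)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_pix(text):
    cfg = {"if_nets": {}, "routes": [], "pool": None, "nat0": {}, "acls": {}}
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[:2] == ["ip", "address"]:
            cfg["if_nets"][t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            cfg["pool"] = tuple(ipaddress.ip_address(a) for a in t[4].split("-"))
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = parse_addr(t[4:])
            cfg["acls"].setdefault(t[1], []).append((src, parse_addr(rest)[0]))
        elif t[0] == "nat" and t[2] == "0":
            cfg["nat0"][t[1].strip("()")] = t[4]  # interface -> NAT-exempt ACL name
        elif t[0] == "route":  # the next hop is irrelevant to the interface choice
            cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)))
    return cfg

def egress_interface(cfg, net):
    """Longest-prefix match of a network over connected interface networks and static routes."""
    best = None
    for ifname, prefix in [(n + " (connected)", p) for n, p in cfg["if_nets"].items()] + cfg["routes"]:
        if net.subnet_of(prefix) and (best is None or prefix.prefixlen > best[1].prefixlen):
            best = (ifname, prefix)
    return best[0] if best else "no route"

def vpn_client_reachability(cfg):
    """Inside networks NAT-exempted towards the whole client pool, mapped to the
    interface the PIX would forward decrypted client traffic out of to reach them."""
    return {str(src): egress_interface(cfg, src)
            for src, dst in cfg["acls"][cfg["nat0"]["inside"]]
            if src.prefixlen and all(a in dst for a in cfg["pool"])}  # skip 'any' sources
```

Calling `vpn_client_reachability(parse_pix(PIX_CONFIG))` resolves only 192.168.1.0/24 to the connected inside interface; 192.168.20.0/24 and 192.168.30.0/24 match nothing but the default route and so fall out of the outside interface, since the posted config has no `route inside` entries for the branch networks, which is the first thing to verify when client traffic only reaches the main subnet.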
 