1 Reply. Latest reply: Nov 27, 2008 9:10 PM by B Haines

    VPN Routing troubles

    KenWood_MD

       

I need some guidance please.

I have a CISCO PIX 501 set up on a subnet off my main router with a site-to-site VPN tunnel to another location in the country. I also have several systems behind the PIX. I spoke with several engineers about allowing VPN clients to connect to the PIX so they can access the systems behind the PIX, access the tunnel, and do a hairpin back out the interface they came in on for internet access. I have been told by my security people that a split tunnel is not allowed. The PIX 501 does not have the capability to run the command "same-security-traffic permit intra-interface", so I needed to set up a different way to allow remote users to access my subnet behind the PIX and to access the tunnel on the PIX to the satellite location. I set up a CISCO 1721 router with the IOS "C1700 Software (C1700-K9O3SY7-M), Version 12.3(26), RELEASE SOFTWARE (fc2)". This router is connected to a different subnet off my main router. The VPN is set up and the users are able to log in to the site and gain access to the systems inside, and I added a route statement directing them to the PIX to traverse the tunnel. The two problems now are these:

1. The 1721 also does not recognize the command "same-security-traffic permit intra-interface", so without a split tunnel I have not been able to successfully route internet access out the PIX.

2. The VPN connection does not respond with the correct subnet mask or default gateway for the remote users. This causes a few of them to be unable to get access to the PIX subnet or the tunnel.

I also do not have the option of getting a VPN concentrator or upgrading my PIX; I am stuck with the equipment I have. Does anyone have any suggestions on how to allow the users to surf the internet through the PIX when they have come in on the VPN from the 1721, and how do I get the VPN clients to receive the correct default gateway and subnet mask once they connect?

       

       

       

       

       

Abbreviated PIX config

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
name 10.20.10.0 inside
name 172.16.1.220 REMOTE_SYS2
name 172.16.1.154 REMOTE_SYS1
name 172.16.1.228 REMOTE_SYS4
name 10.20.10.20 Local_Sys_DNS
name 206.135.25.100 REMOTE_Tunnel_Host
object-group network REMOTE_ACCESS
  description Access through tunnel to REMOTE
  network-object REMOTE_SYS1 255.255.255.255
  network-object REMOTE_SYS4 255.255.255.255
  network-object REMOTE_SYS2 255.255.255.255
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any traceroute
access-list 101 permit ip inside 255.255.255.0 object-group REMOTE_ACCESS
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 67.133.238.130 255.255.255.224
ip address inside 10.20.10.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside 255.255.255.0 inside
pdm location REMOTE_SYS1 255.255.255.255 outside
pdm location REMOTE_SYS2 255.255.255.255 outside
pdm location REMOTE_SYS4 255.255.255.255 outside
pdm location REMOTE_Tunnel_Host 255.255.255.255 outside
pdm location Local_Sys_DNS 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 67.133.238.142 Local_Sys_DNS netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 216.127.134.129 1
timeout xlate 0:05:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:00:00 sip 0:30:00 sip_media 0:00:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:00:00 absolute
sysopt connection permit-ipsec
crypto ipsec transform-set My_Local esp-3des esp-md5-hmac
crypto map My_Local 10 ipsec-isakmp
crypto map My_Local 10 match address 101
crypto map My_Local 10 set peer REMOTE_Tunnel_Host
crypto map My_Local 10 set transform-set My_Local
crypto map My_Local interface outside
isakmp enable outside
isakmp key ******** address REMOTE_Tunnel_Host netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ssh inside 255.255.255.0 inside
ssh timeout 15
management-access inside
console timeout 0
vpdn enable outside
dhcpd address 10.20.10.120-10.20.10.149 inside
dhcpd dns Local_Sys_DNS
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain my.domain.org
dhcpd enable inside
terminal width 80


Abbreviated 1721 config

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
no ip domain lookup
ip domain name my.domain.org
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip audit po max-events 100
!
{usernames and pw for local authentication for VPN}
!
ip ssh authentication-retries 2
!
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group MYVPN
 key ***********
 dns 10.20.10.20
 domain my.domain.org
 pool SDM_POOL_1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface FastEthernet0
 no ip redirects
 no ip unreachables
 speed auto
!
interface FastEthernet0.9
 description $FW_INSIDE$
 encapsulation dot1Q 9
 ip address 10.20.10.2 255.255.255.0
 ip access-group 100 in
 ip nat inside
!
interface FastEthernet0.200
 description $FW_OUTSIDE$
 encapsulation dot1Q 200
 ip address 67.133.238.194 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 crypto map SDM_CMAP_1
!
interface Serial0
 no ip address
 shutdown
!
ip local pool SDM_POOL_1 10.20.10.175 10.20.10.250
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0.200 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0.200
ip route 10.20.10.0 255.255.255.0 FastEthernet0.9
ip route 172.16.1.0 255.255.255.0 10.20.10.1
ip route 67.133.238.192 255.255.255.252 FastEthernet0.200
no ip http server
ip http secure-server
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.20.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 10.20.10.20 eq 1645 host 10.20.10.2
access-list 100 permit udp host 10.20.10.20 eq 1646 host 10.20.10.2
access-list 100 deny ip 67.133.238.192 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 10.20.10.175 10.20.10.0 0.0.0.255
! goes to
access-list 101 permit ip host 10.20.10.250 10.20.10.0 0.0.0.255
access-list 101 permit ip host 10.20.10.175 any
! goes to
access-list 101 permit ip host 10.20.10.250 any
access-list 101 permit udp any host 67.133.238.194 eq non500-isakmp
access-list 101 permit udp any host 67.133.238.194 eq isakmp
access-list 101 permit esp any host 67.133.238.194
access-list 101 permit ahp any host 67.133.238.194
access-list 101 deny ip 10.20.10.0 0.0.0.255 any
access-list 101 permit icmp any host 67.133.238.194 echo-reply
access-list 101 permit icmp any host 67.133.238.194 time-exceeded
access-list 101 permit icmp any host 67.133.238.194 unreachable
access-list 101 permit tcp host 67.133.238.2 host 67.133.238.194 eq 443
access-list 101 permit tcp host 67.133.238.2 host 67.133.238.194 eq 22
access-list 101 permit tcp host 67.133.238.2 host 67.133.238.194 eq cmd
access-list 101 permit eigrp any any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip 10.20.10.0 0.0.0.255 host 10.20.10.175
! goes to
access-list 102 deny ip 10.20.10.0 0.0.0.255 host 10.20.10.250
access-list 102 deny ip any host 10.20.10.175
! goes to
access-list 102 deny ip any host 10.20.10.250
access-list 102 permit ip 10.20.10.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 10.20.10.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 5 0
 transport input ssh
line vty 5 15
 exec-timeout 5 0
 transport input ssh
!
end

       

       

       

       

       

I know this is a long post, and I appreciate any help.

Thank you
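Added example (not part of the post above, and not a Cisco tool): before changing addresses or routes it helps to check mechanically whether the remote-access client pool overlaps a directly connected subnet, and whether the PIX ACL that drives both `nat (inside) 0` and the crypto map actually covers the pool. The two config excerpts below are constructed from the addresses and names in the post; the helper functions and their names are mine. On the posted values the script reports that the pool 10.20.10.175-10.20.10.250 lies inside the 10.20.10.0/24 that both FastEthernet0.9 on the 1721 and the PIX inside interface use (a pool carved out of a connected LAN relies on the router answering ARP for those addresses on that LAN), and that PIX access-list 101 does cover the pool.

```python
"""Check a remote-access VPN pool against connected subnets and a PIX crypto ACL."""
import ipaddress
import re

# Constructed excerpt modelled on the posted 1721 config (not a verbatim copy).
ROUTER_CFG = """
interface FastEthernet0.9
 ip address 10.20.10.2 255.255.255.0
interface FastEthernet0.200
 ip address 67.133.238.194 255.255.255.252
ip local pool SDM_POOL_1 10.20.10.175 10.20.10.250
ip route 172.16.1.0 255.255.255.0 10.20.10.1
"""

# Constructed excerpt modelled on the posted PIX 6.3(5) config.
PIX_CFG = """
name 10.20.10.0 inside
name 172.16.1.154 REMOTE_SYS1
object-group network REMOTE_ACCESS
  network-object REMOTE_SYS1 255.255.255.255
access-list 101 permit ip inside 255.255.255.0 object-group REMOTE_ACCESS
ip address outside 67.133.238.130 255.255.255.224
ip address inside 10.20.10.1 255.255.255.0
nat (inside) 0 access-list 101
crypto map My_Local 10 match address 101
"""

ADDR = r"\d+\.\d+\.\d+\.\d+"


def local_pool(cfg):
    """Return (first, last) address of the first 'ip local pool' statement."""
    m = re.search(r"^ip local pool \S+ (\S+) (\S+)", cfg, re.M)
    if m is None:
        raise ValueError("no 'ip local pool' statement found")
    return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))


def connected_subnets(cfg):
    """Map interface name -> IPv4Network.  Understands the IOS form
    ('interface X' followed by ' ip address A M') and the PIX 6.x form
    ('ip address <nameif> A M')."""
    subnets, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(rf"^ip address (\S+) ({ADDR}) ({ADDR})$", line)
        if m:  # PIX: nameif, address, mask
            subnets[m.group(1)] = ipaddress.IPv4Interface(f"{m.group(2)}/{m.group(3)}").network
            continue
        m = re.match(rf"^ip address ({ADDR}) ({ADDR})$", line)
        if m and current:  # IOS: address, mask under the current interface block
            subnets[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
    return subnets


def overlapping_subnets(pool, subnets):
    """Names of interfaces whose subnet contains at least one pool address."""
    first, last = pool
    return sorted(name for name, net in subnets.items()
                  if first <= net.broadcast_address and last >= net.network_address)


def acl_source_networks(cfg, acl_id):
    """Source networks of 'permit ip <src> <mask> ...' entries in a PIX ACL,
    with 'name' aliases resolved to addresses."""
    names = {alias: addr for addr, alias in re.findall(r"^name (\S+) (\S+)$", cfg, re.M)}
    nets = []
    for src, mask in re.findall(rf"^access-list {acl_id} permit ip (\S+) (\S+) ", cfg, re.M):
        src = names.get(src, src)
        nets.append(ipaddress.IPv4Interface(f"{src}/{mask}").network)
    return nets


def pool_covered(pool, nets):
    """True when every pool address matches some ACL source network, i.e. client
    traffic to the far site is both NAT-exempt and selected for encryption."""
    first, last = pool
    return all(any(ipaddress.IPv4Address(i) in n for n in nets)
               for i in range(int(first), int(last) + 1))


def run_checks():
    """Run both checks over the constructed excerpts and return the findings."""
    pool = local_pool(ROUTER_CFG)
    subnets = {**connected_subnets(ROUTER_CFG), **connected_subnets(PIX_CFG)}
    return {
        "pool": (str(pool[0]), str(pool[1])),
        "overlaps": overlapping_subnets(pool, subnets),
        "crypto_acl_covers_pool": pool_covered(pool, acl_source_networks(PIX_CFG, 101)),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Pointing `ROUTER_CFG` and `PIX_CFG` at real `show running-config` output works the same way, since the parser only looks at `interface`, `ip address`, `ip local pool`, `name` and `access-list` lines; a pool that is moved to its own subnet shows up as an empty `overlaps` list, and the `crypto_acl_covers_pool` flag then tells you whether the PIX ACL still needs a matching entry for the new range.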