3630 Views, 1 Reply. Latest reply: Nov 27, 2008 9:10 PM by B Haines
VPN Routing troubles

Nov 24, 2008 7:39 PM

KenWood_MD (1 post since Nov 24, 2008)

I need some guidance please.

I have a CISCO PIX 501 set up on a subnet off my main router with a site-to-site VPN tunnel to another location in the country. I also have several systems behind the PIX. I spoke with several engineers about allowing VPN clients to connect to the PIX to allow them access to the systems behind the PIX, access through the tunnel, and do a hairpin back out the interface from where they came for internet access. I have been told by my security people that a split tunnel is not allowed. The PIX 501 does not have the capability to run the command "same-security-traffic permit intra-interface", so I needed to set up a different way to allow remote users to access my subnet behind the PIX and access the tunnel on the PIX to the satellite location. I set up a CISCO 1721 router with the IOS "C1700 Software (C1700-K9O3SY7-M), Version 12.3(26), RELEASE SOFTWARE (fc2)". This router is connected to a different subnet off my main router. The VPN is set up and the users are able to log in to the site and gain access to the systems inside, and I added a route statement directing them to the PIX to traverse the tunnel. The two problems now are these:

1. The 1721 also does not recognize the command "same-security-traffic permit intra-interface", so without the split tunnel I have not been able to successfully route internet access out the PIX.

2. The VPN connection does not respond with the correct subnet mask or default gateway for the remote users. This causes only a few of them to be unable to get access to the PIX subnet or the tunnel.

I also do not have the option of getting a VPN concentrator or upgrading my PIX. I am stuck with the equipment I have. Does anyone have any suggestions on how to allow the users to surf the internet through the PIX when they have come in on the VPN from the 1721, and how do I get the VPN clients to get the correct default gateway and subnet mask once they connect?
Abbreviated PIX config

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
name 10.20.10.0 inside
name 172.16.1.220 REMOTE_SYS2
name 172.16.1.154 REMOTE_SYS1
name 172.16.1.228 REMOTE_SYS4
name 10.20.10.20 Local_Sys_DNS
name 206.135.25.100 REMOTE_Tunnel_Host
object-group network REMOTE_ACCESS
 description Access through tunnel to REMOTE
 network-object REMOTE_SYS1 255.255.255.255
 network-object REMOTE_SYS4 255.255.255.255
 network-object REMOTE_SYS2 255.255.255.255
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any traceroute
access-list 101 permit ip inside 255.255.255.0 object-group NGIT_ACCESS
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 67.133.238.130 255.255.255.224
ip address inside 10.20.10.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside 255.255.255.0 inside
pdm location REMOTE_SYS1 255.255.255.255 outside
pdm location REMOTE_SYS2 255.255.255.255 outside
pdm location REMOTE_SYS4 255.255.255.255 outside
pdm location REMOTE_Tunnel_Host 255.255.255.255 outside
pdm location Local_Sys_DNS 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 67.133.238.142 Local_Sys_DNS netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 216.127.134.129 1
timeout xlate 0:05:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:00:00 sip 0:30:00 sip_media 0:00:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:00:00 absolute
sysopt connection permit-ipsec
crypto ipsec transform-set My_Local esp-3des esp-md5-hmac
crypto map My_Local 10 ipsec-isakmp
crypto map My_Local 10 match address 101
crypto map My_Local 10 set peer REMOTE_Tunnel_Host
crypto map My_Local 10 set transform-set My_Local
crypto map My_Local interface outside
isakmp enable outside
isakmp key ******** address REMOTE_Tunnel_Host netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ssh inside 255.255.255.0 inside
ssh timeout 15
management-access inside
console timeout 0
vpdn enable outside
dhcpd address 10.20.10.120-10.20.10.149 inside
dhcpd dns Local_Sys_DNS
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain my.domain.org
dhcpd enable inside
terminal width 80

Abbreviated 1721 config

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
no ip domain lookup
ip domain name my.domain.org
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip audit po max-events 100
!
{usernames and pw for local authentication for VPN}
!
ip ssh authentication-retries 2
!
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group MYVPN
 key ***********
 dns 10.20.10.20
 domain my.domain.org
 pool SDM_POOL_1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
interface FastEthernet0
 no ip redirects
 no ip unreachables
 speed auto
interface FastEthernet0.9
 description $FW_INSIDE$
 encapsulation dot1Q 9
 ip address 10.20.10.2 255.255.255.0
 ip access-group 100 in
 ip nat inside
!
interface FastEthernet0.200
 description $FW_OUTSIDE$
 encapsulation dot1Q 200
 ip address 67.133.238.194 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 crypto map SDM_CMAP_1
interface Serial0
 no ip address
 shutdown
!
ip local pool SDM_POOL_1 10.20.10.175 10.20.10.250
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0.200 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0.200
ip route 10.20.10.0 255.255.255.0 FastEthernet0.9
ip route 172.16.1.0 255.255.255.0 10.20.10.1
ip route 67.133.238.192 255.255.255.252 FastEthernet0.200
no ip http server
ip http secure-server
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.20.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 10.20.10.20 eq 1645 host 10.20.10.2
access-list 100 permit udp host 10.20.10.20 eq 1646 host 10.20.10.2
access-list 100 deny ip 67.133.238.192 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 10.20.10.175 10.20.10.0 0.0.0.255
 goes to
access-list 101 permit ip host 10.20.10.250 10.20.10.0 0.0.0.255
access-list 101 permit ip host 10.20.10.175 any
 goes to
access-list 101 permit ip host 10.20.10.250 any
access-list 101 permit udp any host 67.133.238.194 eq non500-isakmp
access-list 101 permit udp any host 67.133.238.194 eq isakmp
access-list 101 permit esp any host 67.133.238.194
access-list 101 permit ahp any host 67.133.238.194
access-list 101 deny ip 10.20.10.0 0.0.0.255 any
access-list 101 permit icmp any host 67.133.238.194 echo-reply
access-list 101 permit icmp any host 67.133.238.194 time-exceeded
access-list 101 permit icmp any host 67.133.238.194 unreachable
access-list 101 permit tcp host 67.133.238.2 host 67.133.238.194 eq 443
access-list 101 permit tcp host 67.133.238.2 host 67.133.238.194 eq 22
access-list 101 permit tcp host 67.133.238.2 host 67.133.238.194 eq cmd
access-list 101 permit eigrp any any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip 10.20.10.0 0.0.0.255 host 10.20.10.175
 goes to
access-list 102 deny ip 10.20.10.0 0.0.0.255 host 10.20.10.250
access-list 102 deny ip any host 10.20.10.175
 goes to
access-list 102 deny ip any host 10.20.10.250
access-list 102 permit ip 10.20.10.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 10.20.10.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 5 0
 transport input ssh
line vty 5 15
 exec-timeout 5 0
 transport input ssh
end

I know this is a long post and I appreciate any help.

Thank you
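Added example, not code from the post or from Cisco: a small first-match evaluator for the IOS extended-ACL syntax used in the 1721 config (wildcard masks, host/any, eq port keywords), run over a constructed subset of the posted access-list 101 so you can check which flows the outside interface actually admits (IKE/ESP to the router, the pool-address entries, the anti-spoof denies) before touching the routing. The outside hosts 203.0.113.5 and 198.51.100.1 used in the checks are made-up documentation addresses.

```python
import ipaddress

# Constructed subset of the 1721's inbound "access-list 101" from the post, in posted order.
ACL_101 = """
access-list 101 permit ip host 10.20.10.175 10.20.10.0 0.0.0.255
access-list 101 permit ip host 10.20.10.175 any
access-list 101 permit udp any host 67.133.238.194 eq isakmp
access-list 101 permit esp any host 67.133.238.194
access-list 101 deny ip 10.20.10.0 0.0.0.255 any
access-list 101 permit tcp host 67.133.238.2 host 67.133.238.194 eq 22
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip any any log
"""
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "cmd": 514}  # IOS port keywords used in the post

def _addr(t, i):
    # IOS address spec "any" | "host A" | "A WILDCARD"; ipaddress reads a 0.x.x.x mask as a host
    # (wildcard) mask, which is exactly the IOS meaning.
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _port(t, i):
    # Optional "eq <port>" after an address spec; returns (port or None, next index).
    if i < len(t) and t[i] == "eq":
        return (PORT_NAMES.get(t[i + 1]) or int(t[i + 1])), i + 2
    return None, i

def parse_acl(text):
    # Extended numbered ACL -> ordered (permit, proto, src, sport, dst, dport) tuples.
    # Trailing keywords ("log", ICMP type names) are accepted but not modeled.
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)
        rules.append((t[2] == "permit", t[3], src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, sport=None, dport=None):
    # First-match lookup as the router does it; no match falls through to the implicit deny.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (permit, p, sn, sp, dn, dp) in enumerate(rules):
        if (p in ("ip", proto) and s in sn and d in dn
                and sp in (None, sport) and dp in (None, dport)):
            return permit, n
    return False, None
```

The returned index tells you which line won, which is what you want when an entry earlier in the list (such as the pool-address permits) shadows one you expected to match.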

 

 
