Pix VPN To Internal Subnet Routing

Hi,

I am having problems creating a VPN through a PIX 515 (software version 7.0(4)) to an internal subnet routed by a 1721 router (IOS version 12.4(3f)).

External Client / Cisco VPN Client Software
        |
       \ /
PIX (192.168.1.1 - static route to 10.10.10.0 network through router)
        |
       \ /
Internal Network (192.168.1.0 - default gw 192.168.1.1)
        |
       \ /
Cisco 1721 Router (192.168.1.7 / 10.10.10.254)
        |
       \ /
Internal Subnet (10.10.10.0 - default gw 10.10.10.254)

Both internal networks can talk to one another through the router without a problem. VPN to the 192. network also works fine. The problem is with the VPN connection. The VPN connection assigns an address in the 192.168.5.0 address range to clients.

When clients attempt to connect to the 10.10.10.0 network they do not route properly and go through the VPN Client Software. Instead, they try to connect through their own LAN interface. As far as I can tell, there is no way to set a static route using the VPN Client Software. Even trying to set the route through Windows doesn't work.

I have considered setting up a new VPN connection at the Pix that would assign a 10.10.10.?? address; however, I don't think they will route back through the 1721 because the address will look local.

I can set up a new VPN connection on the PIX and it only needs to have access to the 10.10.10.0 network as this will be for service connections for devices only on this subnet.

I hope this makes sense. I have used the PIX for some time; however, I am still far from a skilled user. The 1721 router is a new thing for me and I still have a long way to go.

Thanks in advance.

Reply to
Todd

Should be very do-able, no need for the extra tunnel. Post the Pix config and we'll take a look.

Reply to
Brian V

Thanks for the response Brian,

I got to thinking after the fact. Would eliminating the split tunnel solve the routing issue?

Here is the config (hopefully I didn't strip and mangle too much):

: Saved
: Written by enable_15 at 23:02:02.116 CST Tue Nov 28 2006
!
PIX Version 7.0(4)
!
hostname pix
domain-name xxxxxxxx.local
no names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 speed 10
 duplex half
 nameif public
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
boot system flash:/pix704.bin
ftp mode passive
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit icmp any any time-exceeded
access-list outside_acl extended permit icmp any any unreachable
access-list outside_acl extended permit tcp any any eq https
access-list public_acl extended permit icmp any object-group og_ip_nat_public echo-reply
access-list public_acl extended permit icmp any object-group og_ip_nat_public time-exceeded
access-list public_acl extended permit icmp any object-group og_ip_nat_public unreachable
access-list public_acl extended deny ip any object-group og_ip_nat_public
access-list public_acl extended permit ip any any
access-list vpnXXXXXXX_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_outbound_nat0_acl extended permit ip any 192.168.5.0 255.255.255.128
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.5.0 255.255.255.128
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.5.0 255.255.255.128
access-list vpnXXXXXXXXX_splitTunnelAcl extended permit ip 192.168.3.0 255.255.255.0 any
access-list public_outbound_nat0_acl extended permit ip any 192.168.50.0 255.255.255.128
access-list outside_cryptomap_dyn_60 extended permit ip any 192.168.50.0 255.255.255.128
access-list inside_access_in remark Block SMB over TCP to outside
access-list inside_access_in extended deny tcp any any eq 445
access-list inside_access_in extended permit ip any any
access-list vpn_XXX-XXXX_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging enable
logging monitor alerts
logging buffered alerts
logging trap informational
logging asdm alerts
logging facility 23
logging queue 100
logging host inside 192.168.1.XXX
mtu outside 1500
mtu inside 1500
mtu public 1500
ip local pool xxxxxxxxpool 192.168.5.1-192.168.5.100
ip local pool XXXXXXpool 192.168.50.1-192.168.50.100
ip verify reverse-path interface outside
asdm image flash:/asdm-504.bin
asdm group og_ip_nat_public_real inside
asdm group og_ip_nat_public public reference og_ip_nat_public_real
arp timeout 14400
nat-control
global (outside) 1 XXX.XXX.XXX.XXX netmask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (public) 0 access-list public_outbound_nat0_acl
nat (public) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XXX.XXX.XXX.XXX https 192.168.1.XXX https netmask 255.255.255.255
access-group outside_acl in interface outside
access-group inside_access_in in interface inside
access-group public_acl in interface public
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
route inside 10.10.10.0 255.255.255.0 192.168.1.7 1
route inside 192.168.2.0 255.255.255.0 192.168.1.220 1
route inside 192.168.0.0 255.255.255.0 192.168.1.126 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.1.XXX
 key XXXXXXXXXXXXXXXXXX
group-policy XXX_XXX-XXXX internal
group-policy XXX_XXX-XXXX attributes
 wins-server value 192.168.1.XXX 192.168.1.XXX
 dns-server value 192.168.1.XXX 192.168.1.XXX
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value XXX_XXX-XXXX_splitTunnelAcl
 default-domain value XXXXX.local
group-policy vpnXXXXXXX internal
group-policy vpnXXXXXXX attributes
 wins-server value 192.168.1.XXX
 dns-server value 192.168.1.XXX
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnXXXXXXX_splitTunnelAcl
 default-domain value XXXXXXXX
group-policy vpnXXXXXXXXX internal
group-policy vpnXXXXXXXXX attributes
 wins-server value 192.168.3.XXX
 dns-server value 192.168.3.XXX
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnXXXXXXXXX_splitTunnelAcl
 default-domain value XXXXXXX
http server enable
http 192.168.1.0 255.255.255.0 inside
fragment chain 1 outside
fragment chain 1 inside
fragment chain 1 public
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) RADIUS
tunnel-group vpnXXXXXXX type ipsec-ra
tunnel-group vpnXXXXXXX general-attributes
 address-pool xxxxxxxxpool
 authentication-server-group (outside) RADIUS
 default-group-policy vpnxxxxxxx
tunnel-group vpnxxxxxxx ipsec-attributes
 pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXX
tunnel-group vpnxxxxxxxxx type ipsec-ra
tunnel-group vpnxxxxxxxxx general-attributes
 address-pool xxxxxxpool
 authentication-server-group (outside) RADIUS
 default-group-policy vpnxxxxxxxxx
tunnel-group vpnxxxxxxxxx ipsec-attributes
 pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXX
tunnel-group vpn_xxx-xxxx type ipsec-ra
tunnel-group vpn_xxx-xxxx general-attributes
 address-pool xxxxxxxxpool
 authentication-server-group (outside) RADIUS
 default-group-policy xxx_xxx-xxxx
tunnel-group xxx_xxx-xxxx ipsec-attributes
 pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 10
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ntp server 192.168.1.xxx source inside prefer
tftp-server inside 192.168.1.xxx
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
Reply to
Todd

LOL, mangled way too much, better safe than sorry tho..... No, no need to get rid of the split tunnel lists to make this work, but it is a security risk. I hate split tunnels, opens way too many holes into the network. Every single VPN user puts your entire security policy at risk; they now have direct pipes into your network, any one of those users could be compromised and there is nothing you can do about it while allowing split tunneling. Here's where to start.

1. You need to get rid of the "any" statements in your crypto maps, no nat lists and split tunnel lists. You should be using network specific entries there, i.e. 10.10.10.0/24 is allowed to talk to 192.168.50.0/25.

2. Does the 1721 know where the 192.168.50.0/29 subnet is? Do you have a default router or a network specific route pointing to the Pix?

3. Not related to the VPN, but you should remove the netmask 255.255.255.0 off your outside global, no need for a mask there and it can cause some funkyness (that's a technical term).
Reply to
Brian V

Yes, I hate the split tunnels as well, however there is one consultant who needs access to his corporate servers while working on our systems. Doing what he does, he needs to get some files. I may have to work on that though.

I'm not at work now, however I will clean that up.

The public interface (192.168.3.1) and the inside interface (192.168.1.1) should not have any traffic between them (except for two printers that are shared and have specific rules that I deleted because they really were not relevant to this issue). The 192.168.50.0 subnet is the address pool for vpn into the 192.168.3.0 subnet. The 192.168.5.0 subnet is the address pool for vpn into the 192.168.1.0 subnet. The 1721 resides on the 192.168.1.0 subnet and should not be aware of 192.168.3.0 or 192.168.50.0.

The default network gateway for the 192.168.1.0 subnet is the PIX (192.168.1.1). The default network gateway for the 10.10.10.0 subnet is the 1721 (10.10.10.254). The default gateway for the 1721 is the PIX (192.168.1.1).

I too can get technical from time to time. :-) I will remove the netmask when back at work.

Thanks again!

Reply to
Todd

OK I have the problem solved. The solution was within these statements:

group-policy vpnMYNETWORK attributes
 split-tunnel-network-list value vpnMYNETWORK_splitTunnelAcl

access-list vpnMYNETWORK_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list vpnMYNETWORK_splitTunnelAcl extended permit ip 10.10.10.0 255.255.255.0 any

Hope this helps anyone else who encounters the same problem.

Reply to
Todd
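As an added example (not part of this thread, and not Cisco's or either poster's code), here is a small Python audit script that reads a PIX-style config and checks the two things the thread turns on: Brian's point that the crypto-map, nat 0 and split-tunnel lists should not contain "any", and the reason behind Todd's fix, which is that a client only sends a network through the tunnel if that network appears as a source entry in the split-tunnel ACL its group-policy references, and the PIX in turn needs a connected interface or a static route for it. The config it parses is a constructed sample in the style of the one posted above; the policy name vpnOTHER and the ACL name lan_to_pool are invented for the example. The parser handles only the command forms that appear in this thread (extended permit entries, ip address, route, group-policy attributes, split-tunnel-network-list); object-group references are left unresolved.

```python
import ipaddress
import sys

# Constructed PIX 7.x configuration fragment in the style of the thread.
# The names and addresses are sample input for this example, not the poster's
# real config; vpnOTHER and lan_to_pool are invented.
SAMPLE_CONFIG = """\
interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list vpnMYNETWORK_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list vpnMYNETWORK_splitTunnelAcl extended permit ip 10.10.10.0 255.255.255.0 any
access-list inside_outbound_nat0_acl extended permit ip any 192.168.5.0 255.255.255.128
access-list lan_to_pool extended permit ip 10.10.10.0 255.255.255.0 192.168.5.0 255.255.255.128
access-list outside_acl extended permit tcp any any eq https
access-list public_acl extended permit icmp any object-group og_ip_nat_public echo-reply
route inside 10.10.10.0 255.255.255.0 192.168.1.7 1
group-policy vpnMYNETWORK internal
group-policy vpnMYNETWORK attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnMYNETWORK_splitTunnelAcl
group-policy vpnOTHER attributes
 split-tunnel-network-list value vpnOTHER_splitTunnelAcl
access-list vpnOTHER_splitTunnelAcl extended permit ip 172.16.0.0 255.255.0.0 any
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_address(tokens):
    """Pop one ACL address term (any | host A.B.C.D | A.B.C.D M.M.M.M) off tokens.
    object-group references are not resolved here and come back as None."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0))
    if head == "object-group":
        tokens.pop(0)
        return None
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")


def parse_config(text):
    """Pull out the pieces that decide VPN reachability: permit ACL entries,
    connected interface networks, static routes, and the split-tunnel list
    each group-policy pushes to its clients."""
    cfg = {"acls": {}, "connected": [], "routes": [], "split": {}}
    policy = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            rest = t[5:]                 # skip "access-list NAME extended permit PROTO"
            src = _take_address(rest)
            dst = _take_address(rest)    # trailing port / ICMP qualifiers are ignored
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "route":
            cfg["routes"].append(ipaddress.ip_network(f"{t[2]}/{t[3]}"))
        elif t[:2] == ["ip", "address"]:
            cfg["connected"].append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
        elif t[0] == "group-policy" and t[-1] == "attributes":
            policy = t[1]
        elif t[:2] == ["split-tunnel-network-list", "value"] and policy:
            cfg["split"][policy] = t[2]
    return cfg


def overly_broad_entries(cfg):
    """Permit entries with 'any' on either side (Brian's point 1 in the thread),
    returned as (acl_name, index) so they can be located in the config."""
    return [(name, i) for name, entries in cfg["acls"].items()
            for i, (src, dst) in enumerate(entries) if ANY in (src, dst)]


def tunneled_networks(cfg, policy):
    """Networks a client under POLICY sends through the tunnel. For an extended
    split-tunnel ACL the source field is the network behind the firewall, which
    is why the thread's fix adds 10.10.10.0/24 as a source entry."""
    acl = cfg["split"].get(policy)
    return [src for src, _ in cfg["acls"].get(acl, []) if src is not None]


def unreachable_tunneled(cfg, policy):
    """Tunneled networks the firewall itself cannot forward to: no connected
    interface and no static route covers them (a default route covers all)."""
    known = cfg["connected"] + cfg["routes"]
    return [net for net in tunneled_networks(cfg, policy)
            if not any(net.subnet_of(k) for k in known)]


if __name__ == "__main__":
    # Read a saved config from stdin, or fall back to the constructed sample.
    cfg = parse_config(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG)
    for name, i in overly_broad_entries(cfg):
        print(f"'any' in entry {i} of access-list {name}")
    for policy in cfg["split"]:
        print(policy, "tunnels", [str(n) for n in tunneled_networks(cfg, policy)],
              "unreachable from firewall", [str(n) for n in unreachable_tunneled(cfg, policy)])
```

Against the sample it flags every list that still carries "any" and shows that vpnMYNETWORK tunnels both 192.168.1.0/24 (connected) and 10.10.10.0/24 (reachable via the static route to 192.168.1.7), while vpnOTHER pushes 172.16.0.0/16 to clients although the firewall has no route for it. Running it over a real saved config (`python3 audit.py < pix.cfg`) gives the same two reports.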

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.