Routing between VPNs on a Cisco Pix506E?

Howdy, I've got a T1 to my office with a Pix506E running firewall duties. Our VPN network topology is hub and spoke, with the office being the hub and 11 spokes with IPsec VPNs to some Linksys BEFVP41 routers. We also have 8 users randomly using the Cisco software VPN client as well. I need to be able to route traffic between all spokes as well as the software client. As it sits now, traffic from the spokes and the Cisco client stops at the office. Is this possible with a Pix?

Current config...

PIX Version 6.2(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********* encrypted
passwd ********* encrypted
hostname ******
domain-name ******
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol sip udp 5060
names
object-group network StoreVPN
  network-object 192.168.50.0 255.255.255.0
  network-object 192.168.52.0 255.255.255.0
  network-object 192.168.53.0 255.255.255.0
  network-object 192.168.55.0 255.255.255.0
  network-object 192.168.56.0 255.255.255.0
  network-object 192.168.58.0 255.255.255.0
  network-object 192.168.60.0 255.255.255.0
  network-object 192.168.61.0 255.255.255.0
  network-object 192.168.62.0 255.255.255.0
  network-object 192.168.71.0 255.255.255.0
  network-object 192.168.72.0 255.255.255.0
object-group service sip tcp-udp
  description sip
  port-object range 5060 5060
  port-object range 5004 5004
object-group network CiscoClient
  network-object 10.1.1.0 255.255.255.0
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any echo
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any source-quench
access-list outside_in permit tcp any host **External IP** eq www
access-list outside_in permit tcp any host **External IP** eq pop3
access-list outside_in permit tcp any host **External IP** eq 5900
access-list outside_in permit tcp any host **External IP** eq smtp
access-list outside_in permit tcp any host **External IP** eq 17888
access-list outside_in permit tcp any host **External IP** eq 9008
access-list outside_in permit tcp any host **External IP** eq ftp
access-list outside_in permit tcp any host **External IP** eq pcanywhere-data
access-list outside_in permit tcp any host **External IP** eq 5632
access-list outside_in permit tcp any host **External IP** eq 11999
access-list outside_in permit tcp any host **External IP** eq 11998
access-list split-tunnel permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.1.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.58.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.61.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.62.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.72.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.71.0 255.255.255.0
access-list outside_inbound_nat0_acl permit ip object-group CiscoClient object-group StoreVPN
access-list outside_inbound_nat0_acl permit ip object-group StoreVPN object-group CiscoClient
access-list nate_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list Tammy_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list Brian_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list Dispatch_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list Amy_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list Karen_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list Sarah_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list 58_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside **External IP** 255.255.255.252
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 10.1.1.1-10.1.1.254
pdm location 10.0.0.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 10.0.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.0.0.2 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 10.0.0.2 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 17888 10.0.0.9 17888 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9008 10.0.0.9 6129 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 17889 10.0.0.9 17889 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 11999 10.0.0.103 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pcanywhere-data 10.0.0.18 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 10.0.0.18 5632 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 11998 10.0.0.107 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 **T1 Router IP** 1
timeout xlate 8:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set test1 ah-md5-hmac esp-3des esp-md5-hmac
crypto dynamic-map dynmap 4 set transform-set strong-des
crypto dynamic-map inside_dyn_map 30 set pfs group2
crypto dynamic-map inside_dyn_map 30 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 10 set transform-set strong-des
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map partner-map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map partner-map client configuration address respond
crypto map test 10 ipsec-isakmp dynamic outside_dyn_map
crypto map test interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 7200
vpngroup nate address-pool vpn-pool
vpngroup nate dns-server 10.0.0.9
vpngroup nate wins-server 10.0.0.1
vpngroup nate default-domain LLOC
vpngroup nate split-tunnel nate_splitTunnelAcl
vpngroup nate idle-time 1800
vpngroup nate password ********
vpngroup Dispatch address-pool vpn-pool
vpngroup Dispatch dns-server 10.0.0.9
vpngroup Dispatch wins-server 10.0.0.1
vpngroup Dispatch default-domain LLOC
vpngroup Dispatch split-tunnel Dispatch_splitTunnelAcl
vpngroup Dispatch idle-time 1800
vpngroup Dispatch password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
vpdn enable outside
terminal width 80
Cryptochecksum:*****
: end
Nate731
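Two of the conditions for remote-to-remote traffic on this box can be checked straight from the posted config: the nat 0 exemption on the outside interface (outside_inbound_nat0_acl) and the vpngroup split-tunnel ACLs. The Python below is an added example, not part of the post or of any Cisco tooling; it parses a constructed excerpt of the config above (two of the spokes, the client pool and the nate split-tunnel ACL) and reports the remote-network pairs with no outside nat 0 exemption and the spoke networks the client's split-tunnel list never names. It does not model the PIX 6.x restriction on sending traffic back out the interface it arrived on, which is the other thing to verify before expecting spoke-to-spoke forwarding.

```python
import ipaddress
# Constructed excerpt of the PIX 6.2 config in the post (two of the eleven spokes).
CONFIG = """
object-group network StoreVPN
  network-object 192.168.50.0 255.255.255.0
  network-object 192.168.52.0 255.255.255.0
object-group network CiscoClient
  network-object 10.1.1.0 255.255.255.0
access-list outside_inbound_nat0_acl permit ip object-group CiscoClient object-group StoreVPN
access-list outside_inbound_nat0_acl permit ip object-group StoreVPN object-group CiscoClient
access-list nate_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
"""
def _take(tokens, groups):
    """Consume one PIX address spec (any | object-group G | A MASK); return (nets, rest)."""
    t = tokens[0]
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if t == "object-group":
        return groups[tokens[1]], tokens[2:]
    return [ipaddress.ip_network(f"{t}/{tokens[1]}")], tokens[2:]

def parse_config(text):
    """Return ({group: [nets]}, {acl: [(src_nets, dst_nets)]}) from 'permit ip' lines."""
    groups, acls, current = {}, {}, None
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[:1] == ["network-object"]:
            current.extend(_take(tok[1:], groups)[0])
        elif tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            src, rest = _take(tok[4:], groups)
            acls.setdefault(tok[1], []).append((src, _take(rest, groups)[0]))
    return groups, acls

def permitted(acl, src, dst):
    """True if one entry's source covers src and its destination covers dst."""
    return any(any(src.subnet_of(s) for s in ss) and any(dst.subnet_of(d) for d in ds)
               for ss, ds in acl)

def nat0_gaps(groups, acls):
    """Ordered pairs of remote VPN nets with no nat 0 exemption on outside (spoke-to-spoke here)."""
    remote = groups["StoreVPN"] + groups["CiscoClient"]
    acl = acls.get("outside_inbound_nat0_acl", [])
    return [(str(a), str(b)) for a in remote for b in remote if a != b and not permitted(acl, a, b)]

def split_tunnel_gaps(groups, acls, acl_name):
    """Spoke nets a vpngroup split-tunnel ACL never names, so the client will not tunnel them."""
    return [str(n) for n in groups["StoreVPN"]
            if not any(n.subnet_of(s) for ss, _ in acls.get(acl_name, []) for s in ss)]
```

Run against the full posted config, the same two functions report every spoke-to-spoke pair and all eleven spoke subnets for each of the eight split-tunnel ACLs.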

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.