Again: Pix VPN & Routing

Hello,

this is what we would like to achieve:

Road-Warrior Pix LAN

Road-Warrior uses Cisco's VPN client. All traffic from Road-Warrior should pass through the inside interface of the Pix towards the LAN, no matter whether it is directed to our LAN or towards the Internet. Traffic arriving on the inside interface directed to the "address pool" IP address of Road-Warrior should of course go back through the outside interface into the VPN tunnel.

The following is the relevant part of the config. The tunnel is established, the user authenticated, Road-Warrior gets the proper IP address from the pool but is unable to reach anything on the LAN or further on.

interface Ethernet0
 nameif outside
 security-level 0
 ip address 195.37.33.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.38 255.255.255.0
!
access-list aclinside extended permit ip any host 10.1.5.79
access-list testlist extended permit ip any any
ip local pool adpool 10.1.5.79 mask 255.255.0.0
nat-control
nat (inside) 0 access-list aclinside
route outside 0.0.0.0 0.0.0.0 195.37.33.254 1
route inside 0.0.0.0 0.0.0.0 192.168.1.254 tunneled
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.129.30.6
 timeout 5
 key xxxxxx
group-policy mpivpn internal
group-policy mpivpn attributes
 banner value Welcome to MPIIB-VPN
 vpn-idle-timeout 30
 default-domain value immunbio.mpg.de
 user-authentication enable
 client-access-rule none
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address testlist
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 20 match address testlist
crypto map outside_map 20 set transform-set ESP-3DES-MD5 ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) RADIUS
tunnel-group mpivpn type ipsec-ra
tunnel-group mpivpn general-attributes
 address-pool adpool
 authentication-server-group (outside) RADIUS
 default-group-policy mpivpn
tunnel-group mpivpn ipsec-attributes
 pre-shared-key defcon13
 authorization-required
tunnel-group authentication type ipsec-ra
tunnel-group authentication general-attributes
 authentication-server-group (outside) RADIUS
 default-group-policy authentication
!
: end

What is wrong here?

Regards, Christoph Gartmann

Reply to
Christoph Gartmann

isakmp nat-traversal 20

Regards, Megane

Reply to
Megane

This helped partially. Now Road-Warrior is able to reach hosts in the LAN or those nets that have a dedicated route towards inside. But traffic from Road-Warrior to hosts that are not part of our LAN still goes directly through the outside interface and not through the inside interface.

Thus, is there a way for some sort of policy routing in the Pix, e.g. everything originating from address 10.1.5.79 (= addresses from the local pool) should be routed towards the inside interface?

Regards, Christoph Gartmann

Reply to
Christoph Gartmann

Hi,

Routing of traffic on the pix adheres to the routes found in the routing table. So if you'd like traffic to certain networks to go out the inside interface, add routes for these nets to the routing table. As far as I know there is no option to route based on source address on the PIX. (as to policy routing on IOS).

Erik

Reply to
Erik Tamminga
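Erik's point that the PIX simply follows its routing table, together with the tunneled default route that is already in the posted config, can be modelled in a few lines. This is an added illustration, not PIX code and not from anyone in the thread; the precedence rule it encodes (a tunneled default route is consulted only for traffic that left a VPN tunnel and matched no more specific ordinary route) is my reading of Cisco's documentation for the tunneled keyword and is an assumption of the model.

```python
import ipaddress

# Routing table taken from the config posted in this thread. The tunneled
# flag marks the separate default gateway PIX 7.x keeps for decrypted VPN traffic.
ROUTES = [
    # (interface, prefix, next hop, tunneled)
    ("inside",  "192.168.1.0/24", None,            False),  # connected
    ("outside", "195.37.33.0/24", None,            False),  # connected
    ("outside", "0.0.0.0/0",      "195.37.33.254", False),  # ordinary default
    ("inside",  "0.0.0.0/0",      "192.168.1.254", True),   # tunneled default
]


def lookup(dst, from_tunnel):
    """Return (interface, next_hop) chosen for a packet to dst.

    Assumed model: longest prefix match; a tunneled route is eligible only
    when the packet arrived through a VPN tunnel, and for equal prefix
    length the tunneled route wins over the ordinary one.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, next_hop, tunneled in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst not in net or (tunneled and not from_tunnel):
            continue
        key = (net.prefixlen, tunneled)  # tunneled breaks ties for tunnel traffic
        if best is None or key > best[0]:
            best = (key, iface, next_hop)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    # Constructed sample destinations: a LAN host and a TEST-NET Internet host.
    for dst, via_vpn in [("192.168.1.50", True), ("203.0.113.10", True), ("203.0.113.10", False)]:
        print(dst, "from tunnel" if via_vpn else "from LAN", "->", lookup(dst, via_vpn))
```

With the posted routes, the model sends Internet-bound traffic from the VPN pool to 192.168.1.254 via inside while the same destination from the LAN still uses the outside default; if the live box does not behave that way, the tunneled route is the first thing to verify with "show route".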

In article , Christoph Gartmann wrote:
:this is what we would like to achieve:

: Road-Warrior Pix LAN

:Road-Warrior uses Cisco's VPN client. All traffic from Road-Warrior should
:pass through the inside interface of the Pix towards the LAN, no matter whether
:it is directed to our LAN or towards the Internet.

What is the LAN going to do with the traffic if it is addressed towards the Internet?

:interface Ethernet0
: nameif outside
: security-level 0
: ip address 195.37.33.1 255.255.255.0

That must be PIX 7.0. The constraints changed noticeably between 6.3 and 7.0.

Reply to
Walter Roberson

Route it to a different Pix and then to the Internet via a separate channel.

Yes, it is 7.0.2.

Regards, Christoph Gartmann

Reply to
Christoph Gartmann
