Guru Help?

Hi all,

I have a Site-to-Site VPN between a PIX and CheckPoint, all is good. I have now started to offer VPN access via the PIX to remote users (via Cisco VPN Client 3.x). What I am trying to do is get the remote users to route via the PIX to the network ranges that the local office can reach on the CP (i.e. route to the PIX, then via the Site-to-Site and on).

I cannot seem to get the last part working; I am getting Deny (no xlate) errors. Below is my config if needed.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name liquent.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.0 TAN-Access
access-list inside_outbound_nat0_acl permit ip 10.228.200.0 255.255.255.0 TAN-Access 255.0.0.0
access-list inside_outbound_nat0_acl permit ip TAN-Access 255.255.255.192 10.228.201.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.228.200.0 255.255.255.0 TAN-Access 255.0.0.0
access-list outside_cryptomap_dyn_20 permit ip any 10.228.201.0 255.255.255.0
access-list outside_inbound_nat0_acl permit ip TAN-Access 255.0.0.0 10.228.200.0 255.255.255.0
access-list liquentremotevpn_splitTunnelAcl permit ip TAN-Access 255.0.0.0 any
pager lines 24
logging on
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.192
ip address inside 10.228.200.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnippool1 10.228.201.1-10.228.201.128
arp timeout 14400
global (outside) 10 interface
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 217.150.110.193 1
route inside TAN-Access 255.255.255.0 10.228.200.254 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup liquentremotevpn address-pool vpnippool1
vpngroup liquentremotevpn dns-server x.x.x.x
vpngroup liquentremotevpn default-domain x.com
vpngroup liquentremotevpn split-tunnel liquentremotevpn_splitTunnelAcl
vpngroup liquentremotevpn split-dns x.com
vpngroup liquentremotevpn pfs
vpngroup liquentremotevpn idle-time 1800
vpngroup liquentremotevpn password ********
telnet 10.228.5.201 255.255.255.255 outside
telnet 10.228.200.0 255.255.255.0 inside
telnet timeout 5
ssh 10.228.5.201 255.255.255.255 outside
ssh 10.228.5.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.228.5.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80

Thanks, Jason

Reply to
jason.nichols

In article , wrote:
:I have a Site-to-Site VPN between a PIX and CheckPoint, all is good.
:I have now started to offer VPN access via the PIX to remote users
:(via Cisco VPN Client 3.x).
:What I am trying to do is get the remote users to route via the PIX to
:the network ranges that the local office can reach on the CP
:(i.e. route to the PIX then via the Site-to-Site and on)

:PIX Version 6.3(3)

You can't do that with that software release.

:interface ethernet0 auto
:interface ethernet1 100full

That's a PIX 501, right?

If you had a PIX 515/515E, 525, or 535, then you could do what you want to do with the PIX 7.0(1) software release. However, no formal announcement has been made as to when (if ever) PIX 7.x will be made available on the PIX 501 or 506/506E. [The 520 will not be supported at all.]

With a PIX 501 you need routing assistance from a second device [which could be a second PIX 501.]

Reply to
Walter Roberson
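The 7.0 configuration Walter is pointing at, as an added example that is not from either poster: the piece 6.3 has no equivalent for is permitting a packet that arrived on the outside interface (decrypted from a VPN client) to leave again through the same interface (re-encrypted into the site-to-site tunnel), which is why the 6.3 box drops it with no xlate. The addresses are the ones from Jason's posted config (VPN pool 10.228.201.0/25 from vpnippool1, CheckPoint-side networks 10.0.0.0/8 named TAN-Access, peer x.x.x.x); the ACL name outside_nat0_hairpin is assumed, and the commands are given as I recall the PIX 7.0 syntax and should be checked against the 7.0 command reference before use.

```cisco
! PIX 7.0(1) on a 515/515E, 525 or 535 -- added example, not Jason's config.
! 1. Allow traffic to enter and leave the same interface (new in 7.0).
same-security-traffic permit intra-interface

! 2. The L2L crypto ACL must also cover VPN-pool -> CheckPoint networks,
!    otherwise the hairpinned packet is not "interesting" traffic for the
!    site-to-site SA and leaves in the clear or is dropped.
access-list outside_cryptomap_20 extended permit ip 10.228.200.0 255.255.255.0 TAN-Access 255.0.0.0
access-list outside_cryptomap_20 extended permit ip 10.228.201.0 255.255.255.0 TAN-Access 255.0.0.0

! 3. NAT exemption on the outside interface for pool -> CheckPoint, so the
!    pool addresses are not translated to the outside interface address
!    (global (outside) 10 interface) before encryption. ACL name assumed.
access-list outside_nat0_hairpin extended permit ip 10.228.201.0 255.255.255.0 TAN-Access 255.0.0.0
nat (outside) 0 access-list outside_nat0_hairpin

! 4. Split-tunnel ACL already sends 10.0.0.0/8 down the client tunnel
!    (liquentremotevpn_splitTunnelAcl permit ip TAN-Access 255.0.0.0 any),
!    so no client-side change is needed.

! Verify: after a client pings a CheckPoint-side host, a second SA pair
! for 10.228.201.0/24 <-> 10.0.0.0/8 should appear under the L2L peer.
show crypto ipsec sa
```

The CheckPoint side has to agree: its encryption domain for the PIX peer must include 10.228.201.0/24 as well as 10.228.200.0/24, or phase 2 for the new proxy IDs will fail. Two caveats worth keeping in mind with this design: `same-security-traffic permit intra-interface` together with `sysopt connection permit-ipsec` means decrypted client traffic is forwarded back out without ever hitting the outside ACL, so keep the nat 0 and crypto ACL entries scoped to the pool rather than `any`; and, unrelated to the VPN problem but visible in the posted config, `ssh 0.0.0.0 0.0.0.0 outside` and `snmp-server community public` expose management of the firewall far more widely than the Site-to-Site peer and the 10.228.5.0/24 admin range need.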

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.