NAT/Routing problem Cisco PIX 506E

    Hi!

    I have a Cisco PIX 506E. It connects via a VPN tunnel to a remote site. It's also used for VPN access from roaming clients.

    I wanted to change the setup, so that VPN client users could reach my remote site through the tunnel. I ended up changing the setup, so that users from the remote site cannot print on local printers from servers on primary site.

    I have the following networks:

    Primary site 10.0.0.0/24 with Cisco PIX506E (10.0.0.254)
    Remote site 10.2.0.0/24 with Watchguard (10.2.0.1)
    VPN clients 10.1.0.0/24 connecting from Internet.

    I want VPN clients to be able to connect to servers/workstations on the remote site (10.2.0.0/24); this has never worked.
    I want the remote site to be able to connect to servers/workstations on the primary site (this has always worked), and to print from a server on the primary site to a printer on the remote site (this worked until I changed something).

    In other words: 10.1.0.0/24 <-> 10.0.0.0/24 <-> 10.2.0.0/24

    Below is PIX configuration:

    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password <!removed!> encrypted
    passwd <!removed!> encrypted
    hostname PIX
    domain-name domain.local
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    no names
    name 10.0.0.113 Niels
    name 10.0.0.11 Exchangeserver
    name 10.0.0.16 Printserver
    name 10.0.0.14 Filserver
    name a.a.a.a Hosting01
    name b.b.b.b Hosting02
    name 10.0.0.27 sql.domain.local
    name c.c.c.c Christian
    name d.d.d.d Webshop
    name e.e.e.e Jens
    object-group service Videokonference-TCP tcp
    description Aabent for videokonference til Video-PC (10.0.0.49)
    port-object eq 1503
    port-object eq h323
    port-object eq ldap
    port-object range 3230 3237
    object-group service Videokonference-UDP udp
    description Aabent for videokonference til Video-PC (10.0.0.49)
    port-object eq 5060
    port-object range 3230 3237
    object-group service Remotesupport tcp
    description UltraVNC
    port-object range 5500 5500
    object-group network Jens
    network-object e.e.e.e 255.255.255.255
    object-group service E-mail tcp
    port-object eq pop3
    port-object eq smtp
    object-group network Hosting
    network-object a.a.a.a 255.255.255.0
    network-object b.b.b.b 255.255.255.0
    object-group network SMTP
    description Adgang til port 25/TCP på Exchange Serveren eksternt fra
    network-object a.a.a.a 255.255.255.0
    network-object b.b.b.b 255.255.255.0
    network-object e.e.e.e 255.255.255.255
    object-group service SQL tcp
    port-object range 1433 1433
    object-group network Webshop_SQL
    network-object c.c.c.c 255.255.255.255
    network-object d.d.d.d 255.255.255.255
    object-group service FTP tcp
    port-object eq ftp-data
    port-object eq ftp
    access-list 121 permit icmp any any echo
    access-list 121 permit icmp any any echo-reply
    access-list 121 permit icmp any any time-exceeded
    access-list 121 permit icmp any any traceroute
    access-list 121 permit icmp any any unreachable
    access-list 121 permit tcp any host x.x.x.145 eq smtp
    access-list 121 permit tcp any host x.x.x.146 eq https
    access-list 121 permit tcp any host x.x.x.145 eq https
    access-list 121 permit tcp any host x.x.x.149 eq 3389
    access-list 121 permit tcp any host x.x.x.149 object-group E-mail
    access-list 121 permit tcp object-group Webshop_SQL host x.x.x.147 object-group SQL
    access-list 121 remark Remote support via UltraVNC
    access-list 121 permit tcp any host x.x.x.146 object-group Remotesupport
    access-list 121 permit tcp any host x.x.x.148 object-group FTP
    access-list 125 permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
    access-list 125 permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
    access-list 125 permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
    access-list 126 permit ip host x.x.x.52 any
    access-list 126 permit ip 10.0.0.0 255.255.255.0 any
    access-list 126 permit ip 10.2.0.0 255.255.255.0 any
    access-list 126 permit ip 10.1.0.0 255.255.255.0 any
    access-list dannet_acl permit ip host x.x.x.146 host y.y.1.16
    access-list dannet_acl permit ip host x.x.x.146 host y.y.1.94
    access-list hongkong_acl permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
    access-list inside permit gre any any
    access-list inside permit tcp any any eq pptp
    pager lines 24
    logging console debugging
    logging monitor debugging
    logging buffered debugging
    logging history debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.x.52 255.255.255.252
    ip address inside 10.0.0.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ciscovpn2 10.1.0.1-10.1.0.254
    pdm location 10.0.0.11 255.255.255.255 inside
    pdm location 10.0.0.14 255.255.255.255 inside
    pdm location 10.0.0.16 255.255.255.255 inside
    pdm location 10.0.0.253 255.255.255.255 inside
    pdm location 10.0.0.0 255.255.255.0 outside
    pdm location 10.2.0.0 255.255.255.0 outside
    pdm location 10.0.0.77 255.255.255.255 inside
    pdm location 10.0.0.252 255.255.255.255 inside
    pdm location 10.0.0.19 255.255.255.255 inside
    pdm location 10.0.0.27 255.255.255.255 inside
    pdm location 10.1.0.0 255.255.255.0 inside
    pdm location 10.2.0.0 255.255.255.0 inside
    pdm group Jens outside
    pdm group SMTP outside
    pdm group Webshop_SQL outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (inside) 0 access-list 125
    static (inside,outside) x.x.x.145 10.0.0.11 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.146 10.0.0.16 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.149 10.0.0.252 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.147 10.0.0.27 netmask 255.255.255.255 0 0
    static (inside,outside) x.x.x.148 10.0.0.14 netmask 255.255.255.255 0 0
    access-group 121 in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.51 1
    route inside 10.1.0.0 255.255.255.0 10.0.0.254 1
    route inside 10.2.0.0 255.255.255.0 10.2.0.1 1
    timeout xlate 3:00:00
    timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server vpnauth protocol radius
    aaa-server vpnauth max-failed-attempts 3
    aaa-server vpnauth deadtime 10
    aaa-server vpnauth (inside) host 10.0.0.14 k1 timeout 10
    http server enable
    http 10.0.0.0 255.255.255.0 outside
    http 10.0.0.0 255.255.255.0 inside
    snmp-server host inside 10.0.0.19
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set HK esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 30 set transform-set ESP-3DES-MD5
    crypto map VPN-MAP 10 ipsec-isakmp
    crypto map VPN-MAP 10 match address dannet_acl
    crypto map VPN-MAP 10 set peer y.y.50.99
    crypto map VPN-MAP 10 set transform-set ESP-3DES-SHA ESP-3DES-MD5
    crypto map VPN-MAP 20 ipsec-isakmp
    crypto map VPN-MAP 20 match address hongkong_acl
    crypto map VPN-MAP 20 set peer f.f.f.f
    crypto map VPN-MAP 20 set transform-set HK
    crypto map VPN-MAP 20 set security-association lifetime seconds 86400 kilobytes 8192
    crypto map VPN-MAP 30 ipsec-isakmp dynamic dynmap
    crypto map VPN-MAP client authentication vpnauth
    crypto map VPN-MAP interface outside
    isakmp enable outside
    isakmp key ******** address y.y.50.99 netmask 255.255.255.255
    isakmp key ******** address f.f.f.f netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash sha
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 86400
    vpngroup vpn address-pool ciscovpn2
    vpngroup vpn dns-server 10.0.0.11 10.0.0.14
    vpngroup vpn default-domain domain.local
    vpngroup vpn split-tunnel 126
    vpngroup vpn idle-time 28800
    vpngroup vpn password ********
    telnet 10.0.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh 10.0.0.253 255.255.255.255 inside
    ssh timeout 60
    console timeout 0
    dhcpd dns 8.8.8.8 208.67.222.222
    dhcpd lease 3600
    dhcpd ping_timeout 750
    username cisco password <!removed!> encrypted privilege 15
    terminal width 80
    Cryptochecksum:4ddbb91e27164b1b<!removed!>


    I think that one of my problems has to do with this:

    nat (inside) 0 access-list 125

    I don't want to do NAT between my networks. But I'm not an expert on Cisco PIX, so I hope someone can help me....

    Thanks in advance,

    Jonsson
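An added example, not part of the original post and not Cisco's code: a small Python checker that parses the plain-IP entries of the PIX 6.x access-lists quoted above and reports, for each of the flows the post describes, whether the NAT-exemption list (125) and the site-to-site crypto ACL (hongkong_acl) select it. It models the way the PIX evaluates both `nat 0 access-list` and crypto ACLs in both directions (a flow started from the far side is checked against the mirrored entry). The ACL excerpt is copied from the posted config; the host addresses 10.1.0.5, 10.2.0.20 and 10.0.0.16 are constructed sample hosts, and the flow labels and function names are my own.

```python
import ipaddress
from dataclasses import dataclass

# ACL excerpt copied from the posted PIX 6.3(5) config: the nat 0 exemption list (125)
# and the site-to-site crypto ACL (hongkong_acl).
PIX_ACL_EXCERPT = """\
access-list 125 permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list 125 permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list 125 permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list hongkong_acl permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
"""

# Constructed sample hosts (not from the post): a VPN client from pool 10.1.0.0/24,
# the print server on the primary site, and a printer on the remote site.
FLOWS = [
    ("vpn-client->remote", "10.1.0.5", "10.2.0.20"),
    ("primary->remote", "10.0.0.16", "10.2.0.20"),
    ("remote->primary", "10.2.0.20", "10.0.0.16"),
    ("remote->vpn-client", "10.2.0.20", "10.1.0.5"),
]


@dataclass(frozen=True)
class Ace:
    """One 'permit ip SRC DST' entry."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one PIX 6.x address spec ('any', 'host A', or 'A MASK') at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # ipaddress accepts dotted netmasks, e.g. 10.0.0.0/255.255.255.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_acls(config_text):
    """Collect the 'permit ip' entries of every access-list, keyed by list name."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        if action != "permit" or proto != "ip":
            continue  # only plain-IP entries matter for nat 0 and crypto selection
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        acls.setdefault(name, []).append(Ace(src, dst))
    return acls


def permits(acl, src_ip, dst_ip):
    """Unidirectional match: does any entry list src_ip as source and dst_ip as destination?"""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in ace.src and d in ace.dst for ace in acl)


def selects(acl, src_ip, dst_ip):
    """Bidirectional match, the way the PIX applies nat 0 exemption and crypto ACLs."""
    return permits(acl, src_ip, dst_ip) or permits(acl, dst_ip, src_ip)


def coverage(acls, flows):
    """For each labelled flow, report which access-lists select it."""
    return {label: {name: selects(acl, src, dst) for name, acl in acls.items()}
            for label, src, dst in flows}


def nat_exempt_but_not_tunneled(report, nat_list, crypto_list):
    """Flows the NAT-exemption list covers that the crypto ACL does not select."""
    return [label for label, hits in report.items()
            if hits[nat_list] and not hits[crypto_list]]


if __name__ == "__main__":
    acls = parse_acls(PIX_ACL_EXCERPT)
    report = coverage(acls, FLOWS)
    for label, hits in report.items():
        print(f"{label:20s} " + "  ".join(f"{n}={'yes' if v else 'no '}" for n, v in hits.items()))
    print("exempt from NAT but outside hongkong_acl:",
          nat_exempt_but_not_tunneled(report, "125", "hongkong_acl"))
```

Running it prints one line per flow and then the two VPN-client flows: list 125 exempts 10.1.0.0/24 <-> 10.2.0.0/24 from NAT, but hongkong_acl only names 10.0.0.0/24 <-> 10.2.0.0/24, so those flows are never selected as interesting traffic for the site-to-site map entry. Whatever the final design is, the sanity check to keep running after every change is that the NAT-exemption list and the crypto ACL (and the matching policy on the far-end Watchguard) describe the same network pairs for every flow that is meant to cross the tunnel.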