
PIX515e - Client using PIX Connected VPN

    I am putting a proposal together to switch our firewalls to PIXes. I have used PIX in the past and have set one up on test currently and all is good. This is just for our offices (we have 4 in various locations). Now this is where the problem starts...

    I have a connection using the VPN client and this works great to the internal network, but I have some IPsec VPNs set up from the same PIX as the Client connects to (and it would have to connect via IPsec VPNs to the other offices). Is it possible to get the user over the client to connect to a machine over the IPsec VPN?

    Not sure I have explained this too well.

    So basically, can a VPN client who is connected to the PIX use an IPsec VPN that is connected to the same PIX?



  • #2
    Re: PIX515e - Client using PIX Connected VPN

    I'm not sure I fully understand but I will give the answer I think you are looking for...

    You are trying to find out if a client who is connected to a PIX via VPN can use the IPSEC VPN to access computers/services in another office.

    e.g. - The user (VPN Client) connects to the PIX (in say, New York) and uses the IPSEC - VPN to access Servers in another office (let's say, Houston)?

    If that is what you're asking, then I believe the correct answer is yes. You should be able to accomplish this through the use of basic ACLs and NoNats.

    You could always just have them connect directly to the PIX in Houston as well.


    • #3
      Re: PIX515e - Client using PIX Connected VPN

      OK, thanks for the reply. It would be good if I could do it, but all my current attempts have failed.

      Yes, that's about it. I have a single PIX, and this has an IPsec VPN to a customer (so we can't connect the client to it).
      If I connect from home using the Cisco client I can't work out how to get this to work so that I can also use the IPsec tunnel. My syslog shows an xlate error, so I think I am having a NAT issue.

      (To add complication, the client uses a no-nat rule, but the customer IPsec VPN does use NAT.)

      Here are the interesting bits of the config; any pointers would be sweet...

      If I can't get this to work I guess my next option is a concentrator...

      access-list vpn-nonat-acl permit ip object-group office-lan object-group vpn-pool-group
      access-list vpn-nonat-acl permit ip object-group vpn-pool-group object-group office-lan
      access-list inside_in permit tcp object-group office-lan any object-group lan-outbound-ports
      access-list inside_in deny ip any any log
      access-list IPSEC-VPN permit ip host ***.***.63.124 host ***.***.246.64 log
      access-list client_comms permit ip object-group office-lan host ***.***.246.64 log
      access-list client_comms permit ip host ***.***.246.64 object-group office-lan log
      access-list outside_in permit tcp host any
      access-list outside_in deny ip any any log
      mtu outside 1500
      mtu inside 1500
      mtu dmz 1500
      ip address outside ***.***.63.125
      ip address inside
      ip local pool vpnpool
      global (outside) 1 ***.***.63.124
      nat (inside) 0 access-list vpn-nonat-acl
      nat (inside) 1 0 0
      access-group outside_in in interface outside
      access-group inside_in in interface inside
      sysopt connection permit-ipsec
      crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
      crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
      crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
      crypto dynamic-map dynmap 10 set transform-set myset
      crypto map mymap 10 ipsec-isakmp dynamic dynmap
      crypto map mymap 15 ipsec-isakmp
      crypto map mymap 15 match address IPSEC-VPN
      crypto map mymap 15 set peer ***.***.163.15
      crypto map mymap 15 set transform-set esp-3des-md5
      crypto map mymap interface outside
      isakmp enable outside
      isakmp key ******** address ***.***.163.15 netmask
      isakmp policy 10 authentication pre-share
      isakmp policy 10 encryption 3des
      isakmp policy 10 hash md5
      isakmp policy 10 group 2
      isakmp policy 10 lifetime 86400
      isakmp policy 20 authentication pre-share
      isakmp policy 20 encryption aes-256
      isakmp policy 20 hash md5
      isakmp policy 20 group 2
      isakmp policy 20 lifetime 86400
      vpngroup simon address-pool vpnpool
      vpngroup simon dns-server
      vpngroup simon default-domain
      vpngroup simon split-tunnel vpn-nonat-acl
      vpngroup simon split-dns
      vpngroup simon idle-time 7200
      vpngroup simon max-time 86400
      vpngroup simon password ********


      • #4
        Re: PIX515e - Client using PIX Connected VPN

        BTW, this is the error in the log when I try to open an RDP connection from my home (over the Cisco client) to the IPsec VPN destination.

        01-25-2007 11:01:54 Local4.Error %PIX-3-106011: Deny inbound (No xlate) tcp src outside: dst outside:***.***.246.64/3389
        is the PIX inside interface
        is the Pool IP of my home connection over the client
        ***.***.246.64 is the IP of the IP-SEC destination
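As an added troubleshooting aid (not from this thread or from Cisco), the Python below parses a %PIX-3-106011 "No xlate" message like the one above and checks the denied flow against a model of the ACLs posted in #3 (vpn-nonat-acl and the IPSEC-VPN crypto ACL). All addresses are constructed stand-ins for the redacted values, and the "hairpin" check simply reports when the flow enters and leaves the same interface.

```python
import re
from ipaddress import ip_address, ip_network

# Field order follows the PIX 106011 message format:
#   Deny inbound (No xlate) <proto> src <if>:<addr>/<port> dst <if>:<addr>/<port>
PIX_106011 = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)

# Constructed stand-ins for the redacted objects in the posted config.
OFFICE_LAN = ip_network("192.0.2.0/24")         # object-group office-lan
VPN_POOL = ip_network("198.51.100.0/24")        # ip local pool vpnpool
PIX_GLOBAL = ip_network("203.0.113.124/32")     # global (outside) 1 ***.***.63.124
CUSTOMER_HOST = ip_network("203.0.113.200/32")  # host ***.***.246.64

# access-list vpn-nonat-acl: only office-lan <-> vpn-pool is exempt from NAT.
NONAT_ACL = [(OFFICE_LAN, VPN_POOL), (VPN_POOL, OFFICE_LAN)]
# access-list IPSEC-VPN: the site-to-site tunnel only carries global <-> customer.
CRYPTO_ACL = [(PIX_GLOBAL, CUSTOMER_HOST)]

# Constructed sample log lines (same shape as the thread's redacted entry).
SAMPLE_DENY = ("01-25-2007 11:01:54 Local4.Error %PIX-3-106011: Deny inbound (No xlate) "
               "tcp src outside:198.51.100.10/1044 dst outside:203.0.113.200/3389")
SAMPLE_INSIDE = ("%PIX-3-106011: Deny inbound (No xlate) tcp "
                 "src inside:192.0.2.5/1044 dst outside:203.0.113.200/3389")

def parse_106011(line):
    """Return the message fields as a dict, or None if this is not a 106011 line."""
    m = PIX_106011.search(line)
    return m.groupdict() if m else None

def acl_matches(acl, src, dst):
    return any(src in s and dst in d for s, d in acl)

def diagnose(line):
    """List the reasons a denied flow would not be NAT-exempt or tunnel-eligible."""
    f = parse_106011(line)
    if f is None:
        return None
    src, dst = ip_address(f["src"]), ip_address(f["dst"])
    findings = []
    if f["src_if"] == f["dst_if"]:
        findings.append("hairpin: flow enters and leaves interface %s" % f["src_if"])
    if src in VPN_POOL and not acl_matches(NONAT_ACL, src, dst):
        findings.append("vpn-pool source is not covered by vpn-nonat-acl for this dst")
    # nat (inside) rules never translate traffic arriving on outside, so a pool
    # source stays untranslated and cannot match the global-address crypto ACL.
    if f["src_if"] == "outside" and dst in CUSTOMER_HOST and not acl_matches(CRYPTO_ACL, src, dst):
        findings.append("untranslated source does not match crypto ACL IPSEC-VPN")
    return findings
```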