Is it possible to have a pix in front of a uc520 with clients on a 192.168.172.x network and still have access to the UC520 default 192.168.10.x and 10.1.10.x networks? |
|||
 |
UC500.comCisco Communication Manager Express, UC520, SMB VOIP reference and community |
what am i missing?
Tried making those changes, but no success. Heres what i did, and my config.
1. Modified the “200” access list to add the 10.1.10.0/24 and 10.1.1.0/24 to go along with the 192.168.10.0/24 statement
2. Created a mirrored access-list called “split-tunnel” to match the three statements that are in the “200” access list
3. Modified the “vpngroup vpn3000 split-tunnel” command to use the “split-tunnel” access list instead of “200”
pixfirewall# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x.x.x.x encrypted
passwd x.x.x.x encrypted
hostname pixfirewall
domain-name x.x.x.x.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 200 permit ip 192.168.10.0 255.255.255.0 192.168.172.0 255.255.255.0
access-list 200 permit ip 10.1.10.0 255.255.255.0 192.168.172.0 255.255.255.0
access-list 200 permit ip 10.1.1.0 255.255.255.0 192.168.172.0 255.255.255.0
access-list 100 permit tcp any host x.x.x.x eq smtp
access-list 100 permit tcp any host x.x.x.x eq www
access-list 100 permit tcp any host x.x.x.x eq pop3
access-list 100 permit tcp any host x.x.x.x eq 32000
access-list 100 permit tcp any host x.x.x.x eq 3389
access-list 100 permit tcp any host x.x.x.x eq www
access-list 100 permit tcp any host x.x.x.xeq citrix-ica
access-list 100 permit tcp any host x.x.x.xeq 1604
access-list 100 permit tcp any host x.x.x.x eq 2513
access-list 100 permit tcp any host x.x.x.x eq 3389
access-list split-tunnel permit ip 192.168.10.0 255.255.255.0 192.168.172.0 255.255.255.0
access-list split-tunnel permit ip 10.1.10.0 255.255.255.0 192.168.172.0 255.255.255.0
access-list split-tunnel permit ip 10.1.1.0 255.255.255.0 192.168.172.0 255.255.255.0
pager lines 24
logging on
logging buffered errors
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.240
ip address inside 192.168.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.172.1-192.168.172.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 200
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x 192.168.10.10 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.10.21 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.1.0.0 255.255.0.0 192.168.10.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
snmp-server location
snmp-server contact support@x.x.x.x.com
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 dns-server 192.168.10.10
vpngroup vpn3000 default-domain x.x.x.x.local
vpngroup vpn3000 split-tunnel split-tunnel
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
username x.x.x.xpassword x.x.x.xencrypted privilege 15
terminal width 80
Cryptochecksum:5746bded2b5b266c70e2b4457104e3d5
: end
What's the routing look like
What's the routing look like on the UC500? Can you ping each location from the PIX while your telneted in?
Also - take a look at your VPN software, right click on it and choose "statistics" and then choose "route details". Does it show that you are tunneling traffic for all those networks? You should see 3. This will confirm you are tunneling properly.
First write memory...
Also - restart the PIX, if you can.. it will reset the crypto maps. If you can not, you can type "clear crypto ipsec sa" and "clear crypto isakmp sa"... Also I would type "clear IP nat trans *" to reset NAT translations (only if you can not restart)
Tell us what you find with the routes and the tunneled networks and try again...
John
NIKTEK LLC
It is possible if you setup
It is possible if you setup your route statements and ACL's correctly yes. Cant give a more detailed answer without understanding your topology.
re: It is possible if you setup
im sorry, i didnt state the fact that the 192.168.172.x clients are coming through the vpn, the inside network works fine, as they are on the 192.168.10.x network.
I replaced secret info with x.x.x.x but here is the pix config:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password S6H/sXg2W5xV3jLd encrypted
passwd S6H/sXg2W5xV3jLd encrypted
hostname pixfirewall
domain-name xxxxxx.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 200 permit ip 192.168.10.0 255.255.255.0 192.168.172.0 255.255.255.0
access-list 100 permit tcp any host x.x.x.x eq smtp
access-list 100 permit tcp any host x.x.x.x eq www
access-list 100 permit tcp any host x.x.x.x eq pop3
access-list 100 permit tcp any host x.x.x.x eq 32000
access-list 100 permit tcp any host x.x.x.x eq 3389
access-list 100 permit tcp any host x.x.x.x eq www
access-list 100 permit tcp any host x.x.x.x eq citrix-ica
access-list 100 permit tcp any host x.x.x.x eq 1604
access-list 100 permit tcp any host x.x.x.x eq 2513
access-list 100 permit tcp any host x.x.x.x eq 3389
pager lines 24
logging on
logging buffered errors
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.240
ip address inside 192.168.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.172.1-192.168.172.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 200
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x192.168.10.10 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.10.21 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.1.0.0 255.255.0.0 192.168.10.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
snmp-server location x.x.x.x
snmp-server contact x.x.x.x
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 dns-server 192.168.10.10
vpngroup vpn3000 default-domain xxxxxx.local
vpngroup vpn3000 split-tunnel 200
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
username x.x.x.x password x.x.x.xencrypted privilege 15
terminal width 80
thanks!!
Of course you can... 1) Your
Of course you can...
1) Your PIX will need proper routes to the UC500. Looks like you have it already.
route inside 10.1.0.0 255.255.0.0 192.168.10.1 1
2) Your PIX will need ACCESS-LISTS to allow your VPN IP POOL the rights to access the 10.1.X.X networks and your UC500 networks. You have some of it already - access-list 200... but you can not use access-list 200. You have to make mirror copy and name is something else... (It is a known PIX bug). Split tunnel and no NAT groups can not be the same number.
*This access-list is saying -DONT NAT THESE ADDRESSES
access-list 200 permit ip 192.168.10.0 255.255.255.0 192.168.172.0 255.255.255.0
access-list 200 permit ip 10.1.10.0 255.255.255.0 192.168.172.0 255.255.255.0
access-list 200 permit ip 10.1.1.0 255.255.255.0 192.168.172.0 255.255.255.0
** This access list is saying, allow 192.168.172.X reach these other networks (interesting traffic)
access-list SPLIT-TUNNEL permit ip 192.168.10.0 255.255.255.0 192.168.172.0 255.255.255.0
access-list SPLIT-TUNNEL permit ip 10.1.10.0 255.255.255.0 192.168.172.0 255.255.255.0
access-list SPLIT-TUNNEL permit ip 10.1.1.0 255.255.255.0 192.168.172.0 255.255.255.0
Something like that should work... Right now you are not allowing the VPN client to tunnel to the 10.X networks. Only thing you are tunneling is the 192.168.10.X network.. Also you may be hitting a bug in the access-list command. You can try it both ways.
Tell me if it works..
John
NIKTEK LLC