Question : How to pass traffic to remote subnet via VPN on Cisco Pix
Hello -
I have a Cisco Pix setup that is acting as a VPN server for several Cisco software clients. The VPN works great when the users are trying to access anything on the local subnet behind the PIX (10.30.64.x); however, when they try to access anything on one of our remote subnets (10.225.34.x), the VPN clients don't even try to use the VPN for this traffic. Instead, the traffic is routed to the user's local gateway. My question, therefore, is how do I make the traffic destined for 10.225.34.x 'interesting' to the VPN tunnel? PIX config is below. Thanks for any input!
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname
domain-name test.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.30.64.80 dc1
access-list outside_access_in remark Secure Web Traffic
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in remark Email Traffic
access-list outside_access_in remark Web Traffic
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq 5632
access-list outside_access_in permit tcp any interface outside eq pcanywhere-data
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq 3391
access-list outside_access_in permit tcp any interface outside eq 3392
access-list outside_access_in permit tcp any interface outside eq 3393
access-list outside_access_in permit tcp any interface outside eq 3394
access-list nonat permit ip 10.30.64.0 255.255.255.0 10.60.176.0 255.255.255.0
access-list nonat permit ip 10.225.34.0 255.255.255.0 10.60.176.0 255.255.255.0
access-list vpn permit ip 10.30.64.0 255.255.255.0 10.60.176.0 255.255.255.0
access-list vpn permit ip 10.225.34.0 255.255.255.0 10.60.176.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.4 255.255.255.252
ip address inside 10.30.64.5 255.255.240.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.60.176.20-10.60.176.30 mask 255.255.255.0
pdm location 10.30.64.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location cefcudc 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface https dc1 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www dc1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 dc1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 10.30.64.134 5632 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pcanywhere-data 10.30.64.134 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp dc1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3392 10.43.48.143 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3393 10.43.48.131 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3391 10.43.48.130 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3394 10.43.48.133 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.88.169.14 1
route inside 10.43.48.0 255.255.240.0 10.30.64.2 1
route inside 10.50.192.0 255.255.240.0 10.30.64.1 1
route inside 10.55.192.0 255.255.240.0 10.30.64.1 1
route inside 10.225.0.0 255.255.0.0 10.30.64.1 1
route inside 167.16.0.0 255.255.0.0 10.30.64.6 1
route inside 170.186.0.0 255.255.0.0 10.30.64.6 1
route inside 199.186.0.0 255.255.0.0 10.30.64.6 1
route inside 199.186.96.0 255.255.255.0 10.30.64.6 1
route inside 199.186.97.0 255.255.255.0 10.30.64.6 1
route inside 199.186.98.0 255.255.255.0 10.30.64.6 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host dc1 xxxx timeout 5
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.30.64.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup cfcuvpn address-pool vpnpool
vpngroup cfcuvpn dns-server dc1
vpngroup cfcuvpn wins-server dc1
vpngroup cfcuvpn default-domain test.net
vpngroup cfcuvpn split-tunnel vpn
vpngroup cfcuvpn split-dns test.net
vpngroup cfcuvpn idle-time 86400
vpngroup cfcuvpn password
telnet 10.30.64.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
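Editor's note on the posted config. The split-tunnel list it references (`vpngroup cfcuvpn split-tunnel vpn`, i.e. `access-list vpn`) already names 10.225.34.0/24, so as written the PIX should push that network to the client. Two things to check next: a client that connected before the entry was added has to disconnect and reconnect, because the split-tunnel list is only delivered during mode config when the tunnel comes up; and the return path must exist, since the PIX reaches 10.225.0.0/16 via 10.30.64.1, so that router and whatever sits between it and 10.225.34.x must route the 10.60.176.0/24 pool back to the PIX inside address 10.30.64.5, otherwise replies leave through the remote site's default gateway and never enter the tunnel. Separately, the inside interface is 10.30.64.5 with mask 255.255.240.0 (a /20), yet both `nonat` and `vpn` cover only 10.30.64.0/24, so hosts in 10.30.65.0 through 10.30.79.255 are neither tunneled nor NAT-exempt.

The script below is an added example, not part of the original post and not an answer from this thread. It embeds a constructed excerpt of the split-tunnel-related lines from the posted config, parses them, and answers for a given destination whether the Cisco VPN client would treat it as interesting traffic; it also reports the two mismatches above. It assumes the documented PIX 6.x behaviour that the source side of each split-tunnel ACL entry is the network pushed to the client and the destination side is the client pool.

```python
"""Work out which destinations a PIX 6.3 vpngroup split-tunnel list pushes to
the Cisco VPN client, and flag common mismatches in the surrounding config.

Added example, not code from the original post.  CONFIG is a constructed
excerpt of the lines that matter for split tunnelling, copied from the posted
config.  Assumption (PIX 6.x documented behaviour): the *source* side of each
permit entry in the split-tunnel ACL is the protected network the client adds
as a secured route; the destination side is the client address pool.
"""
import ipaddress

CONFIG = """\
access-list nonat permit ip 10.30.64.0 255.255.255.0 10.60.176.0 255.255.255.0
access-list nonat permit ip 10.225.34.0 255.255.255.0 10.60.176.0 255.255.255.0
access-list vpn permit ip 10.30.64.0 255.255.255.0 10.60.176.0 255.255.255.0
access-list vpn permit ip 10.225.34.0 255.255.255.0 10.60.176.0 255.255.255.0
ip address inside 10.30.64.5 255.255.240.0
ip local pool vpnpool 10.60.176.20-10.60.176.30 mask 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup cfcuvpn address-pool vpnpool
vpngroup cfcuvpn split-tunnel vpn
"""


def _addr(tok, i):
    """Consume one PIX address spec at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    # PIX 6.x ACLs take a real subnet mask, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return ACLs, vpngroups, pools, the nat 0 ACL name and the inside interface."""
    cfg = {"acls": {}, "groups": {}, "pools": {}, "nat0": None, "inside": None}
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            src, i = _addr(tok, 4)
            dst, _ = _addr(tok, i)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif tok[:1] == ["nat"] and tok[2:4] == ["0", "access-list"]:
            cfg["nat0"] = tok[4]
        elif tok[:1] == ["vpngroup"]:
            cfg["groups"].setdefault(tok[1], {})[tok[2]] = tok[3] if len(tok) > 3 else None
    return cfg


def split_tunnel_networks(cfg, group):
    """Networks pushed to clients of `group`; None means everything is tunneled."""
    acl = cfg["groups"][group].get("split-tunnel")
    return None if acl is None else [src for src, _ in cfg["acls"].get(acl, [])]


def is_tunneled(cfg, group, dest):
    """Would a client in `group` send traffic for `dest` through the tunnel?"""
    nets = split_tunnel_networks(cfg, group)
    dest = ipaddress.ip_address(dest)
    return nets is None or any(dest in n for n in nets)


def inside_gaps(cfg, group):
    """Parts of the PIX inside subnet that the split-tunnel list does not cover."""
    nets = split_tunnel_networks(cfg, group)
    if nets is None:
        return []
    missing = [cfg["inside"].network]
    for n in nets:
        nxt = []
        for m in missing:
            if m.subnet_of(n):
                continue                            # fully covered by this entry
            if n.subnet_of(m):
                nxt.extend(m.address_exclude(n))    # carve the covered piece out
            else:
                nxt.append(m)                       # disjoint, still missing
        missing = nxt
    return sorted(missing)


def nat_exempt_gaps(cfg, group):
    """Split-tunnel entries with no identical nat 0 (NAT-exempt) entry.

    Without the exemption the PIX PATs replies to the outside interface address
    and they never reach the VPN client."""
    acl = cfg["groups"][group].get("split-tunnel")
    nonat = set(cfg["acls"].get(cfg["nat0"], []))
    return [e for e in cfg["acls"].get(acl, []) if e not in nonat]


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for dest in ("10.30.64.80", "10.30.70.1", "10.225.34.10", "10.225.35.10"):
        print(f"{dest:14} tunneled={is_tunneled(cfg, 'cfcuvpn', dest)}")
    print("inside subnet not in split list:", [str(n) for n in inside_gaps(cfg, "cfcuvpn")])
    print("split entries missing from nat 0:", nat_exempt_gaps(cfg, "cfcuvpn"))
```

For the posted config the report shows 10.225.34.10 as tunneled and 10.225.35.10 as not, confirms `nonat` and `vpn` agree entry for entry, and lists 10.30.65.0/24, 10.30.66.0/23, 10.30.68.0/22 and 10.30.72.0/21 as the parts of the inside /20 that no split-tunnel entry reaches; widen both ACLs to 255.255.240.0 if those hosts are meant to be reachable. Unrelated to the routing question but visible in the same config and worth fixing while in there: `ssh 0.0.0.0 0.0.0.0 outside` accepts SSH management sessions from any Internet address, `snmp-server community public` leaves the default read community in place, and the tunnel itself runs 3DES with MD5, DH group 2 and a shared group password, which is what PIX 6.3 offers but is well below current expectations.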