Hello All,

Following is my scenario.

3550 Switch (10.5.25.50) -> (inside 10.5.25.1) PIX1 (outside 10.5.26.254) -> Internet ->
(outside 172.25.34.7) PIX2 (inside 10.80.2.7) -> 3550 Switch (10.80.2.5, 10.80.1.10, 10.80.0.10)

Based on the above scenario, I have established a VPN tunnel from the 10.5.25.0 network to the
10.80.2.0 network. It works perfectly fine.

1) 3550 switch with IP address 10.5.25.50 has default gateway as 10.5.25.1 (PIX1)
2) 3550 switch with IP address 10.80.2.5 has route statements to 10.5.25.0 through 10.80.2.7
3) PIX1 has routes to 172.25.34.0 and 10.80.2.0 defined.
4) PIX2 has routes defined for 10.5.25.0 and 10.5.26.0
5) PIX2 has routes defined for 10.80.1.0 and 10.80.0.0 pointing to 10.80.2.5
6) All subnets are /24 subnets throughout.
7) All PIXes run ver 6.3.

Please find below the VPN configurations for PIX1 and PIX2.

The thing that really bothers me is that the existing configuration will
establish three VPN tunnels as follows.

1) 10.5.25.0 to 10.80.2.0
2) 10.5.25.0 to 10.80.1.0
3) 10.5.25.0 to 10.80.0.0

I am hoping that there is a way out of this and I would be able to route
traffic from 10.5.25.0 to 10.80.1.0 with only one VPN tunnel between
10.5.25.0 and 10.80.2.0

I have searched all over the internet for any sample configuration and I am
not able to find it. There should be an easy way to do this. Please help.

PIX1 configuration

object-group network Remote-Networks
network-object 10.80.2.0 255.255.255.0
network-object 10.80.1.0 255.255.255.0
network-object 10.80.0.0 255.255.255.0

object-group network NoNAT-Networks
network-object 10.80.2.0 255.255.255.0
network-object 10.80.1.0 255.255.255.0
network-object 10.80.0.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 10.5.25.0 255.255.255.0 object-group NoNAT-Networks
access-list Remote_cryptomap_20 permit ip 10.5.25.0 255.255.255.0 object-group Remote-Networks

nat (inside) 0 access-list inside_outbound_nat0_acl

sysopt connection permit-ipsec
isakmp enable outside
isakmp key REMOTENET address 172.25.34.7 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map DCA 20 ipsec-isakmp
crypto map DCA 20 match address Remote_cryptomap_20
crypto map DCA 20 set peer 172.25.34.7
crypto map DCA 20 set transform-set ESP-3DES-MD5
crypto map DCA interface outside

route outside 0.0.0.0 0.0.0.0 10.5.26.1

PIX2 configuration

object-group network Local-Networks
network-object 10.80.2.0 255.255.255.0
network-object 10.80.1.0 255.255.255.0
network-object 10.80.0.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip object-group Local-Networks 10.5.25.0 255.255.255.0
access-list Corp_cryptomap_20 permit ip object-group Local-Networks 10.5.25.0 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl

sysopt connection permit-ipsec
isakmp enable outside
isakmp key REMOTENET address 10.5.26.254 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map Management 20 ipsec-isakmp
crypto map Management 20 match address Corp_cryptomap_20
crypto map Management 20 set peer 10.5.26.254
crypto map Management 20 set transform-set ESP-3DES-MD5

route outside 10.5.25.0 255.255.255.0 172.25.34.1
route outside 10.5.26.0 255.255.255.0 172.25.34.1

With regards,
Anand

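Added example (not part of Anand's post, and not a Cisco tool): a small Python script that expands the crypto-map ACLs above, object-groups included, into the proxy identities (local network, remote network) that IKE quick mode negotiates one IPsec SA pair for, and checks that the two peers' crypto ACLs are mirror images of each other. The three SA pairs it reports for the posted config are the three "tunnels" the post describes. The summarised variant in the script (a single ACE to 10.80.0.0 255.255.252.0) is an assumption for illustration only: it collapses the negotiation to one SA pair, but it also pulls 10.80.3.0/24 into the crypto domain, and it has to be applied as a mirror image on both PIXes or quick mode fails with a proxy-identity mismatch, which the last check demonstrates. The helper names (`parse`, `proxy_ids`, `mirror_ok`, `summary_covers`) are mine; the config text is copied from the post.

```python
"""Expand a PIX 6.3 crypto-map ACL into the proxy identities that IKE quick
mode negotiates an IPsec SA pair for, and check that two peers mirror each
other.  Added example; not part of the original post."""
import ipaddress
from collections import defaultdict

# Constructed sample: the crypto-relevant lines from the PIX1/PIX2 configs
# in the post (object-groups, crypto ACLs and the crypto map "match" line).
PIX1_CFG = """\
object-group network Remote-Networks
 network-object 10.80.2.0 255.255.255.0
 network-object 10.80.1.0 255.255.255.0
 network-object 10.80.0.0 255.255.255.0
access-list Remote_cryptomap_20 permit ip 10.5.25.0 255.255.255.0 object-group Remote-Networks
crypto map DCA 20 match address Remote_cryptomap_20
"""

PIX2_CFG = """\
object-group network Local-Networks
 network-object 10.80.2.0 255.255.255.0
 network-object 10.80.1.0 255.255.255.0
 network-object 10.80.0.0 255.255.255.0
access-list Corp_cryptomap_20 permit ip object-group Local-Networks 10.5.25.0 255.255.255.0
crypto map Management 20 match address Corp_cryptomap_20
"""

# Hypothetical alternative (assumption: 10.80.0.0/22 may be summarised, which
# also pulls in 10.80.3.0/24): one ACE per side, mirrored on both peers.
PIX1_SUMMARY = """\
access-list Remote_cryptomap_20 permit ip 10.5.25.0 255.255.255.0 10.80.0.0 255.255.252.0
crypto map DCA 20 match address Remote_cryptomap_20
"""
PIX2_SUMMARY = """\
access-list Corp_cryptomap_20 permit ip 10.80.0.0 255.255.252.0 10.5.25.0 255.255.255.0
crypto map Management 20 match address Corp_cryptomap_20
"""


def _network(addr, mask):
    # ipaddress accepts the dotted-mask form PIX uses ("10.80.2.0/255.255.255.0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _operand(tokens, groups):
    """Consume one ACL address operand; return ([networks], remaining tokens)."""
    kind = tokens[0]
    if kind == "any":
        return [_network("0.0.0.0", "0.0.0.0")], tokens[1:]
    if kind == "host":
        return [_network(tokens[1], "255.255.255.255")], tokens[2:]
    if kind == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    return [_network(tokens[0], tokens[1])], tokens[2:]


def parse(cfg):
    """Return (object-groups, acls, name of the ACL the crypto map matches on)."""
    groups, acls, match_acl, current = {}, defaultdict(list), None, None
    for line in cfg.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            current = tok[2]
            groups[current] = []
        elif tok[0] == "network-object" and current is not None:
            nets, _ = _operand(tok[1:], groups)
            groups[current].extend(nets)
        else:
            current = None  # any other line ends object-group sub-mode
            if tok[0] == "access-list" and tok[2] == "permit":
                src, rest = _operand(tok[4:], groups)  # NAME permit PROTO SRC DST
                dst, _ = _operand(rest, groups)
                acls[tok[1]].append((src, dst))
            elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
                match_acl = tok[6]
    return groups, acls, match_acl


def proxy_ids(cfg):
    """Distinct (local, remote) pairs: one IPsec SA pair is negotiated per pair."""
    _, acls, match_acl = parse(cfg)
    pairs = []
    for srcs, dsts in acls[match_acl]:
        for s in srcs:
            for d in dsts:
                if (s, d) not in pairs:
                    pairs.append((s, d))
    return pairs


def mirror_ok(local_cfg, remote_cfg):
    """Peers must offer the same proxy IDs with sides swapped, else quick mode fails."""
    local = set(proxy_ids(local_cfg))
    remote = {(d, s) for s, d in proxy_ids(remote_cfg)}
    return local == remote


def summary_covers(summary_cfg, original_cfg):
    """Every remote network of the original ACL must sit inside a summary ACE."""
    summaries = [d for _, d in proxy_ids(summary_cfg)]
    return all(any(d.subnet_of(s) for s in summaries) for _, d in proxy_ids(original_cfg))


if __name__ == "__main__":
    for name, cfg in (("PIX1", PIX1_CFG), ("PIX2", PIX2_CFG), ("PIX1 summarised", PIX1_SUMMARY)):
        ids = proxy_ids(cfg)
        print(f"{name}: {len(ids)} IPsec SA pair(s)")
        for s, d in ids:
            print(f"  {s} <-> {d}")
    print("original peers mirror:      ", mirror_ok(PIX1_CFG, PIX2_CFG))
    print("summarised peers mirror:    ", mirror_ok(PIX1_SUMMARY, PIX2_SUMMARY))
    print("summary on one side mirrors:", mirror_ok(PIX1_SUMMARY, PIX2_CFG))
```

Run it as-is to see the three proxy-ID pairs the posted config produces and the single pair the summarised ACL produces. Whatever crypto ACL you settle on, the `nat (inside) 0` ACL on each side has to keep covering the same address pairs, otherwise traffic to the newly covered networks gets translated before it reaches the crypto map and never matches.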
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards
