I wanted to let the list know that I figured out why I couldn't hit net2 and
net3 earlier. I was missing a few NAT exemption rules, and now that seems to
work fine. My next and last issue seems to be getting to net1, 2, or 3 while
connected by remote access vpn client to pix1 from the outside. When viewing
the PDM, it appears that the pool of addresses assigned to VPN clients is
associated with the outside interface. When I attempt to add an IPSEC rule
to allow traffic from the VPN pool to traverse the VPN, I get a message
saying communication isn't allowed between interfaces with the same security
level. I think in 7.0 this is remedied with the "same-security-traffic"
command, but 6.3 doesn't seem to have this. Is this a valid workaround, and
is there a similar version of this command for pix 6.3?
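For reference, the PIX 7.0 arrangement the message above alludes to, as an added illustration that is not from anyone in this thread: remote-access client traffic arriving on the outside interface is allowed to turn around and leave through the site-to-site tunnel on that same interface. Every network, name and peer address is a constructed placeholder, and the nat (outside) 0 line is an assumption for the pool-to-remote direction.

```cisco
! Added example in PIX/ASA 7.0 syntax; nothing here is from the thread's own configs.
! Constructed layout: office net 10.1.0.0/16 behind pix1; net1/net2/net3 inside 10.2.0.0/16
! behind pix2; VPN client pool 192.168.100.0/24, which the PIX binds to the outside interface.

! 1. Permit traffic to enter and leave the same interface (the command 6.3 lacks).
same-security-traffic permit intra-interface

! 2. Client address pool.
ip local pool VPNPOOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! 3. NAT exemption: office<->pool, office<->remote nets, and pool->remote nets.
!    The last ACE is the one that is easy to forget for the client-to-remote-site path.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
! Assumption: pool traffic enters on outside, so exempt it on that interface as well.
nat (outside) 0 access-list NONAT

! 4. The site-to-site crypto ACL must name the pool as a protected source;
!    pix2's crypto ACL needs the mirror image (remote nets -> pool) or the SA never forms.
access-list L2L extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list L2L extended permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside

! 5. With split tunnelling, the client's split list must also carry the remote nets,
!    otherwise the client sends that traffic to its local gateway, not into the tunnel.
access-list SPLIT standard permit 10.1.0.0 255.255.0.0
access-list SPLIT standard permit 10.2.0.0 255.255.0.0
group-policy RAVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
```

If the pool-to-remote path still fails, "show crypto ipsec sa" on both peers will show whether a security association for the pool/remote-net pair was ever negotiated, which separates a crypto ACL mismatch from a NAT problem.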
-----Original Message-----
From: Dan Denton [mailto:ddenton@...]
Sent: Tuesday, May 29, 2007 10:03 AM
To: 'Mohamed Farid'; 'firewalls@...'
Subject: RE: Cisco PIX VPN question...
Thanks to all who have responded. I've made some progress but hit another
bump in the road. Here's my network layout..
                                                              [net2]
[office net]--[pix1]------<VPN>------[pix2]---[net1]---[pix3]/
                                                             \
                                                              [net3]
I can get to any host on net1 without any trouble, but I cannot get to net2
or net3. Connection attempts don't seem to go anywhere, and nothing (for the
connections in question) shows up in the logs from any of the PIXes. The
only thing out of the ordinary I've noticed is that in the PDM for pix1,
under the IPSEC rules detailing each of the target networks to be protected,
the IPSEC rules for net2 and net3 have (Null Rule) next to them.
Can anyone tell me why this might be the case? Also, I can connect to pix2
with a VPN client and hit net2 and net3, so I at least know connectivity
isn't an issue. Thanks again...
-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Mohamed Farid
Sent: Sunday, May 27, 2007 1:16 AM
To: firewalls@...
Subject: RE: Cisco PIX VPN question...
I am doing this all the time, especially after most of our clients
migrated to V7.0.
I have a lot of drafts which are working; just email me if you still
need them...
Thanks,
Mohamed Farid
Telecommunication & Security Department Manager
MSCC ( www.mscc.com.eg )
-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Dan Denton
Sent: Tuesday, May 22, 2007 11:33 PM
To: firewalls@...
Subject: Cisco PIX VPN question...
-----Original Message-----
From: Dan Denton [mailto:ddenton@...]
Sent: Monday, May 21, 2007 1:47 PM
To: 'firewalls@...'
Subject: Cisco PIX VPN question...
Hello list...
I have a PIX 506E and a PIX 515E, each at a different location. Each firewall
has a remote access VPN set up. I'd like to set up a point-to-point VPN
connection between the two so users at one location won't have to use their
VPN clients unless they're off site. Each firewall only has one outside and
one inside interface. The 515E is running 7.0 and the 506E is running 6.3.
Does anyone out there have experience setting up the two VPN technologies
simultaneously? I don't want to break the existing remote access VPNs.
Dan Denton