vpn client can't see remote office resources while tunneled

Jul 18, 2001
Hi all. My company has two offices that each use a Pix515UR as a firewall and VPN endpoint, with Cisco 26xx routers connected to Internet T1s. The two offices are connected together via a 1024kb frame circuit using Cisco 26xx routers. Prior to my arriving here, there was no PVC between the offices; they were connected using a VPN-based WAN over the Internet. This all works great, but I have a problem. The previous sysadmin had to configure the Pix so that VPN clients from each office, when tunneled in, could not see hosts in the other office for security reasons. Now, with a dedicated PVC, I want to allow VPN clients from each office to see the other office's hosts while connected. Clients from my remote office can already do this, but clients from the home office cannot. The guy who changed this at the remote site is now gone (I can't ask him about it) and I can't figure out how to make this work. I know it will be simple; can anyone help? Thanks
 
Thanks for replying. I suspect the problem lies in here.

sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto dynamic-map dynmap 15 set transform-set avalanche
crypto map XXXXXXXXX 15 ipsec-isakmp dynamic dynmap
crypto map XXXXXXXXX client configuration address initiate
crypto map XXXXXXXXX client configuration address respond
crypto map XXXXXXXXX client authentication partnerauth
crypto map XXXXXXXXX interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 3600

I can post other configuration stuff if you want. Jeff
 
Hi.

Yes, please post more, or better yet, the whole config.
Do you have "nat 0"?
Do you have related access-list statements?
You should check the PIX configurations on both devices.

Are you using client-to-PIX VPN, PIX-to-PIX, or both?
What is the OS version of each PIX?
What is the VPN client version, if any?
Please provide more info about your private IP addressing and routing.

> Now with a dedicated PVC ...
But if the PVC is between the perimeter routers (outside of the firewalls), then it should still be considered "dirty", or did I miss something?
As far as I understand from your first post, the PVC can improve performance and also security, but it should not be considered a private link if it is on the public side.

> ... I want to allow vpn clients from each office to see the other office's hosts ...
What do you mean by "see hosts"?
Anyway, I think that VPN should be considered in a similar fashion as normal ports that you open - only allow the minimum traffic that you need. i.e. let VPN clients access only the servers they need instead of the whole network.

What kind of test are you using - ping/telnet/http/MS file sharing, etc?
If you are trying to use MS networking, check for name resolution issues.

Check the syslog messages at level 4 to see if the PIX is blocking any traffic. What do you get?

Bye
Yizhar Hurwitz
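To make concrete the "nat 0", access-list and routing pieces Yizhar asks about, here is an added example of what the home-office PIX would typically need for client-to-PIX VPN users to reach the other office over an inside PVC. It is not the original poster's config and not from the thread; it only reuses the crypto map name `XXXXXXXXX` from the posted fragment. Everything else is assumed: home-office inside 10.1.0.0/16, remote-office inside 10.2.0.0/16, a VPN client pool of 192.168.100.0/24, and the frame-relay router sitting on the home-office inside segment at 10.1.0.1. Lines beginning with `!` are annotations, not commands.

```cisco
! Address pool handed to VPN clients (assumed range).
ip local pool vpnpool 192.168.100.1-192.168.100.254
isakmp client configuration address-pool local vpnpool outside
crypto map XXXXXXXXX client configuration address initiate
crypto map XXXXXXXXX client configuration address respond

! "nat 0": traffic between either office LAN and the client pool must
! not be translated. The second line is the one that is usually missing
! when clients can reach the local LAN but not the other office.
access-list nonat permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 10.2.0.0 255.255.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! The remote office LAN is reached through the frame-relay router on the
! inside, so decrypted client traffic can be forwarded inside -> router.
route inside 10.2.0.0 255.255.0.0 10.1.0.1 1

! Already present in the posted config: decrypted IPsec traffic bypasses
! the outside access-list, so no extra outside ACL entry is needed.
sysopt connection permit-ipsec
```

Two checks to pair with this. First, the return path: the remote-office router (and its PIX, if traffic crosses it) needs a route for 192.168.100.0/24 pointing back toward the home-office PIX inside address, otherwise replies from 10.2.x.x hosts go to the wrong place and the client sees timeouts. Second, Yizhar's caveat about where the PVC terminates matters technically as well as for trust: if the frame-relay routers are outside the firewalls, client traffic decrypted on the outside interface would have to leave again via the outside interface, which a PIX of this era does not do, so in that topology the client-to-remote-office path would have to be handled differently rather than with a `route inside`.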
 