Firewall Wizards mailing list archives

VPN LAN to LAN


From: "Anand Subramanian" <anand.sowmya () gmail com>
Date: Tue, 19 Sep 2006 23:20:46 -0500

Hello All,

Following is my scenario.

3550 Switch (10.5.25.50) -> (inside 10.5.25.1) PIX1 (outside 10.5.26.254) -> Internet ->
(outside 172.25.34.7) PIX2 (inside 10.80.2.7) -> 3550 Switch (10.80.2.5, 10.80.1.10, 10.80.0.10)

Based on the above scenario, I have established a VPN tunnel from the 10.5.25.0
network to the 10.80.2.0 network. It works perfectly fine.

1) 3550 switch with IP address 10.5.25.50 has default gateway as 10.5.25.1 (PIX1)
2) 3550 switch with IP address 10.80.2.5 has route statements to 10.5.25.0 through
10.80.2.7
3) PIX1 has routes to 172.25.34.0 and 10.80.2.0 defined.
4) PIX2 has routes defined for 10.5.25.0 and 10.5.26.0
5) PIX2 has routes defined for 10.80.1.0 and 10.80.0.0 pointing to 10.80.2.5
6) All subnets are /24 subnets throughout.
7) All PIXes run ver 6.3.

Please find below the VPN configurations for PIX1 and PIX2.

The thing that really bothers me is that the existing configuration will
establish three VPN tunnels as follows.

1) 10.5.25.0 to 10.80.2.0
2) 10.5.25.0 to 10.80.1.0
3) 10.5.25.0 to 10.80.0.0

I am hoping that there is a way out of this and I would be able to route
traffic from 10.5.25.0 to 10.80.1.0 with only one VPN tunnel between
10.5.25.0 and 10.80.2.0.

I have searched all over the internet for any sample configuration and I am
not able to find it. There should be an easy way to do this. Please help.

PIX1 configuration

object-group network Remote-Networks
 network-object 10.80.2.0 255.255.255.0
 network-object 10.80.1.0 255.255.255.0
 network-object 10.80.0.0 255.255.255.0

object-group network NoNAT-Networks
 network-object 10.80.2.0 255.255.255.0
 network-object 10.80.1.0 255.255.255.0
 network-object 10.80.0.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 10.5.25.0 255.255.255.0 object-group NoNAT-Networks
access-list Remote_cryptomap_20 permit ip 10.5.25.0 255.255.255.0 object-group Remote-Networks

nat (inside) 0 access-list inside_outbound_nat0_acl

sysopt connection permit-ipsec
isakmp enable outside
isakmp key REMOTENET address 172.25.34.7 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map DCA 20 ipsec-isakmp
crypto map DCA 20 match address Remote_cryptomap_20
crypto map DCA 20 set peer 172.25.34.7
crypto map DCA 20 set transform-set ESP-3DES-MD5
crypto map DCA interface outside

route outside 0.0.0.0 0.0.0.0 10.5.26.1

PIX2 configuration

object-group network Local-Networks
 network-object 10.80.2.0 255.255.255.0
 network-object 10.80.1.0 255.255.255.0
 network-object 10.80.0.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip object-group Local-Networks 10.5.25.0 255.255.255.0
access-list Corp_cryptomap_20 permit ip object-group Local-Networks 10.5.25.0 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl

sysopt connection permit-ipsec
isakmp enable outside
isakmp key REMOTENET address 10.5.26.254 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map Management 20 ipsec-isakmp
crypto map Management 20 match address Corp_cryptomap_20
crypto map Management 20 set peer 10.5.26.254
crypto map Management 20 set transform-set ESP-3DES-MD5

route outside 10.5.25.0 255.255.255.0 172.25.34.1
route outside 10.5.26.0 255.255.255.0 172.25.34.1

With regards,
Anand
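The three tunnels counted above fall out of how the PIX expands an object-group in a crypto ACL into one ACE per member, each ACE becoming its own proxy-ID pair and therefore its own IPsec SA pair. The script below is an added example, not part of the original post: it expands the posted PIX1 crypto ACL that way and compares it with a variant whose destination is summarised to 10.80.0.0/22. The /22 summary is an assumption of this example only (it also covers 10.80.3.0/24, and the NoNAT ACL and PIX2's mirror ACL would need the same summary for the proxy IDs to match).

```python
import ipaddress
import re

# Constructed excerpt of PIX1's crypto ACL as posted, plus an added summarised variant.
PIX1_AS_POSTED = """object-group network Remote-Networks
 network-object 10.80.2.0 255.255.255.0
 network-object 10.80.1.0 255.255.255.0
 network-object 10.80.0.0 255.255.255.0
access-list Remote_cryptomap_20 permit ip 10.5.25.0 255.255.255.0 object-group Remote-Networks
"""
PIX1_SUMMARISED = """access-list Remote_cryptomap_20 permit ip 10.5.25.0 255.255.255.0 10.80.0.0 255.255.252.0
"""

def parse_object_groups(config):
    """Return {name: [IPv4Network, ...]} from 'object-group network' stanzas."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif line.startswith(" network-object ") and current is not None:
            addr, mask = line.split()[1:3]
            current.append(ipaddress.IPv4Network(f"{addr}/{mask}"))
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the stanza
    return groups

def _operand(tokens, groups):
    """Consume one ACE address operand ('object-group NAME' or 'ADDR MASK')."""
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    return [ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]

def expand_crypto_acl(config, acl_name):
    """Expand 'permit ip' ACEs of acl_name into the (local, remote) proxy-ID pairs
    the PIX negotiates; each pair needs its own IPsec SA pair, i.e. one 'tunnel'."""
    groups = parse_object_groups(config)
    pairs = []
    for line in config.splitlines():
        t = line.split()
        if t[:4] != ["access-list", acl_name, "permit", "ip"]:
            continue
        srcs, rest = _operand(t[4:], groups)
        dsts, _ = _operand(rest, groups)
        pairs.extend((s, d) for s in srcs for d in dsts)
    return pairs

if __name__ == "__main__":
    for cfg in (PIX1_AS_POSTED, PIX1_SUMMARISED):
        print([f"{s} <-> {d}" for s, d in expand_crypto_acl(cfg, "Remote_cryptomap_20")])
```

Running it prints three proxy-ID pairs for the posted ACL and a single pair for the summarised one.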
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
