Firewall Wizards mailing list archives

Re: VPN LAN to LAN


From: Prabhu Gurumurthy <pgurumu () gmail com>
Date: Fri, 22 Sep 2006 15:05:40 -0700

I don't think there will be any other solution apart from /22 being the 
one, which was provided to you earlier. Again, please state the problem 
that you are facing. What is wrong with having multiple SAs? It is 
perfectly valid according to the RFC, is it not?

Prabhu
-

Anand Subramanian wrote:
The way I can prove that there are 3 SAs established is when I execute 
the command "sh crypto ipsec sa". I believe that there will be an sa 
associated with every tunnel being established. Am I wrong?

I would like to have an SA between 10.5.25.0 and 10.80.2.0 and still be 
able to reach 10.80.0.0 and 10.80.1.0.

Please let me know if you need any further clarifications.

Regards,
Anand

On 9/20/06, vbwilliams () neb rr com wrote:

    I guess I don't understand what your question is.  What exactly doesn't
    work?  And how are you proving that there is 3 VPN tunnels being
    established and not one?

    ----- Original Message -----
    From: Anand Subramanian <anand.sowmya () gmail com>
    Date: Wednesday, September 20, 2006 7:55 am
    Subject: [fw-wiz] VPN LAN to LAN
    To: firewall-wizards () listserv cybertrust com

     > Hello All,
     >
     > Following is my scenario.
     >
     > 3550 Switch (10.5.25.50) -> (inside 10.5.25.1) PIX1 (outside 10.5.26.254) ->
     > Internet ->
     > (outside 172.25.34.7) PIX2 (inside 10.80.2.7) -> 3550 Switch (10.80.2.5, 10.80.1.10, 10.80.0.10)
     >
     > Based on the above scenario, I have established a VPN tunnel from
     > 10.5.25.0 network to 10.80.2.0 network. It works perfectly fine.
     >
     > 1) 3550 switch with IP address 10.5.25.50 has default gateway as
     > 10.5.25.1 (PIX1)
     > 2) 3550 switch with IP address 10.80.2.5 has route statements to
     > 10.5.25.0 through 10.80.2.7
     > 3) PIX1 has routes to 172.25.34.0 and 10.80.2.0 defined.
     > 4) PIX2 has routes defined for 10.5.25.0 and 10.5.26.0
     > 5) PIX2 has routes defined for 10.80.1.0 and 10.80.0.0 pointing to
     > 10.80.2.5
     > 6) All subnets are /24 subnets throughout.
     > 7) All PIXes run ver 6.3.
     >
     > Please find below the VPN configurations for PIX1 and PIX2.
     >
     > The thing that really bothers me is that the existing configuration
     > will establish three VPN tunnels as follows.
     >
     > 1) 10.5.25.0 to 10.80.2.0
     > 2) 10.5.25.0 to 10.80.1.0
     > 3) 10.5.25.0 to 10.80.0.0
     >
     > I am hoping that there is a way out of this and I would be able to
     > route traffic from 10.5.25.0 to 10.80.1.0 with only one VPN tunnel
     > between 10.5.25.0 and 10.80.2.0
     >
     > I have searched all over the internet for any sample configuration
     > and I am not able to find it. There should be an easy way to do this.
     > Please help.
     >
     > PIX1 configuration
     >
     > object-group network Remote-Networks
     >  network-object 10.80.2.0 255.255.255.0
     >  network-object 10.80.1.0 255.255.255.0
     >  network-object 10.80.0.0 255.255.255.0
     >
     > object-group network NoNAT-Networks
     >  network-object 10.80.2.0 255.255.255.0
     >  network-object 10.80.1.0 255.255.255.0
     >  network-object 10.80.0.0 255.255.255.0
     >
     > access-list inside_outbound_nat0_acl permit ip 10.5.25.0 255.255.255.0 object-group NoNAT-Networks
     > access-list Remote_cryptomap_20 permit ip 10.5.25.0 255.255.255.0 object-group Remote-Networks
     >
     > nat (inside) 0 access-list inside_outbound_nat0_acl
     >
     > sysopt connection permit-ipsec
     > isakmp enable outside
     > isakmp key REMOTENET address 172.25.34.7 netmask 255.255.255.255
     > isakmp identity address
     > isakmp policy 20 authentication pre-share
     > isakmp policy 20 encryption 3des
     > isakmp policy 20 hash md5
     > isakmp policy 20 group 2
     > isakmp policy 20 lifetime 86400
     > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
     > crypto map DCA 20 ipsec-isakmp
     > crypto map DCA 20 match address Remote_cryptomap_20
     > crypto map DCA 20 set peer 172.25.34.7
     > crypto map DCA 20 set transform-set ESP-3DES-MD5
     > crypto map DCA interface outside
     >
     > route outside 0.0.0.0 0.0.0.0 10.5.26.1
     >
     > PIX2 configuration
     >
     > object-group network Local-Networks
     >  network-object 10.80.2.0 255.255.255.0
     >  network-object 10.80.1.0 255.255.255.0
     >  network-object 10.80.0.0 255.255.255.0
     >
     > access-list inside_outbound_nat0_acl permit ip object-group Local-Networks 10.5.25.0 255.255.255.0
     > access-list Corp_cryptomap_20 permit ip object-group Local-Networks 10.5.25.0 255.255.255.0
     >
     > nat (inside) 0 access-list inside_outbound_nat0_acl
     >
     > sysopt connection permit-ipsec
     > isakmp enable outside
     > isakmp key REMOTENET address 10.5.26.254 netmask 255.255.255.255
     > isakmp identity address
     > isakmp policy 20 authentication pre-share
     > isakmp policy 20 encryption 3des
     > isakmp policy 20 hash md5
     > isakmp policy 20 group 2
     > isakmp policy 20 lifetime 86400
     > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
     > crypto map Management 20 ipsec-isakmp
     > crypto map Management 20 match address Corp_cryptomap_20
     > crypto map Management 20 set peer 10.5.26.254
     > crypto map Management 20 set transform-set ESP-3DES-MD5
     >
     > route outside 10.5.25.0 255.255.255.0 172.25.34.1
     > route outside 10.5.26.0 255.255.255.0 172.25.34.1
     >
     > With regards,
     > Anand
     >
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards () listserv icsalabs com
    https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
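The behaviour the thread is arguing about, as an added example that is not part of any message in it: a short Python model of how a PIX 6.3 crypto ACL that references an object-group expands into one ACE per network, each ACE becoming its own proxy identity and therefore its own IPsec SA pair, and how the /22 summary suggested above collapses the three pairs into one. The network values are copied from Anand's posted configuration; the function names and the summary-derivation logic are this example's own assumptions, and the script only models selector matching, it does not talk to any device.

```python
"""Added example (not from the thread): model PIX 6.3 crypto-ACL expansion
into proxy identities (one IPsec SA pair each) and the effect of a /22 summary.
Network values are copied from Anand's posted config; function names and the
summary logic are this example's own assumptions."""
import ipaddress
from itertools import product

# Constructed copy of PIX1's Remote-Networks object-group and local network.
REMOTE_NETWORKS = ["10.80.2.0/24", "10.80.1.0/24", "10.80.0.0/24"]
LOCAL_NETWORK = "10.5.25.0/24"


def expand_crypto_acl(local_nets, remote_nets):
    """Expand 'permit ip <local> object-group <remote>' into the individual
    ACEs the PIX derives from it: one (src, dst) pair per combination.
    Each distinct pair is a separate proxy identity, i.e. a separate SA pair."""
    return [(ipaddress.ip_network(src), ipaddress.ip_network(dst))
            for src, dst in product(local_nets, remote_nets)]


def count_sa_pairs(pairs):
    """Number of distinct proxy identities (deduplicated in case of overlap)."""
    return len(set(pairs))


def select_proxy_id(pairs, src_ip, dst_ip):
    """Return the proxy identity whose selectors match a packet, or None when
    no ACE matches (such traffic is not sent through the tunnel at all)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for s, d in pairs:
        if src in s and dst in d:
            return (s, d)
    return None


def summarize(nets):
    """Smallest single prefix covering every listed network: start from the
    first network and widen by one bit until all of them fit inside it."""
    nets = [ipaddress.ip_network(n) for n in nets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def extra_coverage(summary, nets):
    """/24s that the summary pulls into the encryption domain (and into the
    matching nat 0 exemption) although the original object-group never
    listed them: the caveat of replacing three /24s with one /22."""
    listed = {ipaddress.ip_network(n) for n in nets}
    return [s for s in summary.subnets(new_prefix=24) if s not in listed]


if __name__ == "__main__":
    pairs = expand_crypto_acl([LOCAL_NETWORK], REMOTE_NETWORKS)
    print(f"per-/24 object-group: {count_sa_pairs(pairs)} SA pairs")
    print("10.5.25.50 -> 10.80.1.10 uses proxy ID",
          select_proxy_id(pairs, "10.5.25.50", "10.80.1.10"))
    summary = summarize(REMOTE_NETWORKS)
    summ_pairs = expand_crypto_acl([LOCAL_NETWORK], [str(summary)])
    print(f"{summary} summary: {count_sa_pairs(summ_pairs)} SA pair")
    print("also covered by the summary:",
          [str(n) for n in extra_coverage(summary, REMOTE_NETWORKS)])
```

Run as-is it reports three SA pairs for the posted object-group and one for the summary, which is exactly what Anand sees in "sh crypto ipsec sa" and what the /22 advice changes. The caveat worth keeping in mind: 10.80.0.0/22 also covers 10.80.3.0/24, which none of the posted object-groups list, so the crypto ACL and the nat 0 exemption on both PIXes would widen to include it; whether that is acceptable depends on what lives in that range.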




