Case Studies
In the previous section, you saw how to configure and troubleshoot both LAN-to-LAN and Remote Access VPN on the PIX firewall. In this section, you will examine a feature introduced in PIX version 7.0 called Hairpinning, which allows the PIX firewall to act as a hub for Remote Access VPN clients and as a LAN-to-LAN peer at the same time. With Hairpinning, the PIX allows traffic to be routed back out the same interface on which it was received. The case study is based on Figure 7-1 and on the configurations performed in the previous sections for both the LAN-to-LAN tunnel and the Remote Access VPN client.
The goal of this case study is to ensure that the Remote Access VPN client laptop (see Figure 7-1) can make a VPN connection to PIX-A and access the private network behind it (192.168.1.0/24). Additionally, the same Remote Access VPN client must be able to reach the resources on the PIX-B private network (192.168.2.0/24). This is accomplished by creating a LAN-to-LAN tunnel between PIX-A and PIX-B and allowing the VPN client's traffic to use it.
Before you attempt to configure Hairpinning, you must ensure that both the VPN client and the LAN-to-LAN connections work independently. Configuring Hairpinning involves reconfiguring the hub PIX (PIX-A) and the LAN-to-LAN peer (PIX-B). You do not need to make any configuration changes on the VPN client.
Work through the following steps to configure the Hub PIX (PIX-A):
Step 1. Review the LAN-to-LAN and Remote Access VPN connection configurations on PIX-A. Example 7-54 shows the configuration built up so far on PIX-A for both connection types.
Example 7-54. Current Configuration on the PIX-A for both LAN-to-LAN and Remote Access VPN Connections
PIX-A# show running-config
! Showing only the LAN-to-LAN and Remote Access VPN connections on PIX-A
interface Ethernet0
nameif outside
security-level 0
ip address 172.16.172.164 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
! The following access-list is used for the LAN-to-LAN tunnel
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! The following pool assigns the IP address to the VPN Client for the Remote
! Access VPN connection
ip local pool mypool 192.168.0.1-192.168.0.100
route outside 0.0.0.0 0.0.0.0 172.16.172.1 1
! The following lines define the WINS and DNS server IP addresses
group-policy mypolicy internal
group-policy mypolicy attributes
wins-server value 172.16.172.166
dns-server value 172.16.172.165
! The following username is defined for the Remote Access VPN
username cisco password 3USUcOPFUiMCO4Jk encrypted
! The following transform set is used for both LAN-to-LAN and Remote Access VPN
! connections.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
! This dynamic crypto map is for Remote Access VPN
crypto dynamic-map mydyn 1 set transform-set myset
crypto dynamic-map mydyn 1 set reverse-route
! The following lines are for LAN-to-LAN crypto map
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 172.16.172.163
crypto map mymap 10 set transform-set myset
! The following crypto map is for Remote Access VPN
crypto map mymap 20 ipsec-isakmp dynamic mydyn
! Crypto map is applied with the following line on the outside interface.
crypto map mymap interface outside
! ISAKMP is applied on the outside interface
isakmp enable outside
! The following lines are for ISAKMP policy 10 (user defined)
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 43200
! ISAKMP policy 65535 is the default policy on PIX
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
! Tunnel-group name with the Peer IP address is for LAN-to-LAN tunnel
tunnel-group 172.16.172.163 type ipsec-l2l
tunnel-group 172.16.172.163 ipsec-attributes
pre-shared-key *
! Tunnel-group name mygroup is the tunnel-group for Remote Access VPN
tunnel-group mygroup type ipsec-ra
tunnel-group mygroup general-attributes
address-pool mypool
default-group-policy mypolicy
tunnel-group mygroup ipsec-attributes
pre-shared-key *
!
PIX-A#
Step 2. Modify access-list 101 so that the IP local pool addresses are included in the interesting traffic for the LAN-to-LAN tunnel. This is shown in Example 7-55.
Example 7-55. Access-list Modification on the Hub PIX (PIX-A)
PIX-A# show running-config access-list 101
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
PIX-A# configure terminal
! The following line adds the IP local pool addresses to the LAN-to-LAN tunnel,
! so that the Remote Access VPN client can pass traffic through this LAN-to-LAN
! tunnel to the private network behind the PIX-B firewall.
PIX-A(config)# access-list 101 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
PIX-A(config)# show running-config access-list 101
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
PIX-A(config)#
Step 3. Enable Hairpinning on the outside interface with the following command, which permits traffic to leave through the same interface on which it arrived:
PIX-A(config)# same-security-traffic permit intra-interface
Work through the following steps to configure the LAN-to-LAN peer (PIX-B):
Step 1. Be sure that PIX-B can establish a tunnel with the hub PIX (PIX-A) and that their respective private networks can pass traffic through the tunnel.
Step 2. Add an entry to access-list 101 so that the VPN client network is included as interesting traffic for the VPN tunnel on PIX-B. The VPN client network is the IP pool defined on PIX-A for the Remote Access VPN tunnel; in this setup, the pool covers addresses 192.168.0.1-192.168.0.100, which fall within 192.168.0.0/24. Example 7-56 shows the access-list changes needed on PIX-B.
Example 7-56. Access-list Configuration Changes Needed on PIX-B
! Check the existing Access-list for the LAN-to-LAN tunnel
PIX-B(config)# show running-config access-list
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! The following line adds network 192.168.0.0/24, which is the VPN client
! network
PIX-B(config)# access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
! Verify the access-list configuration on PIX-B
PIX-B(config)# show running-config access-list
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
PIX-B(config)#
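The hub-side steps (pool added to the crypto access-list, intra-interface traffic permitted) and the peer-side step (mirror entry on PIX-B) above are easy to get half right, so the following added audit script, which is not from the book or from Cisco, checks a saved running-config for those three conditions. The config excerpts are constructed from this case study, and the function and regex names are the author's own choices.

```python
import ipaddress
import re

# Constructed excerpt of the PIX-A (hub) config after Steps 2 and 3 above, not a live capture.
PIX_A_CONFIG = """
ip local pool mypool 192.168.0.1-192.168.0.100
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
same-security-traffic permit intra-interface
"""
# Constructed excerpt of the PIX-B (peer) config after its Step 2 above.
PIX_B_CONFIG = """
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_aces(config, acl_name):
    """Return [(src_net, dst_net)] for each 'permit ip' entry of the named access-list."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            aces.append((src, dst))
    return aces

def parse_pool(config, pool_name):
    """Return (first, last) addresses of the named 'ip local pool'."""
    m = re.search(rf"^ip local pool {re.escape(pool_name)} (\S+)-(\S+)$", config, re.M)
    if not m:
        raise ValueError(f"pool {pool_name} not found")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def hairpin_checks(hub_config, acl_name, pool_name, remote_lan):
    """Hub-side prerequisites: whole pool covered by an ACE towards the remote LAN, and hairpinning on."""
    remote = ipaddress.ip_network(remote_lan)
    first, last = parse_pool(hub_config, pool_name)
    aces = parse_aces(hub_config, acl_name)
    pool_covered = any(first in s and last in s and remote.subnet_of(d) for s, d in aces)
    intra = "same-security-traffic permit intra-interface" in [l.strip() for l in hub_config.splitlines()]
    return {"pool_in_crypto_acl": pool_covered, "intra_interface_permitted": intra}

def peer_mirrors_hub(hub_config, peer_config, acl_name):
    """True when every hub ACE (src, dst) has its mirror (dst, src) in the peer's access-list."""
    peer = set(parse_aces(peer_config, acl_name))
    return all((d, s) in peer for s, d in parse_aces(hub_config, acl_name))
```

Running the checks against the two excerpts reports both hub conditions true and the PIX-B access-list as a full mirror; dropping the 192.168.0.0/24 entry on either side makes the corresponding check fail.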