topic Re: pix 501 vpn problem in Network Security

pix 501 vpn problem

verstand76 — Fri, 21 Feb 2020 11:37:50 GMT

I can connect but don't see any network resources.

The Vpn Client, ver:5.0.01, is running on an xp machine.

The network it is connecting to is behind a pix501- Ver. 6.3(5).

When the connection is made the remote client gets an assigned address from the vpn pool 192.168.2.10- 192.168.2.25:

The vpn client log shows:

Line:45 18:07:27.898 08/12/09 Sev=Info/4 CM/0x63100034

The Virtual Adapter was enabled:

IP=192.168.2.10/255.255.255.0

DNS=0.0.0.0,0.0.0.0

WINS=0.0.0.0,0.0.0.0

Domain=

Split DNS Names=

This is followed by these lines:

46 18:07:27.968 08/12/09 Sev=Warning/2 CVPND/0xE3400013

AddRoute failed to add a route: code 87

Destination 192.168.1.255

Netmask 255.255.255.255

Gateway 192.168.2.1

Interface 192.168.2.10

47 18:07:27.968 08/12/09 Sev=Warning/2 CM/0xA3100024

Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a8020a, Gateway: c0a80201.

48 18:07:28.178 08/12/09 Sev=Info/4 CM/0x63100038

Successfully saved route changes to file.

49 18:07:28.198 08/12/09 Sev=Info/6 CM/0x63100036

The routing table was updated for the Virtual Adapter

50 18:07:29.760 08/12/09 Sev=Info/4 CM/0x6310001A

One secure connection established

* ...

I can ping, from the remote client, to an inside ip behind the pix even

when I get the "add route failure" shown above, but i can't ping the computer name.

I enabled NAT traversal using the PDM, But when I connect with this option I get the error that the "Remote end is NOT behind a NAT device This end IS behind a NAT device" and ping fails.

Behind the pix are a few computers with no central server so I'm not passing a WINS server to the remote client.

I set up the vpn with the wizard.

Attached is the config file.

Any suggestions would be appreciated.

Regards,

Hugh

Re: pix 501 vpn problem

JORGE RODRIGUEZ — Thu, 13 Aug 2009 18:04:27 GMT

Add to your config NAT-T and try again

pix(config)#isakmp nat-traversal

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1

Regards

Re: pix 501 vpn problem

verstand76 — Thu, 13 Aug 2009 18:14:54 GMT

I did try : isakmp nat-traversal but got the error I noted in my post. I even couldn't ping then. I'll try again. Do I need to add any seconds or just leave blank?

Re: pix 501 vpn problem

JORGE RODRIGUEZ — Thu, 13 Aug 2009 19:07:15 GMT

Could you correct your vpn pool to be consistant with your nonat exempt rule prior to troubleshooting fruther.

you have /28 pool network, that gives 14 hosts and range should start at host .1 to .14 , your config have ip local pool vpp1 192.168.2.10-192.168.2.25

your vpn pool shoudl be:

ip local pool vpp1 192.168.2.1-192.168.2.14

as for the NAT-T the 20 is default so automatically will be added.

[edit]

after you correct vpn pool network range try vpn client and access resources in the 192.168.1.0/24 network.

Post results

Re: pix 501 vpn problem

verstand76 — Thu, 13 Aug 2009 19:29:48 GMT

ok, I'll will change the pool.

I just tried the nat-t but still nothing to "see". I was able to ping inside though, so I must of had some other config setting when ping failed.

I'm still getting the "add route failure" in the client log; is this significant?

the client log shows connected and continues with line after line of

"Sent a keepalive on the IPSec SA"

I'll post new results after pool change.

Thanks,

hugh

Re: pix 501 vpn problem

JORGE RODRIGUEZ — Thu, 13 Aug 2009 19:32:37 GMT

Hugh, correct the pool first and try again.

Re: pix 501 vpn problem

verstand76 — Thu, 13 Aug 2009 19:38:05 GMT

ok, i'm on my way to try the new pool.

hugh

Re: pix 501 vpn problem

verstand76 — Thu, 13 Aug 2009 20:46:49 GMT

I changed the pool. Still can't see computer behind pix.

The ipconfig shows for cisco adapter an ip of 192.168.2.1 but has no default gateway.

In Route Details window: Local LAN routes is empty and Secured routes has 192.168.1.0 255.255.255.0

bytes sent and received show some in the client statistics but if i check the cisco vpn network via network connections it shows 0 bytes sent and received.

VDP port 4500 and says local lan disabled ; i don't understand this as I have 'allow local lan access' checked in the client set up.

I'm still getting the "add route failure"

hugh

Re: pix 501 vpn problem

JORGE RODRIGUEZ — Fri, 14 Aug 2009 01:10:22 GMT

Hugh, ok you corrected the vpn pool, looking at the config seems to be ok split tunnle alcl etc.. which makes me think perhaps vpn client itself or machine, have you tried different version of vpn client , or even from a different machine.

post again an updated config for a second look .

Regards

Re: pix 501 vpn problem

verstand76 — Fri, 14 Aug 2009 13:25:17 GMT

Yes, I've tried client ver. 4.9.61 on a Mac OS X 10.5.7; it connects but I see nothing, nor can I ping.

I have cisco vpn client 5.0.00.0340 which I can try from windows. What do you think?

The windows os I've tried so far is xp home service pack 2 with cisco client 5.0.01 as noted in first post.

I can try from another windows os xp home service pack 3.

attached is latest config

thanks for working on this

Hugh

Re: pix 501 vpn problem

JORGE RODRIGUEZ — Fri, 14 Aug 2009 15:42:42 GMT

Sorry..I did not notice the crypto acl is incorrect , change it to be /28, you have it with a /27.

remove this:

no access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.224

replace with:

permit ip any 192.168.2.0 255.255.255.224

access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.240

post if still issue.

Re: pix 501 vpn problem

verstand76 — Fri, 14 Aug 2009 17:35:57 GMT

ok, i need to get this clear:

you mean replace the line:

access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.224

with this line:

access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.240

hugh

Re: pix 501 vpn problem

JORGE RODRIGUEZ — Fri, 14 Aug 2009 18:40:24 GMT

Yes Hugh, I placed the no in the line.

no access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.224

and add to your config

access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.240

we just need to make config clear and consistant to rule out vpn config discrepancies in your issue.

Regards

Re: pix 501 vpn problem

verstand76 — Fri, 14 Aug 2009 18:58:59 GMT

yes, I see that the 'no' is part of the command. It did remove the line. I'm about to test now.

I noticed in viewing configuration settings through the PDM that under VPN/IPSec Rules in the Remote Side panel (detail view) should both be 192.168.2.0/28 ?

After I changed access-list outside using the command line tool, this panel had 192.168.2.0/28 but below it was 192.168.2.0/27.

I changed this /27 via Edit and saved. an error message came up but it now shows both as 192.168.2.0/28.

I presume this is correct.

hugh

Re: pix 501 vpn problem

JORGE RODRIGUEZ — Fri, 14 Aug 2009 19:30:22 GMT

Yes, try testing again.. after that crypto acl correction at least the vpn config is consistant and narrow down troubleshooting effort.

Make also sure that hosts behind the PIX the 192.168.1.0 network don't have any firewalls turned on so that vpn pool network can ping those hosts by ip.

Re: pix 501 vpn problem

JORGE RODRIGUEZ — Mon, 17 Aug 2009 16:01:39 GMT

Hugh, whats the progress on your issue.

Re: pix 501 vpn problem

verstand76 — Mon, 17 Aug 2009 16:42:57 GMT

Success, I couldn't believe it. It was an enjoyable experience.

I made only one change that I can see by comparing the config files; I removed a specific computer that was in the list of internal networks.

The lines were:

pdm location x.x.x.x 255.255.255.255 inside

http x.x.x x. 255.255.255.255 inside

I'm have no idea if this did it or not. Maybe the problem was that it was in the same subnet as the main http network? I can test later.

I haven't had the same luck with the mac os x vpn client. I can connect and get an ip from the vpn pool but can't ping or find the internal networks. I checked the the routes logged in the mac using netstat but I don't see the ip given by the pix to the mac. If it is connected it must have the route, or at least it seems it should. Maybe this behavior by netstat is normal for a vpn connection.

I was going to work on this later today after other tasks.

Thank you for your help and patience in walking me through this.

regards,

hugh

Re: pix 501 vpn problem

verstand76 — Mon, 17 Aug 2009 16:57:50 GMT

I forgot to mention that even when I connected successfully via windows vpn client, I still got the "addRoute failed to add." ( error code 87 in the vpn client log)

hugh

Re: pix 501 vpn problem

JORGE RODRIGUEZ — Mon, 17 Aug 2009 18:42:08 GMT

Hugh, post an updated config again.

When you say success, then you still get the same error code, what is it ? is it working or not?

In any case PLS post config once again to see where we are, also add to your config prior posting these two statement for testing the access to PIX inside interface IP from RA VPN client.

(config)#management-access inside

(config)#telnet 192.168.2.0 255.255.255.240 inside

Re: pix 501 vpn problem

verstand76 — Mon, 17 Aug 2009 19:41:40 GMT

I'll have to get back to you later with the config and then I can do the changes as suggested. Right now i'm pressed by the usual flood of 'sudden' monday deadlines.

Sorry, I thought I was clear. I can connect and view shared resources via the windows os vpn client. This is what i was unable to do before. while connected I then checked the vpn client log to see if the 'addRoute' error was there and it was.

I concluded that this error was not critical for the problem of viewing the network ( prior to this I had searched the web using "cisco error code 87" and found someone who had a network viewing problem but had solved it and they too still had the "addroute" error. Unfortunately they didn't explain how they solved their problem)

so 'success' meant: yes I can connect and view network resources; but for some reason 'addroute' error still happens

Secondly: I can connect with the mac vpn client but I can't ping internal network nor can i view shared resources behind the pix501. ( both of which I can now do from the windows client)

my line of thought here is it has to do with the mac os X system but I haven't had time to research it yet.

what's your idea behind the testing plan?

Is this something I would monitor from inside the pix?

hugh