VPN with Cisco client

refram — Mon, 11 Mar 2019 10:37:36 GMT

I have set up a VPN with a PIX 506 v. 6.3(5). When I connect through the internet using a Cisco VPN client, the connection is made but I can't ping anything behind the firewall.

Just to test, I set up the PIX in a lab, put the public IP of the gateway on my computer and connected the computer to the outside interface of the PIX. I then connected using the VPN client software and I could ping behind the firewall just fine. It's just when I'm going through the internet that it's a problem. My configuration follows:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password **** encrypted

passwd **** encrypted

hostname IPcommPIX

domain-name computerdata.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inside_outbound_nat0_acl permit ip any 172.27.0.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 172.27.0.0 255.255.255.0 172.27.0.16 255.255.255.240

access-list outside_cryptomap_dyn_20 permit ip any 172.27.0.16 255.255.255.240

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside <outside IP> <mask>

ip address inside <inside IP> <mask>

ip audit info action alarm

ip audit attack action alarm

ip local pool CDI1 <range of internal IPs> mask <mask>

pdm location 172.27.0.0 255.255.255.0 outside

pdm location 172.27.0.16 255.255.255.240 outside

pdm history enablearp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 <outside gateway IP> 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 172.27.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup computerdata address-pool CDI1

vpngroup computerdata dns-server 209.x.x.4 4.2.2.2

vpngroup computerdata idle-time 1800

vpngroup computerdata password ********

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxx

: end

Thoughts?

Re: VPN with Cisco client

acomiskey — Fri, 29 Jun 2007 19:18:02 GMT

add...

isakmp nat-traversal

Please rate helpful posts

Re: VPN with Cisco client

refram — Fri, 29 Jun 2007 19:42:31 GMT

Holey Moley! Fast AND fixed the issue. You rock!

Re: VPN with Cisco client

acomiskey — Fri, 29 Jun 2007 19:44:27 GMT

Thanks, it's the #1 RA Vpn issue so it's an easy on to pick out.

Re: VPN with Cisco client

refram — Sat, 30 Jun 2007 11:47:09 GMT

Okay, so then here's the thing. I'll admit right here in print that I am not a complete "everything-there-is-to-know-about-Cisco-I-know" kind of guy. I didn't do the VPN from scratch, I used the wizard. If this is such a common problem, why isn't the wizard taking it into account? I know, I know, you always ask for it when you use a wizard instead of a CLI. But DUDE! I mean, this apparently happens a lot and it's just one crummy line that fixes the whole thing!

Re: VPN with Cisco client

acomiskey — Sat, 30 Jun 2007 12:24:29 GMT

Well thats a good question maybe someone from Cisco can answer. Here's the doc on common vpn problems...

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

topic Re: VPN with Cisco client in Network Security

VPN with Cisco client

Re: VPN with Cisco client

Re: VPN with Cisco client

Re: VPN with Cisco client

Re: VPN with Cisco client

Re: VPN with Cisco client