08-21-2006 08:21 AM - edited 02-21-2020 10:16 AM
It's a client-to-PIX setup and I need to be able to connect to a server on the LAN. When I connect with the Cisco VPN client it authenticates right away and I get an address from the VPN pool, but I can't access or ping anything, not even the LAN interface on the PIX itself. I think it might be a NAT 0 access-list issue. The network I'm connecting to is 192.168.1.0/24. The network I'm connecting from is the same. The address pool is also within 192.168.1.0.
PIX Version 6.3(5)
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq www
access-list inside_outbound_nat0_acl permit ip any 192.168.2.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.1.128 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.128 255.255.255.192
access-list outside_cryptomap_dyn_40 permit ip any 192.168.1.128 255.255.255.192
access-list outside_cryptomap_dyn_60 permit ip any 192.168.1.128 255.255.255.192
access-list outside_cryptomap_dyn_80 permit ip any 192.168.2.128 255.255.255.192
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool autopool2 192.168.2.150-192.168.2.160
pdm location 192.168.1.200 255.255.255.255 inside
pdm location 192.168.1.128 255.255.255.192 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.1.200 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.200 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.200 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2874 192.168.1.200 2874 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup autogrp address-pool autopool2
vpngroup autogrp dns-server 193.162.153.164 194.239.134.83
vpngroup autogrp idle-time 1800
vpngroup autogrp password ********
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
: end
pixfirewall(config)#
08-21-2006 08:40 AM
Maybe you should create a different VPN pool that is not in the same address space.
ip local pool autopool3 10.1.1.1-10.1.1.10
no vpngroup autogrp address-pool autopool2
vpngroup autogrp address-pool autopool3
08-21-2006 10:06 AM
Actually I already tried that. As you can see the pool is not, as I said, 192.168.1.0 but 192.168.2.0, which is also why it's named "autopool2" and not the previous "autopool".
Nevertheless it's working from my home. When we tested this I was trying it from a neighbor company. I'm also using 192.168.1.0 at my home but.. well, it's working now.
08-21-2006 11:06 AM
1) access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
2) isakmp nat-traversal 3600
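The three conditions this thread circles around (a VPN pool overlapping the inside LAN, a pool that the nat 0 ACL does not exempt, and the client's own LAN colliding with the remote LAN, as in the original post) can be checked mechanically. The following is an added example, not code from the thread; it parses a constructed excerpt of the posted PIX 6.3 config with Python's standard ipaddress module and only inspects ACL destinations, not sources.

```python
import ipaddress

# Constructed excerpt of the PIX 6.3 config posted in this thread (not a full config).
PIX_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip any 192.168.2.128 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.1.128 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
ip local pool autopool2 192.168.2.150-192.168.2.160
nat (inside) 0 access-list inside_outbound_nat0_acl
"""

def parse_config(text):
    """Pull out the inside subnet, the VPN pool range and the nat 0 ACL destinations."""
    inside = pool = nat0_name = None
    acls = {}
    for line in text.splitlines():
        p = line.split()
        if p[:3] == ["ip", "address", "inside"]:
            inside = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
        elif p[:3] == ["ip", "local", "pool"]:
            lo, hi = p[4].split("-")
            pool = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif p[:1] == ["access-list"] and p[2:4] == ["permit", "ip"]:
            # PIX syntax puts the destination last: "<net> <mask>" or "any"
            dst = "0.0.0.0/0" if p[-1] == "any" else f"{p[-2]}/{p[-1]}"
            acls.setdefault(p[1], []).append(ipaddress.ip_network(dst, strict=False))
        elif p[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0_name = p[4]
    return inside, pool, acls.get(nat0_name, [])

def check_remote_access(cfg_text, client_lan):
    """Return the list of problems found; an empty list means none of the three apply."""
    inside, (lo, hi), nat0_dsts = parse_config(cfg_text)
    pool_nets = list(ipaddress.summarize_address_range(lo, hi))
    findings = []
    # 1. Pool addresses inside the LAN subnet clash with hosts that live on that LAN
    if any(n.overlaps(inside) for n in pool_nets):
        findings.append("pool_overlaps_inside")
    # 2. Every pool address must be matched by the nat 0 ACL, or replies are translated
    if not all(any(n.subnet_of(d) for d in nat0_dsts) for n in pool_nets):
        findings.append("pool_not_exempt_from_nat")
    # 3. If the client's own LAN matches the remote LAN, the client routes locally, not via the tunnel
    if ipaddress.ip_network(client_lan).overlaps(inside):
        findings.append("client_lan_overlaps_inside")
    return findings

if __name__ == "__main__":
    # The original poster's situation: connecting from a 192.168.1.0/24 network
    print(check_remote_access(PIX_CONFIG, "192.168.1.0/24"))
```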