10-30-2007 08:07 AM - edited 02-21-2020 01:45 AM
I am able to connect to my PIX 515e, but after I am connected I can't ping across it. I try to ping the inside from a PC that I have directly connected to the outside. Here is the config file; hope this helps.
MTBFirewall(config)# sh run
: Saved
:
PIX Version 7.0(4)
!
hostname MTBFirewall
domain-name default.domain.invalid
enable password xxx
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 209.x.x.x.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.30.4.100 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd xxx
ftp mode passive
access-list nonat extended permit ip 172.30.4.0 255.255.255.0 172.30.8.0 255.255.255.0
access-list test extended permit ip 172.30.4.0 255.255.255.0 any
access-list test extended permit ip any 172.30.4.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 172.30.8.1-172.30.8.100 mask 255.255.255.0
no failover
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
nat (inside) 1 172.30.4.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Administrator internal
group-policy vpncert internal
group-policy vpncert attributes
vpn-idle-timeout 30
username reedd password xxx encrypted
http server enable
http 172.30.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group vpncert type ipsec-ra
tunnel-group vpncert general-attributes
address-pool vpnpool
default-group-policy vpncert
tunnel-group vpncert ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
10-30-2007 01:01 PM
David,
For an outside-to-inside connection you need a couple of things: a static and an ACL.
Here's a sample configuration that would give you an idea.
Let's say you have the following setup. If you want to ping the inside host from outside, then the configuration below would make it work.
Inside PC - 172.30.4.50
Outside PC - 209.16.115.2
static (inside,outside) 172.30.4.50 172.30.4.50
access-list acl_outside permit icmp host 209.16.115.2 host 172.30.4.50
access-group acl_outside in interface outside
In this example the static is doing no-NAT of the inside address, but you can use a global address for the inside host if you so desire.
HTH
Sundar
10-31-2007 05:30 AM
Sundar,
It seems to me that you are creating an explicit ACL to allow the outside PC access through to the inside. What I want is for any PC that gets a new IP address from the vpnpool to be able to ping the inside.
Is your way the only way to do this? It seems to bypass the VPN.
11-01-2007 09:33 AM
Hi,
After you connect the VPN client and try to ping an IP address on the inside, do you see the counters increasing under Packets TX and RX on the client side? If you see only TX increasing, can you do a "show crypto ipsec sa" and look at the packets Encrypts and Decrypts counters?
Also, do a "clear xlate" on the PIX and try pinging again.
I hope it helps.
Regards,
Arul
11-02-2007 08:46 PM
Add "crypto map mymap 10 set reverse-route" to allow your routing to work correctly for this tunnel back to your client. And if you want to access the Internet across this VPN tunnel, given that you do not want split tunneling and you have DNS servers specified under your group, you should specify your config like this:
nat (outside) 1 172.30.8.0 255.255.255.0
global (outside) 1 int
HTH
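As an added example that is not part of this thread and not Cisco tooling, the Python script below reads a PIX 7.x "show run" text and reports on the points the replies raise: whether the "nat (inside) 0 access-list" exemption covers every address in the VPN pool, whether the crypto map sets reverse-route, whether the pool has a nat/global pair on the outside interface for non-split-tunnel Internet access, and whether Sundar's static plus inbound ACL exists for outside-initiated pings. The two configuration excerpts are constructed from the lines posted in the thread (the second one adds the suggested lines); the function names and the regex-based parsing are assumptions of this example and cover only the syntax shown on this page.

```python
# Added example: audit a PIX 7.x running-config excerpt for the VPN reachability points in this thread.
import re
from ipaddress import ip_address, ip_network, summarize_address_range

# Constructed excerpt modelled on the configuration posted at the top of the thread.
POSTED_CONFIG = """\
access-list nonat extended permit ip 172.30.4.0 255.255.255.0 172.30.8.0 255.255.255.0
access-list test extended permit ip 172.30.4.0 255.255.255.0 any
ip local pool vpnpool 172.30.8.1-172.30.8.100 mask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 172.30.4.0 255.255.255.0
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
"""
# Same excerpt plus the lines the replies suggest (reverse-route, nat/global for the pool on
# the outside interface, and Sundar's static + inbound ACL). Constructed for illustration.
SUGGESTED_CONFIG = POSTED_CONFIG + """\
crypto map mymap 10 set reverse-route
nat (outside) 1 172.30.8.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 172.30.4.50 172.30.4.50
access-list acl_outside permit icmp host 209.16.115.2 host 172.30.4.50
access-group acl_outside in interface outside
"""

def _take_addr(tokens, i):
    """Consume one ACE address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acls(config):
    """Map ACL name -> list of (action, protocol, src_network, dst_network)."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        i = 3 if t[2] == "extended" else 2   # 'extended' keyword is optional in 7.x
        action, proto = t[i], t[i + 1]
        src, i = _take_addr(t, i + 2)
        dst, i = _take_addr(t, i)
        acls.setdefault(t[1], []).append((action, proto, src, dst))
    return acls

def parse_pool(config):
    """Return the networks that exactly cover the 'ip local pool' range, or [] if none."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    if not m:
        return []
    return list(summarize_address_range(ip_address(m.group(1)), ip_address(m.group(2))))

def nonat_covers_pool(config):
    """Does the ACL named by 'nat (...) 0 access-list' exempt IP traffic to every pool address?"""
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    pool = parse_pool(config)
    if not m or not pool:
        return False
    aces = parse_acls(config).get(m.group(1), [])
    return all(any(a == "permit" and p == "ip" and net.subnet_of(dst)
                   for a, p, _, dst in aces) for net in pool)

def has_reverse_route(config):
    """The 'set reverse-route' the last reply recommends for the return path to the client."""
    return re.search(r"^crypto (?:dynamic-map|map) \S+ \d+ set reverse-route",
                     config, re.M) is not None

def pool_has_outside_nat(config):
    """'nat (outside) N <pool>' paired with 'global (outside) N', for non-split-tunnel access."""
    pool = parse_pool(config)
    for m in re.finditer(r"^nat \(outside\) (\d+) (\S+) (\S+)", config, re.M):
        nat_id, addr, mask = m.groups()
        net = ip_network(f"{addr}/{mask}", strict=False)
        if pool and all(p.subnet_of(net) for p in pool) and \
           re.search(rf"^global \(outside\) {nat_id} ", config, re.M):
            return True
    return False

def outside_to_inside_static_acl(config):
    """Sundar's outside-initiated path: a static for the host plus an ACL applied inbound on outside."""
    has_static = re.search(r"^static \(inside,outside\) ", config, re.M) is not None
    ag = re.search(r"^access-group (\S+) in interface outside", config, re.M)
    return has_static and ag is not None and ag.group(1) in parse_acls(config)

def audit(config):
    return {
        "nonat_covers_pool": nonat_covers_pool(config),
        "reverse_route": has_reverse_route(config),
        "pool_outside_nat": pool_has_outside_nat(config),
        "outside_to_inside_static_acl": outside_to_inside_static_acl(config),
    }

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("with suggested lines", SUGGESTED_CONFIG)):
        print(label, audit(cfg))
```

Run against the posted excerpt, the audit shows that the nonat ACL already covers the whole 172.30.8.1-100 pool (so the ping failure is not a NAT-exemption gap), while reverse-route, the outside nat/global pair and the static/ACL are all absent; the suggested excerpt reports all four present. The pool is expanded with summarize_address_range rather than assumed to be the /24 from the mask line, so a pool that spills outside the exemption ACL's destination is caught.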