09-28-2012 03:19 PM - edited 03-11-2019 05:01 PM
Hi,
I just installed a PIX 515E (IOS ver 6.2) in my network, and the VPN users can connect to it from the internet successfully, but they aren't able to connect to any of the internal resources. Some other information: I configured NAT between the internal network (10.0.0.0/24) and the internet and another static NAT policy for an internal resource through another public IP address on the outside interface. But right now I need to let the VPN clients connect to my internal resources.
thanks
09-28-2012 06:23 PM
You would need to configure NAT exemption for the VPN subnet as follows:
E.g.:
vpn pool is 192.168.12.0/24
internal subnet is 10.0.0.0/24
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (inside) 0 access-list nonat
Then "clear xlate" after the above changes. The VPN Client should have access to the internal networks.
If it doesn't, please kindly share your config.
09-29-2012 08:14 AM
Hi Jennifer,
Thanks for your reply. I've tried what you said with more than one NAT method, and I also tried NAT exemption as you told me above, but unfortunately I'm not able to connect to my internal resources. Below you'll find my running-config to take a look at it. So kindly read it and let me know please if you have any solution. Thanks again.
Building configuration...
: Saved
:
PIX Version 6.2(4)
nameif ethernet0 inside security100
nameif ethernet1 outside security0
names
name 10.0.0.0 Internal_Network
name 192.168.1.0 VPN_Clients
name 0.0.0.0 any_net
name 10.0.0.x DVR
access-list inside_access_in permit ip any host x.x.x.x
access-list outside_access_in permit ip Internal_Network 255.255.255.0 any
access-list lenda_vpn_splitTunnelAcl permit ip Internal_Network 255.255.255.0 any
access-list splitTunnelAcl permit ip Internal_Network 255.255.255.0 any
access-list nonat permit ip Internal_Network 255.255.255.0 VPN_Clients 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any VPN_Clients 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
ip address inside x.x.x.x x.x.x.x
ip address outside x.x.x.x x.x.x.x
ip audit info action alarm
ip audit attack action alarm
ip local pool Cisco_VPN_192 192.168.1.1-192.168.1.50
ip local pool PPTP_51_100 192.168.1.51-192.168.1.100
ip local pool L2TP_101_150 192.168.1.101-192.168.1.150
pdm location any_net 255.255.255.255 outside
pdm location any_net 255.255.255.255 inside
pdm location VPN_Clients 255.255.255.0 outside
pdm location DVR 255.255.255.255 inside
pdm location VPN_Clients 255.255.255.128 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 Internal_Network 255.255.255.0 dns 0 0
static (inside,outside) 207.x.x.x DVR netmask 255.255.255.255 0 0
access-group outside_access_in in interface inside
access-group inside_access_in in interface outside
route outside any_net any_net 207.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
no sysopt route dnat
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable inside
isakmp enable outside
isakmp key ******** address any_net netmask any_net
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mycompany address-pool Cisco_VPN_192
vpngroup mycompany dns-server 207.x.x.x 207.x.x.x
vpngroup mycompany split-tunnel ezmobile_splitTunnelAcl
vpngroup mycompany idle-time 1800
vpngroup mycompany password ********
vpngroup lenda_vpn address-pool Cisco_VPN_192
vpngroup lenda_vpn dns-server 207.x.x.x 207.x.x.x
vpngroup lenda_vpn split-tunnel lenda_vpn_splitTunnelAcl
vpngroup lenda_vpn idle-time 1800
vpngroup lenda_vpn password ********
vpdn group L2TP_VPN accept dialin l2tp
vpdn group L2TP_VPN ppp authentication chap
vpdn group L2TP_VPN ppp authentication mschap
vpdn group L2TP_VPN client configuration address local L2TP_101_150
vpdn group L2TP_VPN client configuration dns 207.172.x.x 207.172.x.x
vpdn group L2TP_VPN client authentication local
vpdn group L2TP_VPN l2tp tunnel hello 60
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local PPTP_51_100
vpdn group PPTP-VPDN-GROUP client configuration dns 207.172.x.x 207.172.x.x
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username **** password *********
vpdn username **** password *********
vpdn username **** password *********
vpdn enable inside
vpdn enable outside
: end
[OK]
09-29-2012 08:15 PM
Please kindly remove the following:
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
Also, is your VPN connection passing through any NAT device? If it is, then ESP, as part of the IPsec protocols, normally can't pass through a NAT device, and only from version 6.3 onwards can you enable NAT-T, which encapsulates ESP in UDP/4500.
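As an added example (not code from the thread or from Cisco), here is a Python check that reads a PIX 6.x running-config and flags the two things raised in the answers above: address pools whose range is not covered by the nat 0 exemption ACL, and a transform set left in transport mode while a dynamic crypto map uses it. The config excerpt is constructed to mirror the thread's addresses; the function and helper names are this example's own.

```python
import ipaddress

# Constructed PIX 6.x config excerpt (only the lines this check reads); the
# addresses mirror the thread (10.0.0.0/24 inside, 192.168.1.x VPN pools).
SAMPLE_CONFIG = """
name 10.0.0.0 Internal_Network
name 192.168.1.0 VPN_Clients
access-list nonat permit ip Internal_Network 255.255.255.0 VPN_Clients 255.255.255.0
ip local pool Cisco_VPN_192 192.168.1.1-192.168.1.50
ip local pool PPTP_51_100 192.168.1.51-192.168.1.100
ip local pool L2TP_101_150 192.168.1.101-192.168.1.150
nat (inside) 0 access-list nonat
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
"""


def _operand(t, i, names):
    """Parse one ACL address operand at t[i] (any | host X | X MASK)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(names.get(t[i + 1], t[i + 1])), i + 2
    addr = names.get(t[i], t[i])  # resolve 'name' aliases to addresses
    return ipaddress.ip_network(f"{addr}/{t[i + 1]}", strict=False), i + 2


def check_vpn_config(config):
    """Report pools outside the nat 0 exemption ACL and transport-mode sets in a dynamic map."""
    lines = [ln.split() for ln in config.splitlines() if ln.split()]
    names, pools, transport, dyn_sets, exempt, nonat_acl = {}, {}, set(), set(), [], None
    for t in lines:
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[:3] == ["ip", "local", "pool"]:  # range is "first-last"
            pools[t[3]] = tuple(ipaddress.ip_address(a) for a in t[4].split("-"))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nonat_acl = t[4]
        elif t[:3] == ["crypto", "ipsec", "transform-set"] and t[4:6] == ["mode", "transport"]:
            transport.add(t[3])
        elif t[:2] == ["crypto", "dynamic-map"] and t[4:6] == ["set", "transform-set"]:
            dyn_sets.update(t[6:])
    # second pass: the exemption ACL is normally defined before the nat 0 line
    for t in lines:
        if t[:2] == ["access-list", nonat_acl] and t[2:4] == ["permit", "ip"]:
            _, i = _operand(t, 4, names)          # skip the source operand
            exempt.append(_operand(t, i, names)[0])  # keep the destination
    # a pool is exempt only if both ends of its range fall in one exempted network
    not_exempt = [p for p, (lo, hi) in pools.items() if not any(lo in n and hi in n for n in exempt)]
    return {"pools_not_exempt": not_exempt, "transport_mode_in_dynamic_map": sorted(transport & dyn_sets)}
```

Run it on the output of `show running-config` to confirm every pool handed to IPsec, PPTP and L2TP clients is covered by the exemption before troubleshooting further.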
09-30-2012 10:29 AM
Hi Jennifer,
Actually, I tried the VPN connection yesterday with the Cisco VPN client software and I was able to successfully reach my internal resources. But when I try a Microsoft VPN connection from a Windows PC, it does connect successfully, but I can't reach the internal resources. Actually, I need both types of VPN connections because not all clients will use the Cisco VPN software.
Thanks, and I look forward to your reply.
Labib
10-03-2012 05:34 AM
The Microsoft client should also be able to reach your internal resources if you are able to connect with the Cisco VPN client.