i have a pix 525 and am trying to setup remote access to it. i can connect but i can't ping any ips on the lan...at all. in fact the only thing it does is connect and get an ip. below is the config. i have added in a crypto isakmp nat-traversal 30 to it that is not shown.
: Written by enable_15 at 06:25:46.787 UTC Fri Oct 18 2013
PIX Version 8.0(4)
enable password * encrypted
passwd * encrypted
ip address dhcp setroute
ip address 10.1.1.1 255.0.0.0
no ip address
no ip address
no ip address
no ip address
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
object-group icmp-type ICMPObject
access-list outside_access_in extended permit icmp any any object-group ICMPObject
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ThcIPPool 10.1.1.40-10.1.1.49
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 288
crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
crypto isakmp policy 65535
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username [username] password [password] encrypted
tunnel-group THCVpnGroup type remote-access
tunnel-group THCVpnGroup general-attributes
tunnel-group THCVpnGroup ipsec-attributes
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
Solved! Go to Solution.
woops. i see. you can only specify it one time. that is silly. i guess i will have to make the modification and clump it under one acl.
Yes, you build the NAT0 rules that you need on a single ACL for a specific interface. If you had a DMZ interface that interface would have its own "nat" command and "access-list" for it.
But I am not sure if its really a problem since you can use the ACL to control the NAT0 behaviour. In the newer softwares you would not even be using ACLs to do NAT0.
I am not sure how you would be able to contact internal hosts with DNS names if you are using an external DNS server only? You would have to have configurations on the clients host file?
Remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed though.
internal hosts can ping ip and host name of all inside hosts.
outside hosts can only ping by ip.
that is the part which does not make sense.
As I said, I am not sure how your VPN Client could possibly be told by a public DNS server a name of a server/host on your internal network?
If your internal hosts are not using some internal DNS server then it must be related to the Windows network configurations that they are able to connect by name. But external DNS server wont be able to tell you the IP address of your internal servers on the basis of their name. They simply dont have that information.
I am not that familiar with the specifics of Windows host networks but to my understanding they either work by broadcast traffic or with configured name servers on the hosts. If your internal networks name based communication is based on the broadcast communication then that naturally wont work through the VPN connection as the broadcasts stop at the first L3 hop in the network.
So either use some internal name server to reach the hosts, host file on the VPN Client computer OR connect with IP address.