jeff slansky

No one can seem to help. Can you?

I have a PIX 525 and am trying to set up remote access to it. I can connect, but I can't ping any IPs on the all. In fact, the only thing it does is connect and get an IP. Below is the config. I have added a crypto isakmp nat-traversal 30 to it that is not shown.

show config
: Saved
: Written by enable_15 at 06:25:46.787 UTC Fri Oct 18 2013
PIX Version 8.0(4)
hostname thcvpn01
enable password * encrypted
passwd * encrypted
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet1
nameif inside
security-level 100
ip address
interface Ethernet2
no nameif
no security-level
no ip address
interface Ethernet3
no nameif
no security-level
no ip address
interface Ethernet4
no nameif
no security-level
no ip address
interface Ethernet5
no nameif
no security-level
no ip address
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
object-group icmp-type ICMPObject
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group ICMPObject
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ThcIPPool
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! Dynamic PAT to the outside interface address; no NAT exemption (nat 0) entry is present
global (outside) 101 interface
nat (inside) 101
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! IPsec phase 2: transform set and dynamic crypto map for remote-access clients
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 288
crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
! IKE phase 1 policies (pre-shared key, 3DES, SHA, DH group 2)
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username [username] password [password] encrypted
! Remote-access tunnel group; no group-policy is referenced, so DfltGrpPolicy applies
tunnel-group THCVpnGroup type remote-access
tunnel-group THCVpnGroup general-attributes
address-pool ThcIPPool
tunnel-group THCVpnGroup ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context

Woops, I see. You can only specify it one time. That is silly. I guess I will have to make the modification and clump it under one ACL.

Yes, you build the NAT0 rules that you need on a single ACL for a specific interface. If you had a DMZ interface, that interface would have its own "nat" command and "access-list" for it.

But I am not sure if it's really a problem, since you can use the ACL to control the NAT0 behaviour. In the newer software versions you would not even be using ACLs to do NAT0.

I am not sure how you would be able to contact internal hosts with DNS names if you are using an external DNS server only? You would have to have configurations in the clients' hosts file?

Remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed though.

- Jouni
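As an added example (not from the original thread), this is what the single nat 0 ACL Jouni describes looks like on the poster's PIX 8.0(4), followed by the equivalent on ASA 8.3 and later, where NAT exemption no longer goes through an ACL. The addresses are assumptions: 192.168.1.0/24 and 192.168.2.0/24 for inside networks (the inside address and pool range are elided in the config above) and 192.168.100.0/24 for the ThcIPPool client range.

```cisco
! Added example, not part of the original thread. Assumed addresses:
! inside LANs 192.168.1.0/24 and 192.168.2.0/24, VPN client pool 192.168.100.0/24.

! --- PIX/ASA 8.0: NAT exemption ("nat 0") is driven by one ACL per interface ---
! Every inside subnet the VPN clients must reach gets its own line in the SAME ACL.
! Source is the inside network, destination is the client pool.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
! Only one "nat (inside) 0 access-list" is accepted per interface; entering it again
! with a different ACL name replaces the first rule rather than adding to it.
nat (inside) 0 access-list inside_nat0_outbound
! The existing "global (outside) 101" / "nat (inside) 101" PAT rules stay as they are;
! nat 0 is evaluated before dynamic NAT, so only the matched traffic is exempted.

! --- ASA 8.3 and later (not available on a PIX 525, which ends at 8.0) ---
! The same exemption as an identity twice-NAT rule; no ACL is involved.
object network INSIDE_LAN
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static VPN_POOL VPN_POOL

! Check: while a connected client pings an inside host, the hit counts on the
! exemption ACL (8.0) or the translate_hits in "show nat" (8.3+) should increase.
show access-list inside_nat0_outbound
show nat
```

If the ping still fails after the hit counts go up, the remaining suspects are on the inside host itself (a personal firewall dropping ICMP from the 192.168.100.x range, or a default gateway that is not the PIX), not the translation.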


Internal hosts can ping the IP and host name of all inside hosts.

Outside hosts can only ping by IP.

That is the part which does not make sense.

As I said, I am not sure how your VPN Client could possibly be told by a public DNS server the name of a server/host on your internal network?

If your internal hosts are not using some internal DNS server, then it must be related to the Windows network configuration that they are able to connect by name. But an external DNS server won't be able to tell you the IP address of your internal servers on the basis of their name. They simply don't have that information.

I am not that familiar with the specifics of Windows host networks, but to my understanding they either work by broadcast traffic or with configured name servers on the hosts. If your internal network's name-based communication is based on broadcast communication, then that naturally won't work through the VPN connection, as the broadcasts stop at the first L3 hop in the network.

So either use some internal name server to reach the hosts, a hosts file on the VPN Client computer, OR connect with the IP address.

- Jouni
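As an added example (not from the thread), the internal-name-server option Jouni lists can be set up from the PIX side by pushing an inside DNS server, a WINS server for NetBIOS names, and a default domain to the VPN client through a group policy. The 192.168.1.x server addresses and the thc.local domain are assumptions; the tunnel group and pool names are the ones in the config above.

```cisco
! Added example, not part of the original thread. Assumes an inside DNS server at
! 192.168.1.10, a WINS server at 192.168.1.11 and the Windows domain thc.local.
group-policy THCVpnPolicy internal
group-policy THCVpnPolicy attributes
 vpn-tunnel-protocol IPSec
 dns-server value 192.168.1.10
 wins-server value 192.168.1.11
 default-domain value thc.local
! Attach the policy to the existing remote-access tunnel group so that the
! client receives the servers and domain when the tunnel comes up
tunnel-group THCVpnGroup general-attributes
 address-pool ThcIPPool
 default-group-policy THCVpnPolicy
! Check: the session should now list the pushed attributes
show vpn-sessiondb remote
```

Both servers must themselves sit in a subnet covered by the NAT exemption ACL, otherwise the client's queries are translated the same way its pings are. A WINS server also covers the broadcast case Jouni describes: hosts that only announce themselves by NetBIOS broadcast get a unicast registration point that a VPN client can query across the L3 hop.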
