05-26-2008 05:15 PM - edited 03-11-2019 05:50 AM
Got a PIX 506E configured for VPN Client Access.
VPN Client connects however cannot ping anything on the LAN.
Confirmed config with other Cisco Docs and is okay.
Please help
05-26-2008 05:37 PM
Does your config have NAT-T enabled? If not, please enable it and try. If no joy, please post a sanitized PIX config; it could be your ACL not allowing the VPN pool network access to your inside network.
PIX(config)#isakmp nat-traversal 20
Rgds
-Jorge
05-26-2008 05:55 PM
Yes, tried that and still not working:
Config below:
access-list vpn permit ip host 10.32.1.1 192.168.10.0 255.255.255.0
access-list split_vpn permit ip host 10.32.1.1 192.168.10.0 255.255.255.0
ip local pool vpnpool 192.168.10.0 mask 255.255.255.0
crypto ipsec transform-set espvpn esp-des esp-md5-hmac
crypto dynamic-map money 10 set transform-set espvpn
crypto map pixnet 10 ipsec-isakmp dynamic money
crypto map pixnet client configuration address initiate
crypto map pixnet client authentication LOCAL
crypto map pixnet interface outside
isakmp nat-traversal 20
vpngroup vpnclient address-pool vpnpool
vpngroup vpnclient dns-server 10.32.1.1
vpngroup vpnclient split-tunnel split_vpn
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password *******
05-26-2008 06:16 PM
Any nat statements?
I would add the below statement, please try and let me know.
nat (inside) 0 access-list vpn
05-26-2008 06:23 PM
Yes, forgot to include that in the config earlier.
05-26-2008 06:53 PM
One thing I have noticed is your VPN pool range; you would normally configure a range.
ip local pool vpnpool 192.168.10.0 mask 255.255.255.0
I do not think a connected host would get an IP from the pool. When the client connects, can you issue "show ip local pool" to confirm an address has been provided by your current VPN pool?
Normally you would configure a range in this syntax:
ip local pool vpnpool 192.168.10.xx-192.168.10.xx
Enabling NAT-T should have resolved it, but I wonder if your VPN pool is your issue.
05-26-2008 07:04 PM
Thanks for noticing,
Yeah, it assigns an IP address. I've changed that to 192.168.10.1 - 192.168.10.20 and it assigns an IP address, however I'm still unable to ping.
05-26-2008 07:35 PM
The host you are trying to ping, 10.32.1.1, does it respond to pings from the internal LAN?
Note that this is the only host permitted in your ACL.
05-26-2008 07:46 PM
Yes, it does.
05-26-2008 09:57 PM
Hi Jorge, nice new badge m8 :)
Ralema, can you please attach your full sanitized config?
05-27-2008 02:31 PM
Once you have it, download and delete.
05-27-2008 02:52 PM
Dude,
I suggest next time you upload your config, remove any passwords / public IPs.
francisco.
05-28-2008 01:51 AM
Ralema,
Please do below modifications
no vpngroup pixnet split-tunnel 110
vpngroup pixnet split-tunnel 120
fixup protocol icmp
Also I see a statement with "tcp" in your ACL 110, which is your NAT exempt ACL. It is not recommended to use port statements in network ACLs for firewall devices, like split tunnels and NATs, as it would impact the L3 processing of the firewall: it will also have to process the port portion of packets during routing.
Also, you know that you've permitted your VPN clients to establish connections with only 172.16.1.3 and 172.16.1.20, so try pinging them. Also make sure no software firewall is enabled. If enabled, modify the exceptions accordingly (Windows firewall exceptions by default permit traffic from the same subnet only! That will drop VPN client connections).
Regards
05-28-2008 05:52 AM
Huseyin, good to hear from you, friend!!
Ralema, do as Huseyin suggested and you'll be running in no time.
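The checks raised across this thread (NAT-T present, ACL entries carrying permit/deny, no port-level entries in the nat 0 exempt ACL, the pool written as a start-end range, the split-tunnel ACL actually defined) can be run over a saved PIX 6.x config before opening a case. This is an added example, not code from the thread or from Cisco; the SAMPLE_CONFIG is constructed to mirror the fragment posted above, and the lint rules are the thread's own advice, not an official PIX validator.

```python
import re

# Constructed sample modelled on the posted fragment: pool as a bare network,
# split-tunnel ACL missing "permit", a tcp entry in the nat-exempt ACL.
SAMPLE_CONFIG = """\
access-list vpn permit ip host 10.32.1.1 192.168.10.0 255.255.255.0
access-list vpn permit tcp host 10.32.1.2 192.168.10.0 255.255.255.0 eq 80
access-list split_vpn ip host 10.32.1.1 192.168.10.0 255.255.255.0
ip local pool vpnpool 192.168.10.0 mask 255.255.255.0
nat (inside) 0 access-list vpn
isakmp nat-traversal 20
vpngroup vpnclient address-pool vpnpool
vpngroup vpnclient split-tunnel split_vpn
"""

ACL_RE = re.compile(r"^access-list (\S+) (\S+)")


def lint_vpn_config(text):
    """Return a list of findings for the client-VPN checks discussed in the thread."""
    findings = []
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    acls = {}  # ACL name -> list of its entry lines
    for l in lines:
        m = ACL_RE.match(l)
        if m and m.group(2) != "remark":
            acls.setdefault(m.group(1), []).append(l)
    # 1. NAT-T must be enabled for clients behind a NAT device.
    if not any(l.startswith("isakmp nat-traversal") for l in lines):
        findings.append("nat-t: isakmp nat-traversal missing")
    # 2. Every ACL entry needs an action (permit/deny) before the protocol.
    for name, entries in acls.items():
        for e in entries:
            if e.split()[2] not in ("permit", "deny"):
                findings.append(f"acl {name}: entry lacks permit/deny: {e}")
    # 3. The nat 0 (exempt) ACL should not carry port-level (tcp/udp) entries.
    for l in lines:
        m = re.match(r"^nat \(\S+\) 0 access-list (\S+)", l)
        if m:
            for e in acls.get(m.group(1), []):
                if re.search(r"\b(tcp|udp)\b", e):
                    findings.append(f"nat0 acl {m.group(1)}: port-level entry: {e}")
    # 4. The client pool should be an explicit start-end range, not a bare network.
    for l in lines:
        m = re.match(r"^ip local pool (\S+) (\S+)", l)
        if m and "-" not in m.group(2):
            findings.append(f"pool {m.group(1)}: use a start-end range, not {m.group(2)}")
    # 5. The ACL a vpngroup split-tunnel refers to must actually exist.
    for l in lines:
        m = re.match(r"^vpngroup \S+ split-tunnel (\S+)", l)
        if m and m.group(1) not in acls:
            findings.append(f"split-tunnel acl {m.group(1)} not defined")
    return findings
```

Running `lint_vpn_config(SAMPLE_CONFIG)` reports the three problems the thread walks through; a config with the corrected pool, a permit on the split-tunnel ACL and no tcp entry in the exempt ACL returns an empty list.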