Pix 515E route outside Broke?

bmahaffey
Level 1

I have set up a Pix in my lab before I go live with it.

I set up the outside route and the NAT, and it worked fine for clients on the inside accessing the Internet. But when I configure the VPN and SSH connections, I'm not routing outside from the client. Can't even ping out from the client. No problems pinging out from the Pix. I know it's one little adjustment I did, but my brain is frozen.

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password xxxx
passwd xxxx
hostname bb-pix
domain-name bbking.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 192.168.1.111 255.255.255.0
ip address inside 172.16.1.20 255.255.248.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool dealer 172.16.0.200-172.16.0.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.248.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.1.1 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set AAADES esp-des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 set transform-set AAADES
crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER interface outside
isakmp enable outside
isakmp client configuration address-pool local dealer outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnclient address-pool dealer
vpngroup vpnclient dns-server 172.16.1.3
vpngroup vpnclient wins-server 172.16.1.3
vpngroup vpnclient default-domain bbking.com
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********
vpngroup bbking address-pool dealer
vpngroup bbking dns-server 172.16.1.3
vpngroup bbking wins-server 172.16.1.3
vpngroup bbking default-domain bbking.com
vpngroup bbking idle-time 1800
vpngroup bbking password ********
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 outside
ssh 172.16.0.0 255.255.248.0 inside
ssh timeout 30
console timeout 0
username xxx password xxx privilege 15
terminal width 80
Cryptochecksum:xxxx
: end

Thanks for the help

5 Replies

pcomeaux
Cisco Employee

Hey there -

Sounds like you are running into an issue where traffic arriving on the outside interface of the pix (by VPN client or SSH) is not able to leave the outside of the Pix.

If this is the case, the Pix cannot U-Turn or Hair-pin traffic on the same interface with 6.x versions or earlier.

Version 7.0 will allow this loophole to the security check the Pix does.

Hope this helps. If not, let me know I misunderstood and we can dig deeper from there.

thanks

peter

I don't need to go outbound from VPN Clients. Sorry, I must not have been clear enough. :)

Inside Interface 172.16.1.1

Client Behind 172.16.1.2 (not VPN'D client)

When I turn on the VPN settings and SSH settings, my client behind interface eth1 can no longer surf the Internet or ping beyond eth1.

Thanks for the reply

Ok, thanks for straightening out my understanding.

I'd like to start with understanding more what you are trying to do with your NAT configuration. Looks like you have both statics (no nat) and nat/global configured (nat occurs). Which are you looking to do?

thanks

peter

Here's an example that you might want to review:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

I would start by doing a couple of things a little differently.

1) I would use a range of addresses for the pool that is not included in my inside address space and either route it from whatever is doing L3 in my LAN environment or let the PIX route it.

2) You are doing a nat and a pass-through (identity nat), for lack of a better term. I'd drop the static (inside,outside) line if it were me. I think dropping the static will fix your immediate issue, but you could run into difficult-to-troubleshoot issues with the remote and local ends of the VPN being in the same space.
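To make the two points above checkable, here is a small audit script (added for this page, not from the thread or from Cisco) that scans PIX 6.x config text for an identity static that shadows a nat/global pair and for a VPN pool carved out of an interface's own subnet. The regexes cover only the command forms shown in the posted config, and the sample input is a constructed excerpt of that config with the secrets left out.

```python
import re
import ipaddress
# Constructed excerpt of the config posted in the question (same addresses).
SAMPLE_CONFIG = """
ip address outside 192.168.1.111 255.255.255.0
ip address inside 172.16.1.20 255.255.248.0
ip local pool dealer 172.16.0.200-172.16.0.254
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.248.0 0 0
"""

def net(addr, mask):
    # PIX writes "address mask"; ipaddress accepts a dotted netmask after "/".
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(text):
    """Collect interface subnets, pools, nat rules, global ids and statics."""
    ifaces, pools, nats, globals_, statics = {}, [], [], set(), []
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            ifaces[m[1]] = net(m[2], m[3])
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools.append((m[1], ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])))
        elif m := re.match(r"nat \((\S+)\) (\d+) (\d\S*) (\S+)", line):
            nats.append((m[1], m[2], net(m[3], m[4])))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            globals_.add((m[1], m[2]))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line):
            statics.append((m[1], m[2], m[3], m[4], m[5]))
    return ifaces, pools, nats, globals_, statics

def audit_pix_config(text):
    """Return findings for the two problems discussed in this thread."""
    ifaces, pools, nats, globals_, statics = parse(text)
    findings = []
    # 1. In the PIX NAT order of operations a static is matched before nat/global,
    #    so an identity static covering inside hosts sends them out untranslated.
    for in_if, out_if, gaddr, laddr, mask in statics:
        for nat_if, nat_id, nat_net in nats:
            if (gaddr == laddr and nat_if == in_if and nat_id != "0"
                    and (out_if, nat_id) in globals_ and net(laddr, mask).overlaps(nat_net)):
                findings.append(f"identity static {net(laddr, mask)} shadows "
                                f"nat ({nat_if}) {nat_id}: hosts leave {out_if} untranslated")
    # 2. A VPN pool taken from an interface's own subnet (Peter's point 1).
    for name, lo, hi in pools:
        for if_name, subnet in ifaces.items():
            if lo in subnet or hi in subnet:
                findings.append(f"pool {name} {lo}-{hi} overlaps {if_name} subnet {subnet}")
    return findings
```

Dropping the static line from the input clears the first finding, which matches what the original poster reports below; the pool overlap remains until the pool is moved to a range outside 172.16.0.0/21.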

Yes, the Static command was my issue with the outgoing access to the Internet.

Do you guys know of a better config I can use? I'm all ears for any advice. Or am I on the right track?

I really do appreciate both of your help.
