03-04-2005 02:46 PM - edited 02-20-2020 11:59 PM
I have set up a PIX in my lab before I go live with it.
I set up the outside route and the NAT and it worked fine from clients on the inside accessing the Internet. But when I configure the VPN and SSH connections I'm not routing outside from the client. Can't even ping out from the client. No problems pinging out from the PIX. I know it's one little adjustment I did, but my brain is frozen.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password xxxx
passwd xxxx
hostname bb-pix
domain-name bbking.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 192.168.1.111 255.255.255.0
ip address inside 172.16.1.20 255.255.248.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool dealer 172.16.0.200-172.16.0.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.248.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.1.1 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set AAADES esp-des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 set transform-set AAADES
crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER interface outside
isakmp enable outside
isakmp client configuration address-pool local dealer outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnclient address-pool dealer
vpngroup vpnclient dns-server 172.16.1.3
vpngroup vpnclient wins-server 172.16.1.3
vpngroup vpnclient default-domain bbking.com
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********
vpngroup bbking address-pool dealer
vpngroup bbking dns-server 172.16.1.3
vpngroup bbking wins-server 172.16.1.3
vpngroup bbking default-domain bbking.com
vpngroup bbking idle-time 1800
vpngroup bbking password ********
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 outside
ssh 172.16.0.0 255.255.248.0 inside
ssh timeout 30
console timeout 0
username xxx password xxx privilege 15
terminal width 80
Cryptochecksum:xxxx
: end
Thanks for the help
03-04-2005 04:04 PM
Hey there -
Sounds like you are running into an issue where traffic arriving on the outside interface of the PIX (by VPN client or SSH) is not able to leave the outside of the PIX.
If this is the case, the PIX cannot U-turn or hairpin traffic on the same interface with 6.x versions or earlier.
Version 7.0 will allow this loophole to the security check the Pix does.
Hope this helps. If not, let me know I misunderstood and we can dig deeper from there.
thanks
peter
03-04-2005 04:33 PM
I don't need to go outbound from VPN clients. Sorry, I must not have been clear enough. :)
Inside Interface 172.16.1.1
Client Behind 172.16.1.2 (not VPN'D client)
When I turn on the VPN settings and SSH settings, my client behind interface eth1 can no longer surf the Internet or ping beyond eth1.
Thanks for the reply
03-06-2005 05:17 PM
OK, thanks for straightening out my understanding.
I'd like to start with understanding more what you are trying to do with your NAT configuration. Looks like you have both statics (no NAT) and nat/global configured (NAT occurs). Which are you looking to do?
thanks
peter
Here's an example that you might want to review:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml
03-06-2005 05:48 PM
I would start by doing a couple of things a little differently.
1) I would use a range of addresses for the pool that is not included in my inside address space and either route it from whatever is doing L3 in my LAN environment or let the PIX route it.
2) You are doing a NAT and a pass-through (identity NAT), for lack of a better term. I'd drop the static (inside,outside) line if it were me. I think dropping the static will fix your immediate issue, but you could run into difficult-to-troubleshoot issues with the remote and local ends of the VPN being in the same space.
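To make the two points in this reply checkable against the config posted above, here is an added example (my own script, not from the thread, Cisco, or the PIX itself). It parses only the `ip address`, `ip local pool`, `static` and `nat` lines of a PIX 6.x config and flags an identity static that overlaps a nat/global source range, and a VPN pool carved out of the inside subnet. The function names `parse_pix` and `audit_config` are mine, the original fragment is copied from the post, and the corrected fragment's pool range is a hypothetical value chosen to sit outside 172.16.0.0/21.

```python
"""Audit a PIX 6.x config fragment for the two NAT/VPN pitfalls raised above.
Constructed example; not Cisco tooling."""
import ipaddress
import re

# Constructed sample: the address, pool, nat and static lines from the posted config.
ORIGINAL_CONFIG = """\
ip address outside 192.168.1.111 255.255.255.0
ip address inside 172.16.1.20 255.255.248.0
ip local pool dealer 172.16.0.200-172.16.0.254
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.248.0 0 0
"""

# Constructed corrected fragment: static dropped, pool moved out of the inside /21.
# The pool range 172.16.100.1-172.16.100.50 is a hypothetical choice for this example.
CORRECTED_CONFIG = """\
ip address outside 192.168.1.111 255.255.255.0
ip address inside 172.16.1.20 255.255.248.0
ip local pool dealer 172.16.100.1-172.16.100.50
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""


def parse_pix(config):
    """Extract interface subnets, local pools, statics and nat statements."""
    facts = {"interfaces": {}, "pools": {}, "statics": [], "nats": []}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip address (\S+) (\S+) (\S+)$", line)
        if m:
            facts["interfaces"][m.group(1)] = ipaddress.ip_network(
                f"{m.group(2)}/{m.group(3)}", strict=False)
            continue
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line)
        if m:
            facts["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                          ipaddress.ip_address(m.group(3)))
            continue
        # static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
        m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line)
        if m:
            facts["statics"].append({
                "real_if": m.group(1), "mapped_if": m.group(2),
                "mapped": ipaddress.ip_network(f"{m.group(3)}/{m.group(5)}", strict=False),
                "real": ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False),
            })
            continue
        m = re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line)
        if m:
            facts["nats"].append({
                "if": m.group(1), "id": int(m.group(2)),
                "net": ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False),
            })
    return facts


def overlaps(first, last, net):
    """True if the address range first..last shares any address with net."""
    return int(first) <= int(net.broadcast_address) and int(last) >= int(net.network_address)


def audit_config(config):
    """Return (code, message) findings for the two pitfalls discussed in the thread."""
    facts = parse_pix(config)
    findings = []
    # 1) Identity static (mapped == real) covering a source that a nat rule also matches.
    #    As the thread concludes, the static wins over nat/global for that range, so those
    #    hosts leave untranslated instead of being PAT'd to the outside interface address.
    for s in facts["statics"]:
        if s["mapped"] != s["real"]:
            continue
        for n in facts["nats"]:
            if n["if"] == s["real_if"] and n["id"] != 0 and n["net"].overlaps(s["real"]):
                findings.append(("IDENTITY_STATIC_SHADOWS_NAT",
                                 f"static for {s['real']} on {s['real_if']} overrides "
                                 f"nat ({n['if']}) {n['id']} {n['net']}"))
    # 2) VPN pool drawn from the directly connected inside subnet (point 1 of the reply).
    inside = facts["interfaces"].get("inside")
    for name, (first, last) in facts["pools"].items():
        if inside is not None and overlaps(first, last, inside):
            findings.append(("POOL_OVERLAPS_INSIDE",
                             f"pool {name} {first}-{last} lies inside {inside}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, audit_config(cfg) or "no findings")
```

Running it against the posted fragment reports both findings; against the corrected fragment it reports none, which matches the outcome the original poster confirms later in the thread.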
03-07-2005 09:03 AM
Yes, the static command was my issue with the outgoing access to the Internet.
Do you guys know of a better config I can use? I'm all ears for any advice. Or am I on the right track?
I really do appreciate the help from both of you.