12-12-2006 09:56 PM
Hi netpro:
I have some trouble when I configure a PIX 515 for the VPN client. The VPN client can establish a tunnel with the PIX and it gets an address from the PIX pool, but the client can't ping the hosts in the DMZ or the PIX's DMZ interface.
The config:
vpn# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security90
nameif ethernet3 intf3 security6
enable password xxx
passwd xxx
hostname vpn
domain-name comac.com
access-list 120 permit host 23.x.x.43
access-list 120 permit host 23.x.x.2
access-list acl_dmz permit tcp any any eq telnet
access-list acl_dmz permit icmp any any
access-list 102 permit ip 211.x.x.0 255.255.255.128 192.168.1.0 255.255.255.0
pager lines 24
logging console emergencies
logging monitor emergencies
logging buffered emergencies
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
ip address outside 211.x.x.2xx 255.255.255.248
ip address inside 23.1.x.x.255.248.0
ip address dmz 211.99.71.1xx 255.255.255.128
no ip address intf3
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.1.0-192.168.1.100 mask 255.255.255.0
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address intf3
pdm history enable
arp timeout 14400
global (outside) 1 211.99.71.2xx
nat (inside) 1 23.1.161.2 255.255.255.255 0 0
nat (inside) 1 23.1.164.67 255.255.255.255 0 0
nat (inside) 1 23.1.x.x.255.255.255 0 0
nat (inside) 1 23.1.x.x.255.255.255 0 0
nat (dmz) 0 access-list 102
access-group acl_dmz in interface dmz
conduit permit icmp any any
route outside 0.0.0.0 0.0.x.x.99.71.254 1
route dmz 23.1.0.x.x.0.0 211.99.71.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set comacset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set comacset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap client authentication LOCAL
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mobilevpn address-pool vpnpool
vpngroup mobilevpn dns-server 23.1.160.144
vpngroup mobilevpn idle-time 900
vpngroup mobilevpn password ********
telnet 23.1.x.x.255.255.255 inside
telnet 23.1.x.x.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
12-15-2006 04:11 AM
Hello,
No wonder you are not able to ping the dmz int from the VPN client. You do not have the man dmz command in the PIX.
man
It looks like the inside network does not have a route to 192.168.1.0/24 back to the dmz int.
You have mixed and matched the configuration for the Cisco Secure VPN Client (old) with that for the Cisco VPN 3000 Client (new). If you have downloaded the VPN client recently then it has to be the Cisco VPN 3000 Client.
Please clean the configuration
Sysopt pl-compatible is a dangerous command for IPsec to be in the configuration. It is for older PIX OS rather than the newer 6.3.x; it will make the NAT part and the ASA features of the PIX OS useless for the IPsec traffic. You do not need that.
Also you do not need
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
This is for older VPN clients.
The isakmp key * address 0 netmask 0 is also used for dynamic-to-static IPsec L2L tunnels, but I do not see any dynamic L2L tunnels in the configuration either.
Please clean the configuration.
In summary:
You would need man dmz to ping the dmz int.
You would need a route in the network for 192.168.1.0 pointing to dmz int of the pix to talk to the clients.
Always remove the passwords from the configuration before posting.
Regards
Vikas
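As an added illustration (not part of the thread and not written by either poster), here is what the relevant part of the PIX 6.3 configuration looks like after applying the points above: the legacy client commands and pl-compatible are removed, the DMZ interface is made reachable over the tunnel, and the DMZ-side return route is noted. The pre-shared key and the PIX DMZ address are placeholders, and the IOS route at the end is an assumption about what the DMZ router runs; everything else uses commands that exist in PIX 6.3.

```cisco
! --- Remove the old-client and dangerous settings ---
no sysopt ipsec pl-compatible
no crypto map vpnmap client configuration address initiate
no crypto map vpnmap client configuration address respond
! the real key must be given to remove a wildcard isakmp key (placeholder below)
no isakmp key <PRESHARED-KEY-PLACEHOLDER> address 0.0.0.0 netmask 0.0.0.0

! --- Keep what the Cisco VPN Client (3000-style) actually uses ---
sysopt connection permit-ipsec
crypto ipsec transform-set comacset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set comacset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client authentication LOCAL
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mobilevpn address-pool vpnpool
vpngroup mobilevpn dns-server 23.1.160.144
vpngroup mobilevpn idle-time 900
vpngroup mobilevpn password <GROUP-PASSWORD-PLACEHOLDER>

! --- Let tunnelled clients ping/manage the DMZ interface ("man dmz") ---
management-access dmz

! --- Exempt DMZ <-> pool traffic from NAT (already present in the posted config) ---
access-list 102 permit ip 211.x.x.0 255.255.255.128 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list 102

! --- Return path: the DMZ-side router must know how to reach the pool.
! Assumed IOS syntax on the router at 211.99.71.126; <PIX-DMZ-ADDRESS> is the
! PIX dmz interface address (masked as 211.99.71.1xx in the post).
!   ip route 192.168.1.0 255.255.255.0 <PIX-DMZ-ADDRESS>
```

Without the return route, a DMZ host whose default gateway is the router rather than the PIX answers the client's ping toward the router, which has no path for 192.168.1.0/24; with it, replies come back to the PIX DMZ interface and are matched by the nat 0 exemption and the existing ipsec tunnel.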
12-20-2006 03:32 AM
Hi Vikas, thanks for your help, I resolved the problem.
12-20-2006 04:34 AM
Hello,
How did you solve it?
Regards
Vikas