Cannot get traffic across PIX VPN

mjhagen
Level 1

I have set up IPSec on a PIX 515 running 6.1(2) exactly as the documentation states. I can connect to the PIX using VPN Client 3.1 but I am not able to connect to or ping anything on the inside network. Below is my PIX config:

access-list 101 permit ip 171.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
ip address outside x.x.x.x 255.255.255.128
ip address inside 172.16.1.254 255.255.255.0
ip local pool vpnclients 172.16.2.100-172.16.2.150
global (outside) 1 x.x.x.x
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp client configuration address-pool local vpnclients outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool vpnclients
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
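Editorial note on the config above (added here, not part of mjhagen's post or of any reply): access-list 101 names 171.16.1.0/24 as the protected network, but the inside interface is 172.16.1.254/24. Because that ACL drives nat (inside) 0, replies from inside hosts to the 172.16.2.x client pool never match the exemption; they fall through to nat (inside) 1, are translated to the global (outside) address before the crypto map is consulted, and so never enter the tunnel. Because the same ACL is also the split-tunnel list, the client is told to tunnel 171.16.1.0/24 rather than the real inside network, so its packets toward 172.16.1.x are sent in the clear. The fragment below is the one-line correction; everything else in the posted config is left as is.

```cisco
! Added editorial correction (not from the original post). Only the ACL line changes;
! the third octet in the posted line (171.16.1.0) does not match the inside network.
!
! As posted:
!   access-list 101 permit ip 171.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
!
! Corrected: the inside network is 172.16.1.0/24 (ip address inside 172.16.1.254 255.255.255.0)
no access-list 101 permit ip 171.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 101 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
!
! Both consumers of the ACL are unchanged and now refer to the right network:
nat (inside) 0 access-list 101
vpngroup vpn3000 split-tunnel 101
!
! Flush any translations built while the wrong ACL was in place, then reconnect the client.
clear xlate
```

After the client reconnects, its split-tunnel list should show 172.16.1.0/24, and a ping from the client to an inside host should raise both the encaps and decaps counters in `show crypto ipsec sa`.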

17 Replies

Okay...how come I can PING BUT DO NOTHING ELSE? Does that not mean that the VPN connection is up and running, but what else could it be???

I am running Cisco 3.5 VPN client and I can get the connection up but I can do nothing else! I can ping but I cannot telnet or map a drive. It keeps telling me no network path found...

What do I need to do? I don't have a WINS server or anything.

I have an access-list that lets tcp and ip go through and it seems to be working (at least slightly) because I can ping, but nothing else works...

Any thoughts?

If you try to map a drive by using the ip address what does it do?

What connection do you use? Is there an intermediate device doing NAT on the client side? Try to disconnect the VPN connection, then do an ipconfig /release, then connect the VPN connection again, and then try to map the IP address to a drive letter again.

Also do you have the nat (inside) 0 statement on your PIX?

When I try to map a drive I get the "Network path not found" error.

I use a cable modem with the Cisco 3.5 Unity client on it to connect. The log file shows us connected and we get an IP address and I can ping all the devices on the network but I can't do anything else (telnet, map a drive, etc)

On the network I am VPN'ing to, I have the nat (inside) 0 statement and I also have the access-list in there...let me show you my config:

access-list 101 permit ip 192.168.0.0 255.255.0.0 20.0.0.0 255.255.255.0
ip local pool clientpool 20.0.0.1-20.0.0.254
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto dynamic-map users 11 set transform-set strong
crypto map remote 11 ipsec-isakmp dynamic users
crypto map remote client configuration address initiate
crypto map remote client configuration address respond
crypto map remote interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local clientpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 3600
vpngroup xpclient address-pool clientpool
vpngroup xpclient idle-time 1800
vpngroup xpclient password ********

(I only posted the config that I thought would be useful...I can post it all if you want!)

Thanks for your help!
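Added diagnostic sequence, written for this thread rather than taken from it, that applies to both configs above: it separates "the tunnel only carries ICMP" from "the tunnel carries the TCP SYN but nothing comes back". Run it on the PIX while the client attempts telnet or a drive mapping by IP address. The client address 20.0.0.5 and inside host 192.168.1.10 are assumed placeholders taken from the second poster's ranges; substitute real addresses.

```cisco
! Added diagnostic sequence (editorial, not from the thread). Assumed: a client that
! received 20.0.0.5 from clientpool, an inside host at 192.168.1.10.
!
! 1. Does the tunnel carry the TCP attempt, or only ICMP?
!    Run before and after the client tries "telnet 192.168.1.10" or "net use X: \\192.168.1.10\share".
!    Both "#pkts encaps" and "#pkts decaps" for the SA with remote ident 20.0.0.5/32
!    must grow; if only decaps grows, replies are leaving the PIX some other way.
show crypto ipsec sa
!
! 2. Are replies being translated instead of exempted (nat 0 not matching)?
!    An entry translating 192.168.x.x to the outside address for traffic toward
!    20.0.0.5 means the reply was PAT'd through nat (inside) 1 and never matched the SA.
show xlate
!
! 3. Does the inside host answer the SYN at all?
!    Look for TCP entries between 20.0.0.5 and 192.168.1.10:139 or :445 (SMB) or :23 (telnet).
!    An entry that never reaches the established state (no U flag, byte count stays 0)
!    means the SYN was delivered but no SYN/ACK came back: a host firewall on the inside
!    host, or the host has no route back to 20.0.0.0/24 via the PIX. The pool is not on
!    the inside subnet, so inside hosts whose default gateway is not the PIX need a route for it.
show conn
!
! 4. Confirm the NAT-exemption ACL is being hit by the reply direction at all.
show access-list 101
```

If step 1 shows the TCP packets are encrypted and step 3 shows completed handshakes, the PIX and the tunnel are fine and the remaining difference between ping and SMB lies on the client side or in the path (large packets not making it through the tunnel while small ICMP echoes do), which is a separate check outside this config.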