Client connected to remote access VPN but got wrong default gateway

robert.huang
Level 1

Hi All,

 

I have been struggling for some days and really need some help here. My PC (192.168.254.x) is on the same VLAN as the outside interface (192.168.254.171) of my PIX 506E. When I launch the Cisco VPN client, my PC shows connected and gets the IP 10.9.0.150, which is expected. However, it also gets the gateway 10.9.0.1, which I have no idea where it comes from. Thus my PC can't access any internal network or external network.

 

I've listed my configuration below and highlighted the part that I typed in. PIX version 7.1(2) is the highest version I can install on PIX506E. Please help. Thanks a lot.

 

pixfirewall# sh run
: Saved
:
PIX Version 7.1(2)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted

names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.254.171 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted

boot system flash:/pix712.bin
ftp mode passive
pager lines 24
logging enable
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip local pool ROBERT-POOL 10.9.0.150-10.9.0.160 mask 255.255.255.0
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Robert-GP internal
group-policy Robert-GP attributes
 dns-server value 8.8.8.8
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username robert password yXUoa8oHzS0Ncp2O encrypted
username robert attributes
 vpn-group-policy Robert-GP

aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto dynamic-map DYN1 1 set transform-set MYSET
crypto dynamic-map DYN1 1 set reverse-route
crypto map MYMAP 1 ipsec-isakmp dynamic DYN1
crypto map MYMAP interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp nat-traversal  30
tunnel-group ROBERT-GROUP type ipsec-ra
tunnel-group ROBERT-GROUP general-attributes
 address-pool ROBERT-POOL
 default-group-policy Robert-GP
tunnel-group ROBERT-GROUP ipsec-attributes
 pre-shared-key *

telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
ssl encryption rc4-md5
Cryptochecksum:7157c6095f2abae2aae9e15c1caa81aa
: end
pixfirewall#

Accepted Solution

Did you disconnect from the VPN session after adding the new ACL to the outside interface and try it again?

 

Disconnect from the VPN session and try again, and if that does not work apply this line.

 

same-security-traffic permit intra-interface

 

show crypto ipsec sa

Please post this output.

Thanks

 

 


45 Replies

rizwanr74
Level 7

Hi Robert,

You are missing a NAT exemption.

 

Copy these two lines; they will fix your problem.


access-list nat0 extended permit ip 10.10.10.0 255.255.255.0 10.9.0.0 255.255.255.0


nat (inside) 0 access-list nat0

 

 

Thanks

Rizwan Rafeek

Thank you Rizwan for your reply.

 

I added the NAT statement but still got the same result. Please see the ipconfig /all output of my PC below.

 

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Cisco Systems VPN Adapter for 64-bit Windows
   Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::919c:fda:e42e:f9b9%24(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.9.0.150(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.9.0.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Are you able to ping inside the network ?

No, I'm not.

The only IP I can ping is the outside interface of the PIX, 192.168.254.171. I can't ping the inside interface 10.10.10.1.

Ok, please remove this line.

 

no crypto dynamic-map DYN1 1 set reverse-route

 

and try it, then let me know.

 

thanks

 

Removed "crypto dynamic-map DYN1 1 set reverse-route". Still got the same thing. My PC keeps getting the default gateway of 10.9.0.1. It's driving me nuts. Where does it come from?

 

I've attached the latest running-config, screenshots of Cisco VPN client and ipconfig of my pc.

I wouldn't worry too much about the default-gateway address; it may well be due to the old-version setup style, but it still does not answer the question of why you couldn't access the inside network.

I notice there is a global policy missing on your firewall.

Below is the default inspect policy found on Cisco firewalls, which I don't see in your firewall configuration.

- - - - - - - - - - - - - - - - - - - - - - - - -

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect http 
  inspect icmp

service-policy global_policy global

- - - - - - - - - - - - - - - - - - - - - - - - - 

Rizwan, Thank you again for your reply.

I don't know why that global policy is missing. I've added it and still I can't ping the inside interface or default gateway. I can only ping the outside interface.

I've attached the latest show ver and show run. I am wondering if you can SSH remotely to my PIX to take a look and also try Easy VPN from your end. I can give you full access. Thank you very much!

Robert Huang

Can you ping a host IP address inside the network (not the inside interface itself) instead?

When you have established a remote-in VPN session with your PIX, please issue these show commands and post the output.

show crypto isakmp sa

show crypto ipsec sa

 

 

Once my VPN gets connected,

1. My PC 10.9.0.150 can't ping the internal IP 10.10.10.10 and vice versa.

2. My firewall can ping 10.9.0.150.

I've listed all the information below.

pixfirewall# sh ip             
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0                outside                192.168.254.171 255.255.255.0   CONFIG
Ethernet1                inside                 10.10.10.1      255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0                outside                192.168.254.171 255.255.255.0   CONFIG
Ethernet1                inside                 10.10.10.1      255.255.255.0   manual
pixfirewall# ping 10.10.10.10  
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
pixfirewall#
pixfirewall# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.254.111
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
pixfirewall#
pixfirewall# sh crypto ipsec sa
interface: outside
    Crypto map tag: DYN1, seq num: 1, local addr: 192.168.254.171

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.9.0.150/255.255.255.255/0/0)
      current_peer: 192.168.254.111, username: robert
      dynamic allocated peer ip: 10.9.0.150

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 74, #pkts decrypt: 74, #pkts verify: 74
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.254.171, remote crypto endpt.: 192.168.254.111

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: E7BD277C

    inbound esp sas:
      spi: 0xAFA26657 (2946655831)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: DYN1
         sa timing: remaining key lifetime (sec): 28548
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xE7BD277C (3887933308)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: DYN1
         sa timing: remaining key lifetime (sec): 28547
         IV size: 8 bytes
         replay detection support: Y

pixfirewall# ping 10.9.0.150   
Sending 5, 100-byte ICMP Echos to 10.9.0.150, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/20 ms

Check the device itself at 10.10.10.10: whether Windows Firewall is enabled, and make sure that device has a proper gateway address pointing back to the firewall's inside address.

As far as your remote-access vpn is concerned I see traffic is flowing just fine.

- - - - - - - - - - - - - - - - - - - - - - - - - - - 

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

 #pkts decaps: 74, #pkts decrypt: 74, #pkts verify: 74

- - - - - - - - - - - - - - - - - - - - - - - - - - - 

Thanks

Rizwan Rafeek
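As an added illustration (not part of the thread), a small Python parser over the "sh crypto ipsec sa" counters quoted above. On Cisco IPsec, encaps counts packets the PIX encrypted towards the client and decaps counts packets it decrypted from the client, so 74 in against 5 out means the client's traffic arrives but almost no replies come back through the PIX, which is the signature of a return-path problem such as the wrong gateway on the inside host. The 1:4 ratio used to flag this is my own heuristic, not a Cisco figure.

```python
import re

# Constructed sample: the relevant part of the "sh crypto ipsec sa" output
# posted in this thread, with the counter values shown there.
SAMPLE_IPSEC_SA = """\
    Crypto map tag: DYN1, seq num: 1, local addr: 192.168.254.171

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.9.0.150/255.255.255.255/0/0)
      current_peer: 192.168.254.111, username: robert
      dynamic allocated peer ip: 10.9.0.150

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 74, #pkts decrypt: 74, #pkts verify: 74
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(r"#(pkts [a-z ]+?|send errors|recv errors): (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+), username: (\S+)")

# Heuristic (my assumption, not a Cisco figure): flag the SA when fewer than
# a quarter of the packets decrypted from the client are answered with
# packets encrypted back to it.
ASYMMETRY_RATIO = 0.25


def parse_ipsec_sa(text):
    """Extract peer, username and the #pkts/#errors counters from one SA block."""
    counters = {name.strip(): int(val) for name, val in COUNTER_RE.findall(text)}
    m = PEER_RE.search(text)
    peer, user = (m.group(1), m.group(2)) if m else (None, None)
    return {"peer": peer, "username": user, "counters": counters}


def diagnose(sa):
    """Classify an SA from its counters (encaps = sent to client, decaps = received)."""
    c = sa["counters"]
    encaps, decaps = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    if c.get("send errors", 0) or c.get("recv errors", 0):
        return "errors"
    if encaps == 0 and decaps == 0:
        return "no-traffic"
    if decaps > 0 and encaps < decaps * ASYMMETRY_RATIO:
        # Client traffic is decrypted fine but almost nothing goes back:
        # replies are not reaching the PIX (a routing/NAT issue behind it,
        # not a tunnel problem).
        return "asymmetric"
    return "healthy"


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_IPSEC_SA)
    print(sa["peer"], sa["username"], diagnose(sa))
```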

Hi Rizwan,

You're right. Device 10.10.10.10 has a wrong gateway. Once I set the gateway to 10.10.10.1, my VPN client (original IP 192.168.254.111, VPN IP 10.9.0.151) can successfully access the inside network 10.10.10.0/24.

However, my VPN client still cannot access any outside network. For instance, it can't ping the firewall default gateway 192.168.254.1. I didn't capture any packet on the FW outside interface when 10.9.0.151 was trying to ping/telnet 192.168.254.1 and 8.8.8.8.

The main purpose I set up the Easy VPN is to provide VPN service for my friends in another country, which has a very strict Internet policy. PPTP/L2TP/OpenVPN are blocked there. They don't need to access my internal network, but they do need access to all public websites like YouTube and Facebook.

I listed the routing table below when the easyVPN is established. Please help again. Thank you very much!

pixfirewall# sh route

S    0.0.0.0 0.0.0.0 [1/0] via 192.168.254.1, outside
S    10.9.0.151 255.255.255.255 [1/0] via 192.168.254.111, outside
C    10.10.10.0 255.255.255.0 is directly connected, inside
C    192.168.254.0 255.255.255.0 is directly connected, outside
pixfirewall#


If remote-in VPN clients need access to the Internet, then you just need these lines.

global (outside) 1 interface
nat (outside) 1 10.9.0.0 255.255.255.0

 

If remote-in VPN clients need access to subnets residing outside your PIX, then you would need a NAT exemption like below.
 
access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0 
nat (outside) 0 access-list nat0-out outside

 

Hope that answers your question.

Thanks

Hi Rizwan,

I followed your instructions but I still couldn't access either the outside subnet or the Internet. See below.

pixfirewall# sh run access-list
access-list nat0 extended permit ip 10.10.10.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0
pixfirewall#
pixfirewall# sh run nat
nat (outside) 0 access-list nat0-out
nat (outside) 1 10.9.0.0 255.255.255.0
nat (inside) 0 access-list nat0
pixfirewall#
pixfirewall# sh run global
global (outside) 1 interface
pixfirewall#

I got a warning when I typed in the nat statement.
pixfirewall(config)# nat (outside) 1 10.9.0.0 255.255.255.0
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing
.
pixfirewall(config)#

 

Show log when VPN client 10.9.0.151 is trying to ping 8.8.8.8:
8:42:38: %PIX-5-713120: Group = ROBERT-GROUP, Username = robert, IP = 192.168.254.111, PHASE 2 COMPLETED (msgid=90e630f0)
Jan 07 1993 08:42:39: %PIX-6-305011: Built dynamic UDP translation from outside:10.9.0.151/137 to outside:192.168.254.171/9
Jan 07 1993 08:42:39: %PIX-3-305005: No translation group found for udp src outside:10.9.0.151/137 dst outside:10.9.0.255/137
Jan 07 1993 08:42:41: %PIX-6-110001: No route to 239.255.255.250 from 10.9.0.151
Jan 07 1993 08:42:46: %PIX-3-305005: No translation group found for udp src outside:10.9.0.151/137 dst outside:10.9.0.255/137
Jan 07 1993 08:42:47: %PIX-6-305011: Built dynamic UDP translation from outside:10.9.0.151/138 to outside:192.168.254.171/10
Jan 07 1993 08:42:47: %PIX-3-305005: No translation group found for udp src outside:10.9.0.151/138 dst outside:10.9.0.255/138
Jan 07 1993 08:42:47: %PIX-6-305011: Built dynamic ICMP translation from outside:10.9.0.151/1536 to outside:192.168.254.171/5
Jan 07 1993 08:42:47: %PIX-6-302021: Teardown ICMP connection for faddr 10.9.0.151/1536 gaddr 8.8.8.8/0 laddr 8.8.8.8/0
Jan 07 1993 08:42:52: %PIX-3-305005: No translation group found for udp src outside:10.9.0.151/138 dst outside:10.9.0.255/138
Jan 07 1993 08:42:52: %PIX-5-713050: Group = ROBERT-GROUP, Username = robert, IP = 192.168.254.111, Connection terminated for peer robert.  Reason: Peer Terminate  Remote Proxy 10.9.0.151, Local Proxy 0.0.0.0
Jan 07 1993 08:42:52: %PIX-4-113019: Group = ROBERT-GROUP, Username = robert, IP = 192.168.254.111, Session disconnected. Session Type: IPSec, Duration: 0h:00m:14s, Bytes xmt: 0, Bytes rcv: 2855, Reason: User Requested
Jan 07 1993 08:42:52: %PIX-6-602304: IPSEC: An inbound remote access SA (SPI= 0x8CF8662C) between 192.168.254.171 and 192.168.254.111 (user= robert) has been deleted.
Jan 07 1993 08:42:52: %PIX-6-602304: IPSEC: An outbound remote access SA (SPI= 0x1230E6AB) between 192.168.254.171 and 192.168.254.111 (user= robert) has been deleted.
Jan 07 1993 08:42:52: %PIX-5-713904: IP = 192.168.254.111, Received encrypted packet with no matching SA, dropping

The latest running-config is shown below.
pixfirewall# sh run
: Saved
:
PIX Version 7.1(2)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.254.171 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix712.bin
ftp mode passive
access-list nat0 extended permit ip 10.10.10.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip local pool ROBERT-POOL 10.9.0.150-10.9.0.160 mask 255.255.255.0
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list nat0-out
nat (outside) 1 10.9.0.0 255.255.255.0
nat (inside) 0 access-list nat0
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Robert-GP internal
group-policy Robert-GP attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username robert password yXUoa8oHzS0Ncp2O encrypted
username robert attributes
 vpn-group-policy Robert-GP
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto dynamic-map DYN1 1 set transform-set MYSET
crypto map MYMAP 1 ipsec-isakmp dynamic DYN1
crypto map MYMAP interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp nat-traversal  30
tunnel-group ROBERT-GROUP type ipsec-ra
tunnel-group ROBERT-GROUP general-attributes
 address-pool ROBERT-POOL
 default-group-policy Robert-GP
tunnel-group ROBERT-GROUP ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect icmp
!
service-policy global_policy global
ssl encryption rc4-md5
Cryptochecksum:7351e447f85b5948361b649183a9c53d
: end
pixfirewall#
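As an added example (not from the thread), a Python pass over PIX syslog lines like the ones posted above. It splits each line into severity, message id and text, counts message ids, and flags 305005 "No translation group found" messages whose ingress and egress interface are the same, which is the pattern to check for when VPN clients terminating on the outside interface must be sent back out of that same interface. The sample lines are copied from the post; the 1993 timestamps are as the device printed them.

```python
import re
from collections import Counter

# Sample lines copied from the PIX syslog posted in this thread.
SAMPLE_LOG = """\
Jan 07 1993 08:42:39: %PIX-6-305011: Built dynamic UDP translation from outside:10.9.0.151/137 to outside:192.168.254.171/9
Jan 07 1993 08:42:39: %PIX-3-305005: No translation group found for udp src outside:10.9.0.151/137 dst outside:10.9.0.255/137
Jan 07 1993 08:42:41: %PIX-6-110001: No route to 239.255.255.250 from 10.9.0.151
Jan 07 1993 08:42:47: %PIX-6-305011: Built dynamic ICMP translation from outside:10.9.0.151/1536 to outside:192.168.254.171/5
Jan 07 1993 08:42:47: %PIX-6-302021: Teardown ICMP connection for faddr 10.9.0.151/1536 gaddr 8.8.8.8/0 laddr 8.8.8.8/0
Jan 07 1993 08:42:52: %PIX-3-305005: No translation group found for udp src outside:10.9.0.151/138 dst outside:10.9.0.255/138
"""

# %PIX-<severity>-<message id>: <text>
MSG_RE = re.compile(r"%PIX-(\d)-(\d{6}): (.*)$")
# "src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port>" as printed by 305005
FLOW_RE = re.compile(r"src (\w+):([\d.]+)/\d+ dst (\w+):([\d.]+)/\d+")


def parse_line(line):
    """Split one syslog line into severity, message id and message text."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {"severity": int(m.group(1)), "id": m.group(2), "text": m.group(3)}


def count_by_id(log):
    """Frequency of each message id: a quick view of what the box complains about."""
    return Counter(msg["id"] for msg in map(parse_line, log.splitlines()) if msg)


def hairpin_nat_failures(log):
    """(src, dst) pairs from 305005 whose ingress and egress interface are identical.

    A VPN client terminating on 'outside' and heading back out of 'outside'
    is exactly such a flow; without a NAT rule or exemption that matches that
    interface pair the PIX logs 305005 and drops the packet.
    """
    hits = []
    for msg in map(parse_line, log.splitlines()):
        if not msg or msg["id"] != "305005":
            continue
        f = FLOW_RE.search(msg["text"])
        if f and f.group(1) == f.group(3):
            hits.append((f.group(2), f.group(4)))
    return hits


if __name__ == "__main__":
    print(count_by_id(SAMPLE_LOG))
    for src, dst in hairpin_nat_failures(SAMPLE_LOG):
        print(f"untranslated same-interface flow {src} -> {dst}")
```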