cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7727
Views
0
Helpful
45
Replies

Client connected to remote access VPN but got wrong default gateway

robert.huang
Level 1
Level 1

Hi All,

 

I have been struggling for some days and really need some help here. My PC (192.168.254.x) is on the same vlan with outside interface (192.168.254.171) of my PIX506E. When I launch the Cisco VPN client, my PC shows connected and gets the IP of 10.9.0.150 which is expected. However, it also gets the gateway of 10.9.0.1 which I have no idea where it comes from. Thus my PC can't access any internal  network or external network.

 

I've listed my configuration below and highlighted the part that I typed in. PIX version 7.1(2) is the highest version I can install on PIX506E. Please help. Thanks a lot.

 

pixfirewall# sh run
: Saved
:
PIX Version 7.1(2)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted

names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.254.171 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted

boot system flash:/pix712.bin
ftp mode passive
pager lines 24
logging enable
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip local pool ROBERT-POOL 10.9.0.150-10.9.0.160 mask 255.255.255.0
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Robert-GP internal
group-policy Robert-GP attributes
 dns-server value 8.8.8.8
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username robert password yXUoa8oHzS0Ncp2O encrypted
username robert attributes
 vpn-group-policy Robert-GP

aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto dynamic-map DYN1 1 set transform-set MYSET
crypto dynamic-map DYN1 1 set reverse-route
crypto map MYMAP 1 ipsec-isakmp dynamic DYN1
crypto map MYMAP interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp nat-traversal  30
tunnel-group ROBERT-GROUP type ipsec-ra
tunnel-group ROBERT-GROUP general-attributes
 address-pool ROBERT-POOL
 default-group-policy Robert-GP
tunnel-group ROBERT-GROUP ipsec-attributes
 pre-shared-key *

telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
ssl encryption rc4-md5
Cryptochecksum:7157c6095f2abae2aae9e15c1caa81aa
: end
pixfirewall#

45 Replies 45

I just tested with "same-security-traffic permit inter-interface". My VPN client 10.9.0.151 (original IP 192.168.254.111) still can't ping inside host 10.10.10.10. If I disconnect the VPN, the original IP can ping 10.10.10.10.10 without any problem which proves the end host 10.10.10.10 has correct gateway. I guess there is a problem with the access list. Again, VPN client can ping outside subnet and public IPs.

pixfirewall# sh run access-list
access-list nat0 extended permit ip 10.10.10.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list nat-out extended permit ip 10.9.0.0 255.255.255.0 any
access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nat0-out extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit icmp any any echo
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any unreachable
pixfirewall#
pixfirewall# sh run access-group
access-group outside-in in interface outside
pixfirewall#
pixfirewall# sh run nat
nat (outside) 0 access-list nat0-out
nat (outside) 1 access-list nat-out outside
nat (inside) 0 access-list nat0
pixfirewall#
pixfirewall# sh run global
global (outside) 1 interface
pixfirewall#
pixfirewall# sh run
: Saved
:
PIX Version 7.1(2)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix712.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list nat0 extended permit ip 10.10.10.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list nat-out extended permit ip 10.9.0.0 255.255.255.0 any
access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nat0-out extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit icmp any any echo
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any unreachable
pager lines 24
logging enable
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip local pool ROBERT-POOL 10.9.0.150-10.9.0.160 mask 255.255.255.0
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list nat0-out
nat (outside) 1 access-list nat-out outside
nat (inside) 0 access-list nat0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Robert-GP internal
group-policy Robert-GP attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username robert password yXUoa8oHzS0Ncp2O encrypted
username robert attributes
 vpn-group-policy Robert-GP
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto dynamic-map DYN1 1 set transform-set MYSET
crypto map MYMAP 1 ipsec-isakmp dynamic DYN1
crypto map MYMAP interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
tunnel-group ROBERT-GROUP type ipsec-ra
tunnel-group ROBERT-GROUP general-attributes
 address-pool ROBERT-POOL
 default-group-policy Robert-GP
tunnel-group ROBERT-GROUP ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect icmp
!
service-policy global_policy global
ssl encryption rc4-md5
Cryptochecksum:0c6e2dbc774f2a63ac09ce94a2a974a0
: end
pixfirewall#

Can you please remove this user's profile attributes and try it.

 

username robert attributes
 no vpn-group-policy Robert-GP

Just executed "no vpn-group-policy Robert-GP" under Robert's attributes. Still got same thing. I can ping outside subnet and internet. But I can't ping inside host 10.10.10.10.

Can you remove the no-nat line below.

no nat (inside) 0 access-list nat0

and try it?

 

Just excuted  "no nat (inside) 0 access-list nat0". Same problem. I can ping outside subnet and internet. But I can't ping inside host 10.10.10.10. This IP of 10.10.10.10 is pingable by 192.168.254.111 when VPN gets disconnected.

pixfirewall# sh run nat
nat (outside) 0 access-list nat0-out
nat (outside) 1 access-list nat-out outside
pixfirewall# sh run nat
nat (outside) 0 access-list nat0-out
nat (outside) 1 access-list nat-out outside
pixfirewall#
pixfirewall# sh run access-list
access-list nat0 extended permit ip 10.10.10.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list nat-out extended permit ip 10.9.0.0 255.255.255.0 any
access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nat0-out extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit icmp any any echo
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any unreachable
pixfirewall#
pixfirewall# sh run global
global (outside) 1 interface
pixfirewall#

Reboot your PIX and then remote in.

Ping inside host

show crypto ipsec sa

 

post your output.

 

Reloaded the PIX. Please see below. Sorry I can't test between 8am-5pm EST. Have to go to work.

pixfirewall# sh crypto ipsec sa
interface: outside
    Crypto map tag: DYN1, seq num: 1, local addr: 192.168.254.171

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.9.0.150/255.255.255.255/0/0)
      current_peer: 192.168.254.111, username: robert
      dynamic allocated peer ip: 10.9.0.150

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.254.171, remote crypto endpt.: 192.168.254.111

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 9D6770BF

    inbound esp sas:
      spi: 0x69308CDD (1764789469)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: DYN1
         sa timing: remaining key lifetime (sec): 28661
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x9D6770BF (2640801983)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: DYN1
         sa timing: remaining key lifetime (sec): 28660
         IV size: 8 bytes
         replay detection support: Y

pixfirewall#

As you can see, traffic is entering in via the remote-in connection and it is being decrypted, there is no return traffic is going back to remote-in tunnel peer.

- -- - -- - - - - -- - - -- - - -- - - - - - - -- - - - - - -

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19

- -- - -- - - - - -- - - -- - - -- - - - - - - -- - - - - - -

so create a capture on the firewall, whether you can see return traffic is coming back to firewall inside interface.

Capture must be applied to inside interface.

access-list rhuang extended permit ip 10.9.0.0 255.255.255.0 host 10.10.10.10
access-list rhuang extended permit host 10.10.10.10 10.9.0.0 255.255.255.0 

capture rhcapt access-list rhuang interface inside

now send traffic from vpn-clint to inside host.

last issue this command and exec mode

show capture rhcapt 

 

 

 

o packet was captured when my VPN client 10.9.0.150 trying to ping 10.10.10.10.

pixfirewall# sh run access-list
access-list nat0 extended permit ip 10.10.10.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list nat-out extended permit ip 10.9.0.0 255.255.255.0 any
access-list nat0-out extended permit ip 10.9.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nat0-out extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit ip 192.168.254.0 255.255.255.0 10.9.0.0 255.255.255.0
access-list outside-in extended permit icmp any any echo
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any unreachable
access-list rhuang extended permit ip 10.9.0.0 255.255.255.0 host 10.10.10.10
access-list rhuang extended permit ip host 10.10.10.10 10.9.0.0 255.255.255.0
pixfirewall#
pixfirewall#
pixfirewall# sh cap
capture rhcapt type raw-data access-list rhuang interface inside
pixfirewall#   
pixfirewall# sh cap rhcapt     
0 packet captured
0 packet shown
pixfirewall#
pixfirewall# sh cryp ipse sa
interface: outside
    Crypto map tag: DYN1, seq num: 1, local addr: 192.168.254.171

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.9.0.150/255.255.255.255/0/0)
      current_peer: 192.168.254.111, username: robert
      dynamic allocated peer ip: 10.9.0.150

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 11
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.254.171, remote crypto endpt.: 192.168.254.111

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: CEB9AA2C

    inbound esp sas:
      spi: 0x1EABC711 (514574097)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: DYN1
         sa timing: remaining key lifetime (sec): 28571
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xCEB9AA2C (3468274220)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: DYN1
         sa timing: remaining key lifetime (sec): 28568
         IV size: 8 bytes
         replay detection support: Y

pixfirewall#
pixfirewall# sh cap rhcapt 
0 packet shown
pixfirewall#

I am not so sure, why you cannot see the capture, even though we can see, 11 packets were decrypted.

Your configuration is just fine.

Save your configuration to a text file and "wr erase" everything on your PIX and build it from the scratch.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

 

Just rebuilt the PIX from scratch. Still the same thing. The VPN IP 10.9.0.150 (original IP 192.168.254.111) can ping outside subnet and internet. But it can't ping inside host 10.10.10.10. This IP 10.10.10.10 is pingable by 192.168.254.111 when VPN gets disconnected.

I attached the latest show run.

I would suggest you to try with different device.

old device, cause unpredictable behaviors, this isn't a first time for me.

 

thanks

 

Hi Rizwan,

I've rated your answers. Thank you very much for your time.

Regards,

Robert

Hi Robert,

 

Try this line and let me know.

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

 

thanks 

Didn't work. Once I added "static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0". I can't ping 10.10.10.10. Further more, I even lost accessing outside subnet 192.168.254.0/24. Decrypted packets keep increasing and there is no encrypted packets for destination 10.10.10.0/24 and 192.168.254.0/24. Ping public IP like www.google.ca is OK.

Once I remove the line, accessing tside subnet 192.168.254.0/24 and public IP is OK.