09-18-2012 12:17 PM
I can connect and ping with NetBIOS and DNS names, but nothing appears in Windows Explorer. I can navigate with \\server\share, but I want this to work like Cisco says it will.
This problem is all over Google and I need someone to help me fix it. This is such a common problem, surely someone at Cisco has a clue.
Pix 501
Win 2003 server
Result of firewall command: "sh config"
: Saved
: Written by enable_15 at 18:18:27.362 UTC Tue Sep 18 2012
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name axis.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list Axis-VPN_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 192.168.1.96 255.255.255.240
access-list outside_cryptomap_dyn_40 permit ip any 192.168.1.96 255.255.255.240
access-list outside_cryptomap_dyn_60 permit ip any 192.168.1.96 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 18.17.1.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-Pool 192.168.1.101-192.168.1.110 mask 255.255.255.0
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 18.17.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1300
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Axis-VPN address-pool VPN-Pool
vpngroup Axis-VPN dns-server 192.168.1.10
vpngroup Axis-VPN wins-server 192.168.1.10
vpngroup Axis-VPN default-domain axis.local
vpngroup Axis-VPN split-tunnel Axis-VPN_splitTunnelAcl
vpngroup Axis-VPN split-dns axis.local
vpngroup Axis-VPN idle-time 1800
vpngroup Axis-VPN password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.50-192.168.1.70 inside
dhcpd dns 167.206.112.138 167.206.7.4
dhcpd wins 192.168.1.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain axis.local
dhcpd auto_config outside
dhcpd enable inside
username dentest password 2bUGX7ZnEwBHIU2J encrypted privilege 15
terminal width 80
Cryptochecksum:b781be846bfe48c0d862036291e39811
09-18-2012 08:26 PM
Seems like your IP pool for the VPN is in the same subnet as your internal network, and the internal network will try to ARP for it.
Please modify the pool to be a unique subnet, for example: 192.168.8.0/24
ip local pool VPN-Pool 192.168.8.101-192.168.8.110 mask 255.255.255.0
Then add the following for NAT exemption:
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
And the match address for the vpn:
access-list outside_cryptomap_dyn_40 permit ip any 192.168.8.0 255.255.255.0
Lastly, "clear xlate" after the above changes.
09-19-2012 10:01 AM
How in the world could that work?
That puts me on 192.168.8.0 network and the remote lan that I VPN into is a 192.168.1.0 network.
Please explain why that would possibly work?
My IP is now 192.168.8.101.
I don't get it. How would changing my IP pool to an incorrect network help me connect?
Am I missing something here or is there more I have to do? because putting me on a different network just doesn't make sense.
09-19-2012 10:23 AM
...and naturally, I can't do anything on the remote LAN that I VPN to now. Before, with the correct IP pool, I could ping the servers, but not see them in Windows Explorer. Because they are 192.168.1.0 and I'm now 192.168.8.0.
Can anyone from Cisco please assist? Or explain why putting me on a different network would help?
09-19-2012 12:37 PM
The VPN client should be on a different subnet because when you are connected, it is connected to the outside interface, not the inside interface, hence it should be in a different subnet. It should be a routed subnet, not the same subnet, because if it's in the same subnet, the host just tries to ARP for it instead of routing it to the next hop.
So i assume that you added the NAT exemption access-list:
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
and the dynamic map acl?
To make it simple, please just remove the dynamic map ACLs:
no crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
no crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
Then test it again and if it works fine, you can add them back in and troubleshoot further if it doesn't work.
If the above changes still don't work, please share the following info:
1. Connect to the vpn client, and share a screenshot of the statistics and route page
2. On the PIX, share the output of:
show cry isa sa
show cry ipsec sa
3. Latest config after the changes.
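The two replies above make a routing argument (the pool must be a separate, routed subnet, and the nat 0 access-list must exempt inside-to-pool traffic). The following is an added check, not code from the thread or from Cisco, that runs that argument over the configuration lines posted here. The config excerpts are constructed from the two `sh config` outputs in this thread; the `client_lan` argument is an assumption added here, generalising the check to the client's own home LAN, which the later post about a duplicate .20 device suggests is also 192.168.1.0/24.

```python
"""Sanity checks for a PIX 6.x remote-access VPN pool, run over config text.

Added example (not from the thread). Findings are returned as strings; an
empty list means the checks passed.
  1. The pool must not overlap the inside interface subnet, otherwise inside
     hosts ARP for client addresses instead of routing them back to the PIX.
  2. The nat (inside) 0 access-list must exempt inside -> pool traffic.
  3. Optionally, neither the pool nor the remote LAN may overlap the VPN
     client's own local LAN (assumed input, see lead-in).
"""
import ipaddress

# Constructed inputs: the relevant lines from the two configurations posted
# in this thread (the original one, then the one after the pool change).
CONFIG_ORIGINAL = """\
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 192.168.1.96 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip local pool VPN-Pool 192.168.1.101-192.168.1.110 mask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

CONFIG_CHANGED = """\
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip local pool VPN-Pool 192.168.20.1-192.168.20.10
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""


def _addr_spec(tokens):
    """Consume one PIX ACL address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Extract the inside subnet, the VPN pool (as CIDR blocks) and the ACLs."""
    cfg = {"inside": None, "pool": [], "nat0": None, "acls": {}}
    for raw in text.splitlines():
        t = raw.split()
        if t[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")            # the 'mask ...' suffix is optional on PIX
            cfg["pool"] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        elif t[:3] == ["nat", "(inside)", "0"] and "access-list" in t:
            cfg["nat0"] = t[t.index("access-list") + 1]
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = _addr_spec(t[4:])
            dst, _ = _addr_spec(rest)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
    return cfg


def check_vpn_pool(text, client_lan=None):
    """Return a list of findings for the pool/NAT-exemption design in `text`."""
    cfg = parse_config(text)
    inside, pool = cfg["inside"], cfg["pool"]
    findings = []
    # 1. Pool addresses must be routed to the PIX, not ARPed for on the inside LAN.
    if any(n.overlaps(inside) for n in pool):
        findings.append("pool overlaps inside subnet %s" % inside)
    # 2. Every pool block needs a nat 0 entry whose source covers the inside
    #    subnet and whose destination covers the block.
    entries = cfg["acls"].get(cfg["nat0"], [])
    for n in pool:
        if not any(inside.subnet_of(src) and n.subnet_of(dst) for src, dst in entries):
            findings.append("no nat 0 exemption for inside -> %s" % n)
    # 3. Assumed extra input: the client's own LAN must not collide with the
    #    remote LAN or the pool, or the split-tunnel route is ambiguous.
    if client_lan is not None:
        client_lan = ipaddress.ip_network(client_lan)
        if inside.overlaps(client_lan):
            findings.append("remote LAN %s overlaps client's local LAN %s" % (inside, client_lan))
        if any(n.overlaps(client_lan) for n in pool):
            findings.append("pool overlaps client's local LAN %s" % client_lan)
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", CONFIG_ORIGINAL), ("changed", CONFIG_CHANGED)):
        print(name, check_vpn_pool(cfg, client_lan="192.168.1.0/24") or "OK")
```

On the original config the only finding is the pool/inside overlap; on the changed config the pool and NAT exemption pass, and what remains (once the client's LAN is given) is the overlap between the remote 192.168.1.0/24 and the client's own 192.168.1.0/24, which no change to the pool can fix.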
09-20-2012 08:09 AM
That didn't work. I can still connect, but can't do anything now, because I'm on a different IP scheme than the LAN I VPN into.
What you are telling me to do is making things worse. Before, I could at least ping the remote devices.
sh cry isa aa
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
sh cry ipsec sa
interface: outside
Crypto map tag: outside_map, local addr. 18.17.1.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.1/255.255.255.255/0/0)
current_peer: 96.250.177.237:51207
dynamic allocated peer ip: 192.168.20.1
PERMIT, flags={}
#pkts encaps: 36, #pkts encrypt: 36, #pkts digest 36
#pkts decaps: 36, #pkts decrypt: 36, #pkts verify 36
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 18.17.1.2, remote crypto endpt.: 96.250.177.237
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 1931e19b
inbound esp sas:
spi: 0x2e27fda2(774372770)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607995/28263)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1931e19b(422699419)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607996/28263)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
sh config
: Saved
: Written by enable_15 at 14:52:06.847 UTC Thu Sep 20 2012
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list Axis-VPN_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.20.0 255.255.255.240
access-list outside_cryptomap_dyn_40 permit ip any 192.168.20.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 18.17.1.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-Pool 192.168.20.1-192.168.20.10
pdm location 192.168.1.96 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 18.17.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Axis-VPN address-pool VPN-Pool
vpngroup Axis-VPN dns-server 192.168.1.10
vpngroup Axis-VPN wins-server 192.168.1.10
vpngroup Axis-VPN default-domain axis.local
vpngroup Axis-VPN split-tunnel Axis-VPN_splitTunnelAcl
vpngroup Axis-VPN idle-time 1800
vpngroup Axis-VPN password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.50-192.168.1.70 inside
dhcpd dns 167.206.112.138 167.206.7.4
dhcpd wins 192.168.1.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain axis.local
dhcpd auto_config outside
dhcpd enable inside
username dentest password 2bUGX7ZnEwBHIU2J encrypted privilege 15
username cmurcha password ouqdyA3s8ZAguJYz encrypted privilege 3
terminal width 80
Cryptochecksum:2e99cc37bcbfd86251743ef90668f379
Route Details from VPN client shows:
Local Lan Routes - blank
Secured Routes - 192.168.1.0 255.255.255.0
09-20-2012 08:24 AM
PDM returns these errors
The Cisco PDM did not understand the following commands while parsing the running configuration...
access-list outside_cryptomap_dyn_40 permit ip any 192.168.20.0 255.255.255.240
access-list outside_cryptomap_dyn_40 permit ip any 192.168.20.0 255.255.255.0
09-20-2012 02:46 PM
Why do things on my local LAN keep messing with the remote LAN?
Wasn't the point of me changing my IP pool so IPs wouldn't conflict?
I have duplicate IPs on both sides even though I changed my IP pool from 192.168.1.x to 192.168.20.1-10, and it causes a bit of havoc because one side has a printer at 192.168.1.20 and here there is also a .20 device.