424 Views | 0 Helpful | 3 Replies

PIX - 1760 VPN one way traffic

paul
Level 1

Having a few issues connecting a PIX 501 to a Cisco 1760. The 1760 has been configured as a VPN server and has for months been working fine for remote users with the Cisco VPN Client software. I'm trying to get a "site to site" VPN working and have run into a brick wall. I'll paste the PIX and 1760 configs below. The network behind the 1760 is 10.10.10.x and the PIX dhcpd is giving out IPs in the 192.168.100.x range.

The tunnel "seems" ok as I can ping between sites and can map drives on machines behind the PIX from a host behind the 1760 - I can even VNC into a host behind the PIX from one behind the 1760. I can't, however, initiate anything from any host behind the PIX.

Does anyone have any ideas?

PIX config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxxx encrypted
hostname pixfirewall
domain-name xxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging timestamp
logging trap debugging
logging host inside 192.168.100.10
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x x.x.x.x
ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 x.x.x.x (1760 public ip) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.100.10-192.168.100.20 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd option 150 ip 10.10.10.190
dhcpd enable inside
vpnclient server x.x.x.x (1760 public ip)
vpnclient mode network-extension-mode
vpnclient vpngroup xxxxx password xxxxx
vpnclient username xxxxx password xxxxx
vpnclient enable
terminal width 80

1760 Config as attachment as I'm over the size limit.

3 Replies

thisisshanky
Level 11

I have a similar setup for my home office. I have a VPN running to a 3600 router. Two differences:

a. Easy VPN client configuration is in "client mode" and not "network extension mode"

b. PIX OS is 6.3.4

Have never had any issues!!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

I've just upgraded to 6.3(4) and have changed the vpnclient mode to client-mode and now the situation is reversed!

I can, from behind the PIX, browse shares and ping hosts that are behind the 1760 but from a host behind the 1760 I can do nothing - not even ping, so this is kind of a step backwards ;)

Have you added an access-list to allow 192.168.20.0-50? Or is your acl 11 a typo? A deny on your acl 120, so traffic isn't NAT'd to your .20 network. Also, you have a local pool that gives out .0; you'd want to change that.

I'd look into creating a L2L connection between the PIX and the 1760 instead of client to server.

Hope that helps.
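The LAN-to-LAN (L2L) alternative suggested in the last reply, together with the NAT-exemption deny it mentions, as an added example that is not part of this thread and not taken from either poster's configuration. It uses the two subnets from the question (192.168.100.0/24 behind the PIX, 10.10.10.0/24 behind the 1760); the peer addresses, the pre-shared key, the crypto map names and the ACL numbers on the 1760 side are placeholders or assumptions, because the 1760 config is only an attachment and is not on the page. It also assumes 3DES is licensed on the PIX 501 and that the 1760 keeps its existing Easy VPN dynamic crypto map for the remote-access clients.

```cisco
: ---- PIX 501, PIX OS 6.3 side (added example; ":" starts a comment in PIX 6.x) ----
: The Easy VPN remote config and a static crypto map cannot share the outside
: interface, so the vpnclient feature is disabled before the crypto map is applied.
no vpnclient enable
: NAT exemption: tunnel traffic keeps its real 192.168.100.x source addresses.
access-list NONAT permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
: Interesting traffic for the L2L security association (mirror of the 1760 ACL).
access-list L2L permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
: Let decrypted IPsec traffic bypass the interface ACLs (PIX 6.x behaviour).
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address L2L
crypto map OUTSIDE_MAP 10 set peer <1760-PUBLIC-IP>
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
isakmp enable outside
isakmp key <PRE-SHARED-KEY> address <1760-PUBLIC-IP> netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! ---- Cisco 1760, IOS side (added example; names and numbers are assumptions) ----
! Phase 1 policy matching the PIX above.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address <PIX-OUTSIDE-IP>
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Interesting traffic, the mirror image of the PIX L2L ACL.
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255
! NAT exemption: the deny must sit above the permit in the NAT ACL (acl 120 in
! the reply), otherwise 10.10.10.x sources are translated before encryption and
! never match the SA, which is the one-way symptom seen in the thread.
access-list 120 deny   ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
! Static L2L entry in the SAME crypto map that already carries the Easy VPN
! dynamic entry; its sequence number (5) must be lower than the dynamic entry's
! so the static peer is matched first. VPNMAP is the assumed existing map name.
crypto map VPNMAP 5 ipsec-isakmp
 set peer <PIX-OUTSIDE-IP>
 set transform-set ESP-3DES-SHA
 match address 101
```

After both sides are in place, `show crypto isakmp sa` should show one active Phase 1 SA to the peer and `show crypto ipsec sa` should show both `#pkts encaps` and `#pkts decaps` climbing on each end when hosts on either LAN initiate traffic. A counter that rises on one side only (encaps on A, no decaps on B) points at the far end's NAT exemption or crypto ACL rather than at Phase 1, which is the quickest way to separate the "tunnel seems ok" case in the question from a real routing or translation problem.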