Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3357
Views
0
Helpful
20
Replies

PIX 501 config - access to internal network not working from remote VPN users - everything on the inside is OK

NewtoPIX111
Level 1
Level 1

‎10-30-2013 05:18 AM

One other thing - I had a problem with the key pairing so I rebuilt the rsa 1024 and the unit started working. Unfortunately I reloaded without the config in place and now I cannot get it to work again. Any help will be greatly apprecaited although I did review a dozen other posts of people having similar problems and for some reason there is never any conclusion as to the solution and I am not sure why.           

Some other info from the client end:

I just ran the stats on the client and packets are being encrypted BUT none are decrypted.

Also Tunnel received 0 and sent 115119

Encryption is 168-bit 3-DES

Authentication is HMAC-SHA1

also even though the allow LAN is selected in the Cisco VPN client it states the local LAN is disabled in the client stats

also Transparent tunneling is selcted but in the stats it states it is inactive

          

I am connecting with the Cisco VPN Client Ver 5.0.07.0440

This config works. It is on the internal net 192.168..40.x and all users obtain dhcp and surf the web. It has required ports opened.The problem is that you can connect remotely via the VPN and you receive an IP address from the remote-vpn pool but you cannot see any machines on the internal network. The pix is at 40.2 and you cannot ping the pix and the pix from the remote PC connecting via the VPN and youcannot ping the remote PC from the PIX console when the remote is connected and receives the first IP address in the VPN pool of 192.168.40.25


I need to  see the internal network and map network drives. I have another friend that is running the same config and it works but his computer is on a linksys wireless and has an IP of 192.168.1.x and the IP he receives from the VPN pool is 192.168.1.25 so I do not know if the same network is allowing this config to work even if there is an error in the config. In my present case I obtain the ip of 192.168.40.25 from the VPN pool and my connecting pc on 192.168.1.x    I really am not sure how the VPN virtual adapter works. I am assuming it routes all traffic from your connecting PC to and from the virtual adapater but I really do not know for sure.

Other people have had similar issues with accessing the internal network from the VPN. One solution was the split-tunnel, another was the natting and another had to do with the encrption where there and an issue with the encrypt and ecrypt which was stopping the communicaton via the VPN.

I still cannot seem to find the issue with this config and any help will be greatly appreciated.

This is the config

********************************************************


interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password somepassword

hostname hostname

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group network internal_trusted_net

  network-object 192.168.40.0 255.255.255.0

object-group icmp-type icmp_outside

  icmp-object echo-reply

  icmp-object unreachable

  icmp-object time-exceeded

  icmp-object source-quench


access-list OutToIn permit icmp any xxx.xxx.xxx.0 255.255.255.248 object-group icmp_outside

access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0

access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0


access-list OutToIn permit ip any any

access-list outbound permit ip any any

(NOTE: I had many more entries in the access list but removed them. Even with the above two allowing everything it does not work)

pager lines 24

mtu outside 1500

mtu inside 1500


ip address outside xxx.xxx.xxx.xxx 255.255.255.248

ip address inside 192.168.40.2 255.255.255.0


ip audit info action alarm

ip audit attack action alarm


ip local pool vpn_client_pool 192.168.40.25-192.168.40.30


pdm history enable

arp timeout 14400


global (outside) 1 interface

I had this statement missing from the previous posted config but even with the nat (inside) 0 access-list no_nat_inside  it still does not work.

nat (inside) 0 access-list no_nat_inside

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl_outside_in in interface outside

access-group outbound in interface inside

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1


timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.40.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community $XXXXXX$

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set 3des_strong esp-3des esp-sha-hmac

crypto dynamic-map clientmap 50 set transform-set 3des_strong

crypto map vpn 50 ipsec-isakmp dynamic clientmap

crypto map vpn client configuration address initiate

crypto map vpn client configuration address respond

crypto map vpn client authentication LOCAL

crypto map vpn interface outside

isakmp enable outside

isakmp identity address

isakmp client configuration address-pool local vpn_client_pool outside

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup remote-vpn split-tunnel split_tunnel

vpngroup remote-vpn idle-time 10800

vpngroup remote-vpn password ANOTHER PASSWORD

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 192.168.40.0 255.255.255.0 inside

ssh timeout 30

console timeout 60

dhcpd address 192.168.40.100-192.168.40.131 inside

dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

username AUSER password PASSWORD privilege 15

terminal width 80


****************** End of config

I have been searching docs and other people's postings trying to obtain the info to make this work. It appears pretty much boiler plate but I believe my problem is in the natting. I am using a range in the internal network for the VPN pool and I have tried switching this to other networks but this has not helped. Unfortunately I have been unable to get the PDM to work and I believe this is a PC config thing and I did not want to waste the time on it. I read a post where a person using the PDM interface with the same problem (not being able to access the internal network)  was able to go to a section in the VPN wizard and set the Address Exeption Translation. They said they originally set the VPN subnet when they did not have to. Many of the other blogs I read also stated that if the natting is not proper  for the VPN pool- that it will not work but I am confused by the examples. They show as I do the complete range for an access-list called no_nat_inside but I believe it should only have the VPN pool IP range and not the entire network since the others do require natting - not sure if my thought process is correct here. Any help will be greatly apprecaited. Also this morning I just tried a boiler plate example from CISCO and it also did not do what I need for it to do. And I also connect a PC to obtain an IP to see if I can see it - no good. The PC can ping the PIX and viceversa but no one can ping the remote PC that connects via the CISCO Remote VPN client even though it receive an address from the vpnpool. Also include LAN is checked off on the client. This was mentioned in anther post.

Thank you once again.

Labels:
0 Helpful
20 Replies 20

NewtoPIX111
Level 1
Level 1
In response to NewtoPIX111

‎10-31-2013 07:56 AM

Just made a change to the access list:

access-list outbound permit IP any THE INTERNAL NETWORK  255.255.255.0

And it is still working. Any thoughts?

Thank you very much for the ICMP fixup. I tried the config that is working now before and without it, the VPN did not work. Now it is working perfectly.

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to NewtoPIX111

‎10-31-2013 08:36 AM

Hi,

You dont actually need an ACL on the "outside" interface in your situation so you could remove it to avoid any breach in security of the network. You would only need the ACL on the "outside" interface if you have some Static NAT or Static PAT configuration required to host an internal servers service/port. You dont seem to have any so you dont need that ACL. You can leave the "inside" interface ACL.

The reason why you dont need an ACL on the "outside" interface is the fact that traffic coming from a VPN Connection is handled differently.

You have this setting on your PIX

sysopt connection permit-ipsec

This setting essentially enables all traffic coming from VPN to bypass the interfacel ACL of the interface that is terminating the VPN Connection. So in your case the "outside" interface. As I said, this setting only applies to traffic coming through a secure VPN Connection and nothing else.

I am not sure if the "fixup" command solved the case. It wouldnt seem likely but I am not sure. The main thing ofcourse is that connections work. Again if needed I can check the PIX configurations remotely and test the VPN Client if you run into problems.

Hope this helps

Please do remember to mark a reply as the correct answer if it has answered your question and/or rate helpfull answers.

Feel free to ask more question if needed though.

- Jouni

0 Helpful

NewtoPIX111
Level 1
Level 1
In response to Jouni Forss

‎10-31-2013 06:21 PM

I tried the sysopt connection permit-ipsec and removed the access-list statement and it did not work.

Then I inserted the access-list back and things went back to normal. Is this something to be concerned with?

Please let me know. Thank you

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to NewtoPIX111

‎11-01-2013 01:18 AM

Hi,

Please provide the current configuration.

Please also provide the exact configurations you changed related to the above situation.

- Jouni

0 Helpful

NewtoPIX111
Level 1
Level 1
In response to Jouni Forss

‎11-01-2013 03:47 PM

Weird findings.

Although the sysopt connection permit-ipsec did not work and the access-list statement did after a power cycle I discovered the the sysopt statement must be working -even though the access-list was active there were no hits on the hit counter when accessing the internal network. Before the sysopt comman every ping resulted in an increment in the hit counter on the access-list to allow the .40 network in on the outside interface. All is working well and the only thing that was changed was the fixup for the icmp. Another thing I noticed was the transparent tunneling -some times it is active and other times it is not. Can you let me know the advantage of having it running and also was the syntax is to enable it via the cli. Thank you for all of your help I really appreciate it. Take care.

0 Helpful

mfergusson
Level 1
Level 1
In response to NewtoPIX111

‎02-24-2018 02:12 AM

Hi, please can you post your final config. I’m having similar issues (and yes I know pix is really old)

thanks

Mark

0 Helpful
Customers Also Viewed These Support Documents