Beginner
Pix 501 IPSec VPN no LAN access

I am attempting to set up an IPSec VPN in a basic small business scenario. I am able to connect to my pix 501 via IPSec VPN and browse the internet but I am unable to ping or connect to any devices in the remote LAN. Here is my config:

: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 WAN security0
nameif ethernet1 LAN security99
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxx encrypted
hostname snowball
domain-name xxxxxxxxxxxx.local
clock timezone PST -8
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_in permit udp any any eq domain
access-list acl_in permit udp any eq domain any
access-list acl_in permit tcp any any eq domain
access-list acl_in permit tcp any eq domain any
access-list acl_in permit icmp any any echo-reply
access-list acl_in permit icmp any any time-exceeded
access-list acl_in permit icmp any any unreachable
access-list acl_in permit tcp any any eq ssh
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq https
access-list acl_in permit tcp any host 192.168.5.30 eq 81
access-list acl_in permit tcp any host 192.168.5.30 eq 8081
access-list acl_in permit tcp any host 192.168.5.22 eq 8081
access-list acl_in permit icmp any any echo
access-list acl_in permit tcp host 76.248.x.x any
access-list acl_in permit tcp host 76.248.x.x any
access-list acl_in permit udp host 76.248.x.x any
access-list acl_out permit icmp any any
access-list acl_out permit ip any any
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any source-quench
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any echo
access-list no-nat permit icmp any any
access-list no-nat permit ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list no-nat permit ip 172.16.0.0 255.255.0.0 any
access-list no-nat permit icmp any any echo-reply
access-list no-nat permit icmp any any source-quench
access-list no-nat permit icmp any any unreachable
access-list no-nat permit icmp any any time-exceeded
access-list no-nat permit icmp any any echo
pager lines 24
mtu WAN 1500
mtu LAN 1500
ip address WAN 65.74.x.x 255.255.255.240
ip address LAN 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptppool 172.16.0.2-172.16.0.13
pdm logging informational 100
pdm history enable
arp timeout 14400
global (WAN) 1 interface
nat (LAN) 0 access-list no-nat
nat (LAN) 1 0.0.0.0 0.0.0.0 0 0
static (LAN,WAN) 65.x.x.37 192.168.5.10 netmask 255.255.255.255 0 0
static (LAN,WAN) 65.x.x.36 192.168.5.20 netmask 255.255.255.255 0 0
static (LAN,WAN) 65.x.x.38 192.168.5.30 netmask 255.255.255.255 0 0
static (LAN,WAN) 65.x.x.39 192.168.5.40 netmask 255.255.255.255 0 0
static (LAN,WAN) 65.x.x.42 192.168.5.22 netmask 255.255.255.255 0 0
static (LAN,WAN) 65.x.x.43 192.168.5.45 netmask 255.255.255.255 0 0
static (LAN,WAN) 65.x.x.44 192.168.5.41 netmask 255.255.255.255 0 0
static (LAN,WAN) 65.x.x.45 192.168.5.42 netmask 255.255.255.255 0 0
static (LAN,WAN) 65.x.x.46 192.168.5.44 netmask 255.255.255.255 0 0
static (LAN,WAN) 65.x.x.41 192.168.5.21 netmask 255.255.255.255 0 0
access-group acl_in in interface WAN
access-group acl_out in interface LAN
route WAN 0.0.0.0 0.0.0.0 65.x.x.34 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 72.14.188.195 source WAN
snmp-server host WAN 76.248.x.x poll
snmp-server location Sacramento
snmp-server contact sysadmin@blahblah.com
snmp-server community xxxxxxxxxxxxx
snmp-server enable traps
floodguard enable
fragment chain 1 WAN
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface WAN
isakmp enable WAN
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup myvpn address-pool pptppool
vpngroup myvpn dns-server 192.168.5.44
vpngroup myvpn default-domain xxxxxxxxx.local
vpngroup myvpn split-tunnel no-nat
vpngroup myvpn idle-time 1800
vpngroup myvpn password ********
telnet 192.168.5.0 255.255.255.0 LAN
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 LAN
ssh timeout 30
console timeout 0
vpdn group pptpusers accept dialin pptp
vpdn group pptpusers ppp authentication pap
vpdn group pptpusers ppp authentication chap
vpdn group pptpusers ppp authentication mschap
vpdn group pptpusers ppp encryption mppe 128
vpdn group pptpusers client configuration address local pptppool
vpdn group pptpusers client configuration dns 192.168.5.44
vpdn group pptpusers pptp echo 60
vpdn group pptpusers client authentication local
vpdn username xxxxxxxxx password *********
vpdn username xxxxxxxxx password *********
vpdn enable WAN
dhcpd address 192.168.5.200-192.168.5.220 LAN
dhcpd dns 192.168.5.44 8.8.8.8
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable LAN
username xxxxxxxxxxx password xxxxxxxxxx encrypted privilege 0
username xxxxxxxxxxx password xxxxxxxxxx encrypted privilege 0
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxx
: end

I am sure it has something to do with NAT or an access list but I can't figure it out at all. I know this is a basic question but I would really appreciate the help!
Thanks so much,
Trevor

Accepted Solution
Cisco Employee

Re: Pix 501 IPSec VPN no LAN access

The "no-nat" ACL does not look correct, please kindly remove the following:

no access-list no-nat permit icmp any any
no access-list no-nat permit ip 172.16.0.0 255.255.0.0 any
no access-list no-nat permit icmp any any echo-reply
no access-list no-nat permit icmp any any source-quench
no access-list no-nat permit icmp any any unreachable
no access-list no-nat permit icmp any any time-exceeded
no access-list no-nat permit icmp any any echo

You should only have 1 line as follows:

access-list no-nat permit ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.0.0

Please "clear xlate" after the above changes.

Also, if you have any personal firewall enabled on the host that you are trying to connect to from the VPN Client, please disable it and try again. Windows personal firewall normally blocks traffic from different subnets.

Hope that helps.

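As an added example (not from the thread or from Cisco), this small audit script encodes the shape of the accepted answer: the ACL referenced by `nat (LAN) 0 access-list` should contain only `permit ip <LAN subnet> <subnet containing the VPN pool>` entries, and every other entry is turned into the `no access-list ...` removal commands the reply lists. It parses a constructed excerpt of the config above; the `LAN` interface name and the `nat (LAN) 0` form are assumed from that config.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 config posted in the question (not the full config).
SAMPLE_CONFIG = """\
ip address LAN 192.168.5.1 255.255.255.0
ip local pool pptppool 172.16.0.2-172.16.0.13
access-list no-nat permit icmp any any
access-list no-nat permit ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list no-nat permit ip 172.16.0.0 255.255.0.0 any
access-list no-nat permit icmp any any echo-reply
nat (LAN) 0 access-list no-nat
"""

def audit_nat_exempt(config):
    """Return (keep, remove): ACEs of the nat 0 ACL that match the expected
    'permit ip <inside LAN> <pool subnet>' shape, and all the others."""
    lan = pool_ip = acl_name = None
    for line in config.splitlines():
        if m := re.match(r"ip address LAN (\S+) (\S+)", line):
            lan = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool \S+ (\S+)-", line):
            pool_ip = ipaddress.ip_address(m[1])  # first address of the VPN pool
        elif m := re.match(r"nat \(LAN\) 0 access-list (\S+)", line):
            acl_name = m[1]
    keep, remove = [], []
    for line in config.splitlines():
        if acl_name is None or not line.startswith(f"access-list {acl_name} "):
            continue
        parts = line.split()
        ok = False
        # Exactly: access-list <name> permit ip <src> <mask> <dst> <mask>
        if len(parts) == 8 and parts[2:4] == ["permit", "ip"]:
            try:
                src = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
                dst = ipaddress.ip_network(f"{parts[6]}/{parts[7]}", strict=False)
                ok = src == lan and pool_ip in dst
            except ValueError:  # 'any'/'host' keywords do not parse as networks
                ok = False
        (keep if ok else remove).append(line)
    return keep, remove

def removal_commands(config):
    """The 'no access-list ...' lines needed to prune the NAT-exemption ACL."""
    return ["no " + ace for ace in audit_nat_exempt(config)[1]]

if __name__ == "__main__":
    print("\n".join(removal_commands(SAMPLE_CONFIG)))
```

The same ACL is also named by `vpngroup myvpn split-tunnel no-nat` in the posted config, so pruning it changes both the NAT exemption and the split-tunnel list pushed to clients.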
Beginner

Re: Pix 501 IPSec VPN no LAN access

Holy s&*t! That fixed it! Thanks so much!