PIX 515 ver 7 vpn config help

1qaz2wsx1qaz (Level 1)

Hi All,

I can get VPN to work if I use internal IP addresses, however if I change the IP pool to a different subnet I am unable to connect from an external client to the internal network.

The client shows no secure routes listed under the client statistics option.

Can someone please tell me where the error is located in my route or ACL?

Thanks in advance.

PIX Version 7.0(1)
names
!
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 192.168.1.253 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.62.1.253 255.255.255.0
!
!
enable password xxx
passwd xxx
hostname
domain-name
ftp mode passive
access-list 101 extended permit ip 10.62.1.0 255.255.255.0 10.62.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu Outside 1500
mtu DMZ 1500
ip local pool vpn_in 10.62.2.1-10.62.2.254 mask 255.255.255.0
monitor-interface inside
monitor-interface Outside
monitor-interface DMZ
asdm image flash:/asdm-501.bin
asdm location 10.62.1.224 255.255.255.240 inside
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (inside) 0 access-list 101
nat (inside) 1 10.62.1.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy try internal
group-policy try attributes
 ipsec-udp enable
 ipsec-udp-port 10000
 vpn-idle-timeout 30
username testuser password xxx privilege 0
username testuser attributes
 vpn-group-policy try
username testvpn password xxx
username testvpn attributes
 vpn-group-policy try
http server enable
http 10.62.1.0 255.255.255.0 inside
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map rtpdynmap 20 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic rtpdynmap
crypto map mymap interface Outside
isakmp identity address
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group try type ipsec-ra
tunnel-group try general-attributes
 address-pool vpn_in
 default-group-policy try
tunnel-group try ipsec-attributes
 pre-shared-key welcome
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!

6 Replies

sachinraja (Level 9)

Hello,

The PIX configuration looks fine. Are you sure about the VPN client configs? Have you enabled the "allow local LAN access" tab? Why don't you do some debugs on the PIX and see the packets?

Regards

Raj

Hi Raj,

"Allow local LAN access" was not enabled. But the problem still exists; there is no secure route displayed on the client statistics screen.

The client stats show packets being sent but none received.

On the PIX, if I run sh ipsec sa I get:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0

Any thoughts?

Hi,

Check if VPN Client is also configured to use IPSec over UDP because that is what you have specified.

If you are behind any firewall, make sure that UDP port 10000 is open, because that is the port you have specified in the config on which the PIX listens for UDP traffic.

Tanveer

Thanks for the suggestion.

The port is open.

When I use an internal IP address pool, everything works fine.

I am using the 4.8 VPN client, and when I use the different-subnet IP pool I am unable to get a secure route (see earlier mail).

I still can connect to the pix just not able to see any machines in the internal LAN.

Any other thoughts?

scheikhnajib (Level 1)

Hi,

I have a similar scenario with the same OS version and it's working fine for me. The only thing that I can think of is that you have forgotten to run the command "sysopt permit connection-ipsec". In that case you need to run it, or allow the traffic through an inbound ACL applied on the outside interface.

Anyway, I have attached my own config, so you can compare and you might find the missing ring here.

Good Luck.

Salem.

ali-franks (Level 1)

When you change the local pool subnet, be sure to change the Nat0 access-list to reflect the new subnet:

You have:

nat (inside) 0 access-list 101
access-list 101 extended permit ip 10.62.1.0 255.255.255.0 10.62.2.0 255.255.255.0
ip local pool vpn_in 10.62.2.1-10.62.2.254 mask 255.255.255.0

So make sure the ACL entries match the pool destination subnet for the clients.

Salem has a good point also. Allow ISAKMP and ESP inbound on an ACL, or use the sysopt command as he suggests.

Also, if the clients are behind a FW you also need to allow UDP 4500.
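The checks the replies point at (the nat 0 exemption ACL must cover the client pool, decrypted traffic must be permitted by sysopt or an inbound ACL, and a pool that overlaps the inside subnet is the workaround the original poster described, not a fix), as an added example that is not from the thread: a small Python linter run over a trimmed copy of the posted config. The regexes assume the ACL forms used on this page (network/mask or any); host entries are not handled.

```python
import ipaddress
import re

# Trimmed copy of the PIX 7.0 running config posted in the thread (only the lines the checks use).
PIX_CONFIG = """\
interface Ethernet0
 ip address 192.168.1.253 255.255.255.0
interface Ethernet1
 ip address 10.62.1.253 255.255.255.0
access-list 101 extended permit ip 10.62.1.0 255.255.255.0 10.62.2.0 255.255.255.0
ip local pool vpn_in 10.62.2.1-10.62.2.254 mask 255.255.255.0
nat (inside) 0 access-list 101
crypto map mymap interface Outside
"""

def _net(addr, mask):
    # strict=False so a pool start address like 10.62.2.1/24 yields 10.62.2.0/24
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_ra_vpn(config):
    """Return a list of findings for a remote-access IPsec config; [] means all checks pass."""
    lines = [l.strip() for l in config.splitlines()]
    pools, if_nets, nat0_acls, acl_dsts = {}, [], set(), {}
    for l in lines:
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)", l):
            pools[m[1]] = _net(m[2], m[4])
        elif m := re.match(r"ip address (\S+) (\S+)", l):
            if_nets.append(_net(m[1], m[2]))          # interface subnets
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", l):
            nat0_acls.add(m[1])                       # NAT exemption ACL names
        elif m := re.match(r"access-list (\S+) extended permit ip (?:any|\S+ \S+) (\S+) (\S+)", l):
            acl_dsts.setdefault(m[1], []).append(_net(m[2], m[3]))
    findings = []
    exempt = [d for a in nat0_acls for d in acl_dsts.get(a, [])]
    for name, pool in pools.items():
        # ali-franks' point: the nat 0 ACL destination must still match the pool after a pool change
        if not any(pool.subnet_of(d) for d in exempt):
            findings.append(f"pool {name} {pool} is not a destination in the nat 0 ACL")
        # the OP's "internal IP pool" case: works only by leaning on proxy ARP, so flag it
        for n in if_nets:
            if pool.overlaps(n):
                findings.append(f"pool {name} {pool} overlaps interface subnet {n}")
    # Salem's point: decrypted client traffic needs sysopt or an inbound ACL on the outside interface
    if not any(l.startswith("sysopt connection permit-ipsec") or
               re.match(r"access-group \S+ in interface", l) for l in lines):
        findings.append("no 'sysopt connection permit-ipsec' and no inbound access-group: "
                        "confirm decrypted client traffic is permitted")
    return findings
```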