07-22-2009 07:21 AM
OK, this one has me puzzled. It has been a while since I configured a PIX for Client VPN access, so I dont know what I am missing. I have done quite a few ASA setups, no problem, but this PIX one has me stumped.
Internal network 192.168.1.0/24, VPN pool 192.168.10.0/24.
NoNat ACL 192.168.1.0/24 192.168.10.0/24
nat (inside) 0 access-list NoNat
VPN ACL 192.168.1.0/24 192.168.10.0/24
vpngroup group split-tunnel VPN
I am connecting OK, authenticating against radius, the route tab on the client shows 192.168.1.0/24, but I cant ping nor remote desktop to anything behind the PIX. I ran debug icmp trace and did not see any traffic either.
The show cry ips sa shows me encrypted and decrypted traffic though, the client only shows encrypted. The client is version 5.0.03.0560, PIX OS is 6.3(5)
I should note I tried this from both an XP machine and a Macbook. Same results.
07-22-2009 07:52 AM
Make sure ANY other device that does handle the routing on the network knows the 192.168.10.0/24 network is handled by the PIX.
HTH>
07-22-2009 08:19 AM
That's not a problem, the default gateway for everything is the PIX. Further troubleshooting has led me to show crypto map command to verify that the dynamic ACL is working, and I found something interesting. The ACL for no nat does not appear.
access-list dynacl18; 1 elements
access-list dynacl18 line 1 permit ip any host 192.168.10.1 (hitcnt=172)
I am not seeing
access-list dynacl17; 1 elements
access-list dynacl17 line 1 permit ip host (outside IP) host 192.168.10.1
as per the example found here
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml
I am seeing full traffic though, and this is what is puzzling me, it seems as the the client is blocking thr traffic.
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.1/255.255.255.255/0/0)
current_peer: :4203
dynamic allocated peer ip: 192.168.10.1
PERMIT, flags={}
#pkts encaps: 123, #pkts encrypt: 123, #pkts digest 123
#pkts decaps: 123, #pkts decrypt: 123, #pkts verify 123
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
Client
Packets
Encrypted 123
Decrypted 0
07-22-2009 08:44 AM
I found the problem, I had mistakenly thought Nat Traversal was enabled, I found it wasn't, that was the problem.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide