12-24-2011 02:30 PM
All, I am trying to setup a very basic VPN solution with my PIX 515 version 6.3 at home. As of right now I can successfully connect from the client and can pass traffic through the VPN to inside hosts (i.e. ping), and the hosts respond (both directions verified using "debug ip trace" on the PIX), but the remote client isn't receiving the return traffic (verified using wireshark on the client). The hosts on the internal network all see the MAC address for my remote client's VPN obtained IP as the MAC of the inside interface of the PIX itself (makes sense).
My setup right now is VERY basic - one network on the outside interface of the PIX where my client is, and one network on the inside where my home network is. I will add routing to outside stuff later once I get basic VPN connectivity established.
My subnets are as follows:
Outside - 192.168.1.0/24
Inside - 192.168.10.0/24
I know I am probably missing something very simple, but I am having issues finding it. Any assistance would be greatly appreciated. Below is my complete config.
Thanks in advance.
-Erik
:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname HAL2000PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 192.168.10.100-192.168.10.150
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup HAL2000VPN address-pool vpnpool1
vpngroup HAL2000VPN dns-server 192.168.1.1
vpngroup HAL2000VPN default-domain hal2000.com
vpngroup HAL2000VPN split-tunnel 101
vpngroup HAL2000VPN idle-time 1800
vpngroup HAL2000VPN password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
12-25-2011 12:29 AM
Check out the below config example
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml
12-25-2011 09:38 AM
I figured out what I was doing wrong, but I am not 100% sure what the issue is. I had the VPN DHCP pool on the same subnet as the inside interface of the PIX (not a separate subnet). Once I changed the subnet to something different (same as the configuration guide) and added static routes on the hosts to the VPN-DHCP pool via the inside interface of the PIX, everything worked.
Is it not possible to have VPN clients on the same subnet as hosts and the inside PIX interface? Quick disclaimer, I am an R&S guy.
Thanks for your help.
-Erik
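The check Erik arrived at in the post above, written out as a small audit script. This is an added example, not code from the thread or from Cisco. It parses only the PIX 6.3 lines that decide where VPN-client traffic goes (interface addresses, the ip local pool, the nat 0 ACL and the vpngroup settings) and flags a pool that overlaps a directly connected subnet, a nat 0 ACL that does not exempt the pool, or a split-tunnel ACL that pushes no route for the inside network. The 192.168.20.0/24 pool in FIXED_CONFIG is an assumed value (the thread only says "something different"), and the script assumes the inside interface is named "inside" as in the posted config.

```python
import ipaddress
import re

# Constructed sample: the lines from the PIX 6.3 config posted in this thread
# that matter for client reachability. The pool sits inside the
# 192.168.10.0/24 inside subnet, which is the setup that did not work.
ORIGINAL_CONFIG = """
ip address outside 192.168.1.1 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
ip local pool vpnpool1 192.168.10.100-192.168.10.150
nat (inside) 0 access-list 101
vpngroup HAL2000VPN address-pool vpnpool1
vpngroup HAL2000VPN split-tunnel 101
"""

# Constructed sample of the fix: pool moved to its own subnet and the ACL that
# drives both nat 0 and split tunnelling pointed at that subnet.
# 192.168.20.0/24 is an assumed value; the thread does not name the new subnet.
FIXED_CONFIG = """
ip address outside 192.168.1.1 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
ip local pool vpnpool1 192.168.20.100-192.168.20.150
nat (inside) 0 access-list 101
vpngroup HAL2000VPN address-pool vpnpool1
vpngroup HAL2000VPN split-tunnel 101
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
VPNGROUP_RE = re.compile(r"^vpngroup (\S+) (address-pool|split-tunnel) (\S+)$")


def parse_config(text):
    """Pull interface addresses, pools, ip ACLs, nat 0 and vpngroup lines out of a PIX 6.x config."""
    cfg = {"interfaces": {}, "pools": {}, "acls": {}, "nat0": {}, "vpngroups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            cfg["interfaces"][m[1]] = ipaddress.IPv4Interface(f"{m[2]}/{m[3]}")
        elif m := POOL_RE.match(line):
            cfg["pools"][m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
        elif m := ACL_RE.match(line):
            src = ipaddress.IPv4Network(f"{m[2]}/{m[3]}")
            dst = ipaddress.IPv4Network(f"{m[4]}/{m[5]}")
            cfg["acls"].setdefault(m[1], []).append((src, dst))
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m[1]] = m[2]  # interface -> ACL whose matches are exempt from NAT
        elif m := VPNGROUP_RE.match(line):
            cfg["vpngroups"].setdefault(m[1], {})[m[2]] = m[3]
    return cfg


def pool_addresses(start, end):
    return [ipaddress.IPv4Address(i) for i in range(int(start), int(end) + 1)]


def audit(cfg):
    """Return a list of findings; an empty list means the pool placement looks sane."""
    findings = []
    for group, settings in cfg["vpngroups"].items():
        start, end = cfg["pools"][settings["address-pool"]]
        addrs = pool_addresses(start, end)

        # 1. The pool must not overlap any directly connected subnet. In the
        #    thread, replies reached the PIX but never the client until the
        #    pool was moved off the inside subnet.
        for ifname, iface in cfg["interfaces"].items():
            if any(a in iface.network for a in addrs):
                findings.append(
                    f"{group}: pool {start}-{end} overlaps {ifname} subnet {iface.network}")

        # 2. The nat 0 ACL must match local-subnet -> every pool address, or
        #    the PIX applies translation to the return traffic.
        for ifname, acl_name in cfg["nat0"].items():
            local_net = cfg["interfaces"][ifname].network
            entries = cfg["acls"].get(acl_name, [])
            uncovered = [a for a in addrs
                         if not any(local_net.subnet_of(src) and a in dst for src, dst in entries)]
            if uncovered:
                findings.append(
                    f"{group}: nat ({ifname}) 0 access-list {acl_name} does not exempt "
                    f"{local_net} -> {uncovered[0]} (and {len(uncovered) - 1} more)")

        # 3. The split-tunnel ACL's source networks are what the client installs
        #    as its secured routes; the inside network must be among them.
        split_acl = settings.get("split-tunnel")
        if split_acl:
            inside_net = cfg["interfaces"]["inside"].network  # assumes an interface named inside
            if not any(inside_net.subnet_of(src) for src, _ in cfg["acls"].get(split_acl, [])):
                findings.append(f"{group}: split-tunnel ACL {split_acl} pushes no route for {inside_net}")
    return findings


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(parse_config(text)) or "OK")
```

Run against the original config it reports only the overlap between vpnpool1 and the inside subnet; against the fixed config it reports nothing. Adding a pool that is not covered by the nat 0 ACL, or dropping the inside network from ACL 101, produces the other two findings, which are the two remaining ways to get "VPN connects but nothing inside answers" with this style of config.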
12-26-2011 12:18 PM
You should not use the same IPs for your VPN pool. This way the VPN will connect but you won't get access to internal resources.
Thanks
Ajay
12-26-2011 12:31 PM
Yeah, I see that, but honestly don't know enough about the PIX to know why that is a "rule"
12-26-2011 05:56 PM
Hello,
I would not say this is a PIX rule, it is more like a security approach to set up a remote client VPN in the best possible way.
Regards,
Julio