PIX VPN Question

efairbanks
Level 1

All,  I am trying to set up a very basic VPN solution with my PIX 515 version 6.3 at home.  As of right now I can successfully connect from the client and can pass traffic through the VPN to inside hosts (i.e. ping), and the hosts respond (both directions verified using "debug ip trace" on the PIX), but the remote client isn't receiving the return traffic (verified using wireshark on the client).  The hosts on the internal network all see the MAC address for my remote client's VPN obtained IP as the MAC of the inside interface of the PIX itself (makes sense).

My setup right now is VERY basic - one network on the outside interface of the PIX where my client is, and one network on the inside where my home network is.  I will add routing to outside stuff later once I get basic VPN connectivity established. 

My subnets are as follows:

Outside - 192.168.1.0/24

Inside - 192.168.10.0/24

I know I am probably missing something very simple, but I am having issues finding it.  Any assistance would be greatly appreciated.  Below is my complete config.

Thanks in advance.

-Erik

:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname HAL2000PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 192.168.10.100-192.168.10.150
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup HAL2000VPN address-pool vpnpool1
vpngroup HAL2000VPN dns-server 192.168.1.1
vpngroup HAL2000VPN default-domain hal2000.com
vpngroup HAL2000VPN split-tunnel 101
vpngroup HAL2000VPN idle-time 1800
vpngroup HAL2000VPN password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

5 Replies

I figured out what I was doing wrong, but I am not 100% sure what the issue is.  I had the VPN DHCP pool on the same subnet as the inside interface of the PIX (not a separate subnet).  Once I changed the subnet to something different (same as the configuration guide) and added static routes on the hosts to the VPN-DHCP pool via the inside interface of the PIX, everything worked. 

Is it not possible to have VPN clients on the same subnet as hosts and the inside PIX interface?  Quick disclaimer, I am an R&S guy.

Thanks for your help.

-Erik
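The mistake Erik describes above (the VPN address pool carved out of the inside interface's own subnet) is easy to catch with a static check of the config. The following Python script is an added example, not code from this thread or from Cisco: it parses the "ip address" and "ip local pool" lines from a constructed excerpt of the posted PIX 6.3 config and flags any pool that overlaps a directly connected interface subnet. The corrected pool range 192.168.20.100-192.168.20.150 is an assumed value chosen for the example.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 config posted in the thread; only the
# lines this check needs. The pool lies inside the 'inside' interface subnet.
ORIGINAL_CONFIG = """\
ip address outside 192.168.1.1 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
ip local pool vpnpool1 192.168.10.100-192.168.10.150
"""

# Constructed corrected version: pool moved to its own subnet (assumed range).
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    "192.168.10.100-192.168.10.150", "192.168.20.100-192.168.20.150")

IP_ADDRESS_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
LOCAL_POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")


def parse_interfaces(config):
    """Return {nameif: IPv4Network} from 'ip address <nameif> <ip> <mask>'."""
    nets = {}
    for line in config.splitlines():
        m = IP_ADDRESS_RE.match(line.strip())
        if m:
            name, ip, mask = m.groups()
            nets[name] = ipaddress.ip_interface(f"{ip}/{mask}").network
    return nets


def parse_pools(config):
    """Return {pool: (first, last)} from 'ip local pool <name> <a>-<b>'."""
    pools = {}
    for line in config.splitlines():
        m = LOCAL_POOL_RE.match(line.strip())
        if m:
            name, first, last = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return pools


def find_pool_overlaps(config):
    """List (pool, nameif, subnet) for every pool whose range intersects a
    directly connected interface subnet, i.e. the thread's misconfiguration."""
    nets = parse_interfaces(config)
    hits = []
    for pool, (first, last) in parse_pools(config).items():
        for ifname, net in nets.items():
            if first <= net.broadcast_address and last >= net.network_address:
                hits.append((pool, ifname, str(net)))
    return hits
```

Running it on the posted config reports vpnpool1 overlapping the inside subnet 192.168.10.0/24, while the corrected config produces no findings.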

You should not use the same IPs for your VPN pool. This way the VPN will connect but you won't get access to internal resources.

Thanks

Ajay

Yeah, I see that, but honestly I don't know enough about the PIX to know why that is a "rule".

Hello,

I would not say this is a PIX rule, it is more like a security approach to set up a remote client VPN in the best possible way.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC