01-26-2006 04:14 PM - edited 02-21-2020 02:13 PM
Hi All,
I am trying to set up an IP Pool on a different subnet than my local LAN. If I set up a VPN pool using my internal LAN addresses everything works fine.
When I use an IP Pool other than my local LAN, I can connect to the PIX and the VPN client PC can receive the settings from the PIX firewall, however I am unable to see the local LAN.
Below is the config; am I missing a route or an access-list?
All help gratefully appreciated.
PIX Version 7.0(1)
names
!
interface Ethernet0
nameif Outside
security-level 0
ip address 192.168.10.253 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.10.253 255.255.255.0
!
interface Ethernet2
nameif DMZ
security-level 50
ip address 131.131.131.253 255.255.255.0
!
enable password xxxx
passwd xxxx
hostname pixfirewall
domain-name wtm
ftp mode passive
clock timezone EST 10
access-list Outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any 10.10.10.224 255.255.255.240
access-list Outside_cryptomap_dyn_20 extended permit ip any 10.10.10.224 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu Outside 1500
ip local pool Dial-In 10.10.11.1-10.10.11.239 mask 255.255.255.0
monitor-interface inside
monitor-interface DMZ
monitor-interface Outside
asdm image flash:/asdm-501.bin
asdm location 10.10.10.224 255.255.255.240 inside
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 192.168.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy try internal
group-policy try attributes
dns-server value 10.10.10.16 10.10.10.2
username xxx password xxx encrypted privilege 0
username xxxx attributes
vpn-group-policy try
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp identity address
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group try type ipsec-ra
tunnel-group try general-attributes
address-pool Dial-In
default-group-policy try
tunnel-group try ipsec-attributes
pre-shared-key welcome
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxxx
: end
01-26-2006 07:46 PM
Just a casual perusal of your config shows issues with using "nat 0" and access-lists for the new IP pool configured for the VPN Client. You need to take into consideration that VPN client traffic is considered as coming from an outside client, so it needs to fulfill the NAT and ACL conditions.
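Added example, not posted by either participant: the config change the reply above is pointing at, written against the posted PIX 7.0(1) config. Both the NAT-exemption ACL (inside_nat0_outbound) and the dynamic crypto map ACL (Outside_cryptomap_dyn_20) still reference 10.10.10.224/28, the old in-LAN pool, while the pool Dial-In now hands out 10.10.11.x. Return traffic from the LAN to a 10.10.11.x client therefore misses the nat 0 exemption, hits nat (inside) 10 and is PATed out the Outside interface instead of entering the tunnel. The fragment assumes the LAN stays 10.10.10.0/24 on inside and the pool stays 10.10.11.0/24 as in the post; it only repoints the two ACLs at the pool. On PIX, re-entering an access-list line appends another ACE, so the stale entries are removed first.

```text
! Remove the ACEs that still point at the old in-LAN pool 10.10.10.224/28
no access-list inside_nat0_outbound extended permit ip any 10.10.10.224 255.255.255.240
no access-list Outside_cryptomap_dyn_20 extended permit ip any 10.10.10.224 255.255.255.240

! NAT exemption: LAN -> VPN pool must bypass "nat (inside) 10", or the reply
! traffic is PATed to the Outside interface address and never enters the tunnel
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Dynamic crypto map match ACL: protect traffic to/from the pool, not the old /28
access-list Outside_cryptomap_dyn_20 extended permit ip any 10.10.11.0 255.255.255.0

! Unchanged, shown for context: the pool and the dynamic map that use the ACLs above
ip local pool Dial-In 10.10.11.1-10.10.11.239 mask 255.255.255.0
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
```

After applying this, existing translations may still be cached; `clear xlate` flushes them so LAN hosts stop being PATed when they answer a VPN client. The `asdm location 10.10.10.224 255.255.255.240 inside` line is ASDM bookkeeping only and does not affect forwarding.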