12-17-2003 05:01 AM - edited 02-21-2020 12:58 PM
Hi,
I have configured the PIX to establish a VPN tunnel to a VPN concentrator. On our LAN we have installed the VPN Client to connect to another VPN server. I am able to connect to the server but cannot ping any server; the same works from dialup.
Is there any configuration required?
PIX Version 6.2(1)
nameif ethernet0 dmz security10
nameif ethernet1 inside security100
nameif ethernet2 outside security0
enable password XXXXXXXXX encrypted
passwd xxxxxxxxx
hostname XXXXXXX
domain-name XXXXXXXXX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside permit tcp 192.168.x.x 255.255.255.0 any eq www
access-list inside permit tcp 192.168.x.x 255.255.255.0 any eq https
access-list inside permit tcp 192.168.x.x 255.255.255.0 any eq ftp
access-list inside permit tcp 192.168.x.x 255.255.255.0 any eq h323
access-list inside permit udp 192.168.x.x 255.255.255.0 any eq domain
access-list inside permit icmp 192.168.x.x 255.255.255.0 any
access-list inside permit ip 192.168.x.x 255.255.255.0 host 217.X.X.X (IP address of the VPN server for VPN Clients on the LAN)
access-list nonat permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list nonat permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list nonat permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list nonat permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list nonat permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list vpn3000 permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list vpn3000 permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list vpn3000 permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list vpn3000 permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list vpn3000 permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list vpn3000 permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list vpn3000 permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list vpn3000 permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list 101 permit tcp any host 217.x.x.x eq www
access-list 101 permit ip host 217.x.x.x host 201.x.x.x (This is for connecting from the VPN client to the VPN server)
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp deny any echo-reply outside
mtu dmz 1500
mtu inside 1500
mtu outside 1500
ip address dmz 10.0.0.1 255.0.0.0
ip address inside 192.168.x.x 255.255.255.0
ip address outside 217.x.x.x 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.x.x 255.255.255.0 0 0
static (inside,outside) 217.x.x.x 192.168.x.x netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 217.x.x.x 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address vpn3000
crypto map mymap 10 set peer 202.x.x.x
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key xxxxxxxx address 202.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
12-23-2003 08:54 AM
The document at http://www.cisco.com/warp/public/471/vpn-net-hood.html should help. Best of luck.
12-23-2003 11:20 AM
This ACL looks backwards...
access-list 101 permit ip host 217.x.x.x host 201.x.x.x (This is for connecting from the VPN client to the VPN server)
I think it should look like this...
access-list 101 permit ip host 201.x.x.x host 217.x.x.x
After you connect to the VPN server and try to ping, are you sending packets and not receiving, or are you not sending packets at all?
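The direction check from the reply above, as an added example (not code from the thread): a small Python lint that parses PIX 6.x access-list, access-group, ip address and static lines and flags any entry applied inbound on an interface whose source is an address the PIX itself owns on that interface (its interface address or a static mapped address). Traffic arriving inbound on the outside interface comes from the remote side, so such an entry is written backwards and the lint prints the swapped form. The sample config and its addresses are constructed; documentation ranges (203.0.113.x, 198.51.100.x) stand in for the masked 217.x.x.x and 201.x.x.x values.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed PIX 6.x fragment modelled on the thread's config. The real
# addresses were masked (217.x.x.x, 201.x.x.x); documentation ranges stand in.
SAMPLE_CONFIG = """
nameif ethernet1 inside security100
nameif ethernet2 outside security0
access-list 101 permit tcp any host 203.0.113.10 eq www
access-list 101 permit ip host 203.0.113.10 host 198.51.100.5 (VPN client to VPN server)
ip address inside 192.168.1.1 255.255.255.0
ip address outside 203.0.113.9 255.255.255.248
global (outside) 1 interface
static (inside,outside) 203.0.113.10 192.168.1.20 netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""


def _strip_comment(line):
    """Drop a trailing '(...)' annotation such as the poster added to ACL lines."""
    return re.sub(r"\s*\([^()]*\)\s*$", "", line).strip()


def _parse_addr(tokens, i):
    """Parse one PIX ACL address spec starting at tokens[i]: 'any',
    'host A.B.C.D' or 'A.B.C.D MASK' (PIX uses subnet masks, not wildcards).
    Returns (ip_network, index of the next unparsed token)."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _fmt(net):
    """Render an ip_network back in PIX ACL syntax."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def parse_config(text):
    """Collect ACL entries, access-group bindings and the addresses the PIX
    owns per interface (interface address plus static mapped addresses)."""
    cfg = {"acls": {}, "groups": {}, "local": {}}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and len(t) > 2 and t[2] in ("permit", "deny"):
            tokens = _strip_comment(raw).split()
            src, i = _parse_addr(tokens, 4)
            dst, _ = _parse_addr(tokens, i)
            cfg["acls"].setdefault(tokens[1], []).append(
                {"line": raw.strip(), "action": tokens[2], "proto": tokens[3],
                 "src": src, "dst": dst})
        elif t[0] == "access-group":
            # access-group NAME in interface IFACE
            cfg["groups"][t[1]] = (t[2], t[4])
        elif t[0] == "ip" and t[1] == "address":
            cfg["local"].setdefault(t[2], set()).add(ip_address(t[3]))
        elif t[0] == "static":
            # static (real_if,mapped_if) mapped_ip real_ip ...  -> mapped_ip is
            # reachable on mapped_if, so it counts as local there
            mapped_if = t[1].strip("()").split(",")[1]
            cfg["local"].setdefault(mapped_if, set()).add(ip_address(t[2]))
    return cfg


def find_backwards_entries(cfg):
    """Return (original_line, suggested_line) for host entries whose source is
    a local address on the interface where the ACL is applied inbound."""
    findings = []
    for acl, (direction, iface) in cfg["groups"].items():
        if direction != "in":
            continue
        local = cfg["local"].get(iface, set())
        for e in cfg["acls"].get(acl, []):
            if e["src"].prefixlen == 32 and e["src"].network_address in local:
                suggested = (f"access-list {acl} {e['action']} {e['proto']} "
                             f"{_fmt(e['dst'])} {_fmt(e['src'])}")
                findings.append((e["line"], suggested))
    return findings


if __name__ == "__main__":
    for original, suggested in find_backwards_entries(parse_config(SAMPLE_CONFIG)):
        print("backwards:", original)
        print("suggested:", suggested)
```

The check is a heuristic: it only looks at host entries, since an "any" source legitimately covers the local addresses too, and it treats the interface's own address and static mapped addresses as local because both are what the outside world sees for hosts behind the PIX.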