12-03-2010 05:49 AM - edited 02-21-2020 05:00 PM
Hi guys I could really do with your expert help.
I have been trying to configure a PIX515e running Ver 8.0(4) and ASDM Ver 6.1(5).
So far I have used ASDM to configure the device as I am very new to these devices, and as for the firewall aspect I am happy that the box is doing what it needs to do. However, the problem started when I configured the IPSEC VPN via the wizard.
I have been able to get a client connected and the settings have been drilled in (DNS servers, IP address, etc.), but for some reason the client is not able to connect to the resources inside the protected network, or outside for that matter. I have tried assigning static routes but to no avail.
I have reached a wall in what to do; I have read loads of PDFs and manuals and searched through the forum, but no go as yet.
I have attached the config so if someone could have a look at it for me I would really appreciate it.
If it's any help, I do not want split tunnelling enabled and would really like the client to only access services inside our network; web access will be via an MS ISA server. Also I can see the following being repeated in the log viewer.
3 Dec 03 2010 13:08:02 305005 172.19.130.28 53 No translation group found for udp src outside:172.19.131.100/50599 dst inside:172.19.130.28/53
This looks like the client trying to reach the DNS server.
12-03-2010 06:14 AM
Murray
Try adding this to your config -
access-list natex permit ip 172.19.128.0 255.255.252.0 172.19.131.0 255.255.255.0
nat (inside) 0 access-list natex
Jon
12-03-2010 06:08 AM
Here is the output from a route print from the client
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.19.131.1 172.19.131.100 26
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 172.19.131.1 1
12-03-2010 06:21 AM
Jon
Thank you so much, your answer has resolved my issue.
Just so I understand what has happened can you give some explanation or point me in the direction of documentation that may help?
Many thanks
Murray
12-03-2010 06:26 AM
Murray
No problem, glad to have helped.
The error message was the key. Basically to go from outside to inside through the firewall, which you are doing when you come from the vpn client, you need either -
1) a static translation for the inside network
or
2) turn off NAT
or
3) a nat exemption (which is what we used in this case). The nat exemption simply turns off NAT for the IPs specified in the access-list.
Hope this explains it, if you need further clarification just let me know.
Jon
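To tie the 305005 log line from the original post to the NAT exemption above, here is an added Python check (not from the thread, Cisco or the PIX itself) that parses such log lines and reports which outside-to-inside flows the nat 0 access-list would not cover. The first sample line is the one from the post; the other two lines and the 10.9.8.7 address are constructed.

```python
import ipaddress
import re

# Regex for the 305005 message body as it appears in the thread's log viewer line.
LOG_305005 = re.compile(
    r"305005 .*No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/\d+"
)

# Constructed sample lines: the first is the one from the original post; the other two
# are made up, one covered by the exemption ACL and one (10.9.8.7) outside the VPN pool.
SAMPLE_LOGS = [
    "3 Dec 03 2010 13:08:02 305005 172.19.130.28 53 No translation group found for udp "
    "src outside:172.19.131.100/50599 dst inside:172.19.130.28/53",
    "3 Dec 03 2010 13:09:10 305005 172.19.130.10 445 No translation group found for tcp "
    "src outside:172.19.131.100/51000 dst inside:172.19.130.10/445",
    "3 Dec 03 2010 13:09:12 305005 172.19.130.10 80 No translation group found for tcp "
    "src outside:10.9.8.7/40000 dst inside:172.19.130.10/80",
]

def parse_305005(line):
    """Return the interface/address fields of a 305005 line, or None for other lines."""
    m = LOG_305005.search(line)
    return m.groupdict() if m else None

def nat_exempt_ace(local_net, local_mask, remote_net, remote_mask):
    """One entry of a 'nat (inside) 0 access-list' ACL, from its Cisco network/mask form."""
    return (ipaddress.ip_network(f"{local_net}/{local_mask}"),
            ipaddress.ip_network(f"{remote_net}/{remote_mask}"))

def flow_is_exempt(event, aces):
    """True for an outside->inside flow covered by an entry; nat 0 access-list is
    bidirectional, so the entry's inside side must cover dst and its remote side src."""
    if event["src_if"] != "outside" or event["dst_if"] != "inside":
        return False
    src, dst = ipaddress.ip_address(event["src"]), ipaddress.ip_address(event["dst"])
    return any(dst in local and src in remote for local, remote in aces)

def find_unexempt_flows(lines, aces):
    """(src, dst) pairs from 305005 lines that the exemption ACL does not cover."""
    missing = []
    for line in lines:
        event = parse_305005(line)
        if event and not flow_is_exempt(event, aces):
            missing.append((event["src"], event["dst"]))
    return missing

# The ACL Jon suggested in the thread, expressed as a single exemption entry.
NATEX = [nat_exempt_ace("172.19.128.0", "255.255.252.0", "172.19.131.0", "255.255.255.0")]
```

Running `find_unexempt_flows(SAMPLE_LOGS, NATEX)` leaves only the 10.9.8.7 flow, which is exactly the kind of line that would keep appearing after the fix if a client were handed an address outside the exempted pool.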
12-03-2010 06:34 AM
Jon
I can see where you're coming from, thanks.
Murray