Remote access Help?

Murray Bown
Level 1

Hi guys, I could really do with your expert help.

I have been trying to configure a PIX515e running Ver 8.0(4) and ASDM Ver 6.1(5).

So far I have used ASDM to configure the device as I am very new to these devices, and as for the firewall aspect I am happy that the box is doing what it needs to do. However, the problem started when I configured the IPSEC VPN via the wizard.

I have been able to get a client connected and the settings have been drilled in, DNS servers and IP address etc., but for some reason the client is not able to connect to the resources inside the protected network, or outside for that matter. I have tried assigning static routes but to no avail.

I have reached a wall in what to do. I have read loads of PDFs and manuals and searched through the forum, but no go as yet.

I have attached the config, so if someone could have a look at it for me I would really appreciate it.

If it's any help, I do not want split tunnelling enabled and would really like the client to only access services inside our network; web access will be via an MS ISA server. Also, I can see in the log viewer the following being logged repeatedly:

3 Dec 03 2010 13:08:02 305005 172.19.130.28 53 No translation group found for udp src outside:172.19.131.100/50599 dst inside:172.19.130.28/53

This looks like the client trying to reach the DNS server.


5 Replies

Murray Bown
Level 1

Here is the output from a route print on the client:

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 172.19.131.1 172.19.131.100 26

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Persistent Routes:

Network Address Netmask Gateway Address Metric

0.0.0.0 0.0.0.0 172.19.131.1 1

Jon Marshall
Hall of Fame (Accepted Solution)

Murray

Try adding this to your config -

access-list natex permit ip 172.19.128.0 255.255.252.0 172.19.131.0 255.255.255.0

nat (inside) 0 access-list natex

Jon

Jon

Thank you so much, your answer has resolved my issue.

Just so I understand what has happened can you give some explanation or point me in the direction of documentation that may help?

Many thanks

Murray

Murray

No problem, glad to have helped.

The error message was the key. Basically, to go from outside to inside through the firewall, which you are doing when you come from the VPN client, you need either:

1) a static translation for the inside network

or

2) turn off NAT

or

3) a NAT exemption (which is what we used in this case). The NAT exemption simply turns off NAT for the IPs specified in the access-list.

Hope this explains it, if you need further clarification just let me know.

Jon
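The point Jon makes about the log message can be turned into a quick check. The following is an added example, not code from the thread or from Cisco: it parses PIX/ASA 305005 "No translation group found" lines and tests each flow against a NAT-exemption access-list of the form used above. The subtlety it demonstrates is direction: `nat (inside) 0 access-list natex` evaluates the ACL from the inside interface's point of view (source = inside host, destination = VPN client), whereas the 305005 line for a client-initiated packet shows the flow the other way round (src outside, dst inside), so the checker swaps the addresses before matching. The log lines and the second and third destination hosts (172.19.129.10, 10.0.0.5) are constructed for the example; the first line mirrors the one Murray posted.

```python
"""
Added example (not from the original thread): check PIX/ASA 305005
"No translation group found" log lines against a NAT-exemption ACL,
as applied with "nat (inside) 0 access-list <name>".
"""
import ipaddress
import re

# Constructed sample log lines. The first reproduces the flow from the
# thread; the other two are made up to show a covered and an uncovered host.
SAMPLE_LOGS = """\
Dec 03 2010 13:08:02 305005 No translation group found for udp src outside:172.19.131.100/50599 dst inside:172.19.130.28/53
Dec 03 2010 13:08:05 305005 No translation group found for tcp src outside:172.19.131.100/49201 dst inside:172.19.129.10/445
Dec 03 2010 13:08:09 305005 No translation group found for tcp src outside:172.19.131.100/49202 dst inside:10.0.0.5/80
"""

# Matches the message body of a 305005 event as shown in the ASDM log viewer.
LOG_RE = re.compile(
    r"305005 No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_305005(line):
    """Return a dict describing the flow in a 305005 line, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def acl_entry(src, src_mask, dst, dst_mask):
    """One 'permit ip <src> <mask> <dst> <mask>' line, as (src_net, dst_net)."""
    return (ipaddress.ip_network(f"{src}/{src_mask}"),
            ipaddress.ip_network(f"{dst}/{dst_mask}"))


# Mirrors the accepted answer:
#   access-list natex permit ip 172.19.128.0 255.255.252.0 172.19.131.0 255.255.255.0
NATEX = [acl_entry("172.19.128.0", "255.255.252.0", "172.19.131.0", "255.255.255.0")]


def exempted(flow, acl, nat_if="inside"):
    """True if `flow` would be NAT-exempted by `acl` applied as nat (nat_if) 0.

    The ACL is written with the nat_if-side host as source, so a flow logged
    as src outside -> dst inside is matched with source and destination swapped.
    """
    if flow["dst_if"] == nat_if:
        inside_ip, other_ip = flow["dst"], flow["src"]
    elif flow["src_if"] == nat_if:
        inside_ip, other_ip = flow["src"], flow["dst"]
    else:
        return False  # flow does not touch the interface the exemption is on
    inside_ip = ipaddress.ip_address(inside_ip)
    other_ip = ipaddress.ip_address(other_ip)
    return any(inside_ip in src_net and other_ip in dst_net for src_net, dst_net in acl)


def audit(logtext, acl):
    """Return a list of (src, dst, covered) for every 305005 line in logtext."""
    results = []
    for line in logtext.splitlines():
        flow = parse_305005(line)
        if flow is None:
            continue
        results.append((flow["src"], flow["dst"], exempted(flow, acl)))
    return results


if __name__ == "__main__":
    for src, dst, ok in audit(SAMPLE_LOGS, NATEX):
        state = "covered by natex" if ok else "NOT covered: still needs a translation"
        print(f"{src} -> {dst}: {state}")
```

Run it after adding the exemption and any flow still reported as not covered points at a destination the access-list does not include, which is exactly the case where the firewall will keep logging 305005.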

Jon

I can see where you're coming from, thanks.

Murray