cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
614
Views
0
Helpful
1
Replies
ada.chan
Beginner

Remote Access VPN on PIX506E

I have a simple Remote Access VPN setup on a PIX506E.Cisco Secure VPN Client can establish an IPSec tunnel VPN tunnel on the outside interface of the PIX and obtain IP Address from the vpn address pool.

The Remote VPN client is unable to access any resources on the inside nor

outside network. ie cannot ping, www,telnet or ftp etc to any hosts on the

inside network. This appears to be a static route issue or access control

list problem. Could anyone shed any light ?

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxx

passwd xxxxx

hostname pixfirewall

domain-name xxxx.com

clock timezone EST 10

clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list outside_access_in permit ip host 195.x.x.100 host 202.44.187.3

access-list outside_access_in permit ip 80.177.138.0 255.255.255.0 host

202.44.187.3

access-list outside_access_in permit ip 194.23.55.0 255.255.255.0 host

202.44.187.3

access-list outside_access_in permit ip host 203.41.143.148 any

access-list outside_access_in permit tcp any host 202.44.187.3 eq https

access-list outside_access_in permit tcp any host 202.44.187.3 eq www

access-list outside_access_in permit ip 199.0.0.0 255.0.0.0 any

pager lines 24

logging timestamp

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 202.x.x.x.x.255.248

ip address inside 193.0.0.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool xxxxvpnpool 199.0.0.1-199.0.0.200

pdm history enable

arp timeout 14400

global (outside) 1 202.44.187.2

nat (inside) 1 193.0.0.0 255.0.0.0 0 0

nat (inside) 1 199.0.0.0 255.0.0.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 202.x.x.x.0.0.101 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 202.44.187.5 1

route outside 80.177.x.x.x.x.0 202.44.187.5 1

route outside 194.23.x.x.x.255.0 202.44.187.5 1

route outside 195.38.xx.x.x.255 202.44.187.5 1

route outside 199.0.0.x.x.x.x.44.187.5 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225

1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

ntp server 128.250.36.2 source outside prefer

http server enable

http 193.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup abcsvpn address-pool xxxxvpnpool

vpngroup abcsvpn dns-server 202.44.170.21

vpngroup abcsvpn default-domain

vpngroup abcsvpn idle-time 1800

vpngroup abcsvpn password xxxxx

ssh timeout 5

console timeout 0

dhcpd address 193.0.0.230-193.0.0.240 inside

dhcpd dns 202.44.x.x.x.170.22

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

1 REPLY 1
sunilyk
Beginner

Hi,

You need to put an access-list.

access-list 101 permit ip (inside IP address range) (Ip local pool).

Similarly do a nonat for this access-list

e.g nat (inside) 0 access-list 101

Regards,

Sunil

Create
Recognize Your Peers
Content for Community-Ad