Successfully vpn, but can't hit servers. Can't ping from internal either

joneschw1
Level 1

Hi all, I have a PIX501 running 6.3.4. I have 3 problems:

1. I successfully establish a vpn, but I am unable to hit any of my internal resources (exchange, file server)

2. When I am physically on the internal (no vpn), I cannot ping outside addresses

3. I cannot telnet from the internal to the firewall. I can only configure via terminal

--- Here is the relevant config as I see it.

hostname My-PIX501
domain-name mydomain.local
access-list outside_in deny ip 0.0.0.0 255.0.0.0 any
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in deny ip 224.0.0.0 224.0.0.0 any
access-list outside_in permit tcp any host smallbiz eq https
access-list outside_in permit tcp any host smallbiz eq smtp
access-list outside_in permit tcp any host smallbiz eq pop3
access-list outside_in deny ip any any
access-list ping-acl permit icmp any any
access-list 101 permit ip 192.168.21.0 255.255.255.0 192.168.34.0 255.255.255.0
ip address outside 131.42.23.82 255.255.255.240
ip address inside 192.168.21.1 255.255.255.0
ip local pool pptp-vpdn 192.168.34.1-192.168.34.30
global (outside) 1 131.42.23.85-131.42.23.92
global (outside) 1 131.42.23.93
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 131.42.23.83 smallbiz netmask 255.255.255.255 0 0
static (inside,outside) 131.42.23.84 blackberry netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 131.42.23.81 1
telnet timeout 5
ssh timeout 5
console timeout 15
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration dns smallbiz
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username user1 password **********
vpdn username user2 password *********
vpdn enable outside

4 Replies

ddawson
Level 1

1. You should have the command "sysopt connection permit-pptp" in your config. If you don't include that command you have to explicitly permit the traffic from VPN users through the PIX.

2. The PIX doesn't track the state of pings, so it doesn't allow them by default. You need to permit the ping replies in your access-list with something like this:

access-list outside_in permit icmp any any echo-reply

3. The PIX doesn't allow telnet connections by default. To enable them you need a command similar to this (which will allow all hosts on the inside subnet to telnet to the PIX):

telnet 192.168.21.0 255.255.255.0 inside

I hope this helps.
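The three points above are all things you can check for mechanically before loading a config. The following is an added example (not from this thread or from Cisco) of a small Python audit script that reads a PIX 6.3-style config and reports whether the three commands ddawson names are missing, then shows the corrected text with them added. The sample config is constructed from the lines in the original post; the script assumes the outside ACL is the one bound with "access-group ... in interface outside" and that the new echo-reply entry must sit before the ACL's final "deny ip any any".

```python
import re
from ipaddress import IPv4Network

# Constructed sample: the relevant lines from the post, without the three
# commands ddawson says are missing (sysopt, echo-reply entry, telnet inside).
SAMPLE_CONFIG = """\
hostname My-PIX501
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in permit tcp any host smallbiz eq https
access-list outside_in deny ip any any
access-list ping-acl permit icmp any any
access-list 101 permit ip 192.168.21.0 255.255.255.0 192.168.34.0 255.255.255.0
ip address inside 192.168.21.1 255.255.255.0
ip local pool pptp-vpdn 192.168.34.1-192.168.34.30
nat (inside) 0 access-list 101
access-group outside_in in interface outside
telnet timeout 5
vpdn enable outside
"""


def _lines(text):
    return [l.strip() for l in text.splitlines() if l.strip()]


def _bound_outside_acl(lines):
    """Name of the ACL applied inbound on the outside interface, or None."""
    for l in lines:
        m = re.match(r"access-group (\S+) in interface outside$", l)
        if m:
            return m.group(1)
    return None


def _inside_subnet(lines):
    for l in lines:
        m = re.match(r"ip address inside (\S+) (\S+)$", l)
        if m:
            return IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return None


def audit_pix_config(text):
    """Return {finding: message} for each of the three issues still present."""
    lines = _lines(text)
    findings = {}

    # 1. Without this sysopt, PPTP client traffic is subject to the outside ACL.
    if "sysopt connection permit-pptp" not in lines:
        findings["pptp"] = "missing 'sysopt connection permit-pptp'"

    # 2. Only the ACL bound on outside matters; 'ping-acl' above is never applied.
    acl = _bound_outside_acl(lines)
    entries = [l for l in lines if l.startswith(f"access-list {acl} ")] if acl else []
    if not any(re.search(r"permit icmp .*echo-reply$", l) for l in entries):
        findings["icmp"] = f"ACL {acl!r} has no 'permit icmp any any echo-reply'"

    # 3. Telnet to the PIX needs an explicit 'telnet <net> <mask> inside' covering the LAN.
    inside = _inside_subnet(lines)
    allowed = False
    for l in lines:
        m = re.match(r"telnet (\S+) (\S+) inside$", l)
        if m and inside is not None:
            net = IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            allowed = allowed or inside.subnet_of(net)
    if not allowed:
        findings["telnet"] = "no 'telnet <net> <mask> inside' covering the inside subnet"
    return findings


def apply_fixes(text, findings):
    """Return the config text with the missing commands inserted."""
    out = _lines(text)
    acl = _bound_outside_acl(out)
    inside = _inside_subnet(out)
    if "icmp" in findings and acl:
        # Entries are evaluated in order, so the permit must precede the final deny.
        deny = f"access-list {acl} deny ip any any"
        idx = out.index(deny) if deny in out else len(out)
        out.insert(idx, f"access-list {acl} permit icmp any any echo-reply")
    if "telnet" in findings and inside is not None:
        out.append(f"telnet {inside.network_address} {inside.netmask} inside")
    if "pptp" in findings:
        out.append("sysopt connection permit-pptp")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = audit_pix_config(SAMPLE_CONFIG)
    for name, msg in found.items():
        print(f"{name}: {msg}")
    print(apply_fixes(SAMPLE_CONFIG, found))
```

The audit looks only at the ACL actually bound to the outside interface, which is why the unused "ping-acl" in the original config does not satisfy the echo-reply check.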

Thanks DDawson. This fixed my issue.

scoclayton
Level 7

All points in the other post are good...I just wanted to throw a few more thoughts in.

1. Make sure 192.168.34.1-.30 is routed back to 192.168.21.1 on your internal LAN. This is usually only a problem when the PIX is not your default gateway (i.e. you have another device on your network acting as the default gateway).

2. I read this question as you are unable to ping 131.42.23.82 from the inside LAN. If you are trying to ping external addresses on the Internet from the PIX, then the other post is dead on. If you are referring to not being able to ping the PIX outside address, the behavior you are seeing is expected. Packets are not passed by the PIX unless they have a different ingress and egress interface. The PIX will not allow you to ping interfaces on the PIX unless you are directly attached to that interface.

Hope this helps.

Scott
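Scott's first point, the return route for the VPN pool, is the one that is easy to overlook because nothing in the PIX config itself is wrong. As an added example (not from this thread), here is a Python check that does a longest-prefix lookup of every pool address against a constructed internal router's routing table and lists the addresses whose replies would not be sent back to the PIX inside address 192.168.21.1. The routing table, the alternative gateway 192.168.21.254 and the /27 return route are all assumptions made up for the example.

```python
from ipaddress import IPv4Address, IPv4Network

# From the post: PIX inside address and the PPTP pool.
PIX_INSIDE = "192.168.21.1"
POOL = (IPv4Address("192.168.34.1"), IPv4Address("192.168.34.30"))

# Constructed: an internal router that is the servers' default gateway and
# forwards unknown destinations to another device, not to the PIX.
LAN_ROUTES_BEFORE = [
    ("192.168.21.0/24", None),          # directly connected LAN
    ("0.0.0.0/0", "192.168.21.254"),    # default gateway is not the PIX
]
# The same table after adding the return route Scott describes.
LAN_ROUTES_AFTER = LAN_ROUTES_BEFORE + [("192.168.34.0/27", PIX_INSIDE)]


def lookup(routes, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = IPv4Network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def pool_addresses(pool):
    lo, hi = pool
    return [IPv4Address(i) for i in range(int(lo), int(hi) + 1)]


def misrouted_pool_addresses(routes, pool, pix_inside=PIX_INSIDE):
    """Pool addresses whose return traffic would not go back to the PIX."""
    return [str(a) for a in pool_addresses(pool) if lookup(routes, a) != pix_inside]


if __name__ == "__main__":
    print("before:", misrouted_pool_addresses(LAN_ROUTES_BEFORE, POOL))
    print("after: ", misrouted_pool_addresses(LAN_ROUTES_AFTER, POOL))
```

If the check reports addresses before the route is added and none afterwards, the VPN clients can be reached from the LAN side; if the PIX is already the default gateway, the table's default route points at 192.168.21.1 and the check passes without the /27 entry.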

I had a similar problem with a 501 VPN connection. I could VPN into the 501 and get an address off of the local network, but couldn't see the servers. It ended up being the nat isakmp nat-traversal that needed to be enabled. Try that and see if it helps your problem.