VPN Can Connect, Cannot Ping - HELP!

bean · ‎07-09-2003

We have a PIX 515E UR firewall in place on our network. We're trying to configure the VPN feature. I can connect to the PIX fine using the 3.6.4 VPN client, but once I'm connected, I cannot ping anything except for the (PIX) VPN endpoint address. The VPN client software is showing the following routes and it appears that all packets are being encrypted properly. I assume this is a NAT and or routing problem, but I don't know how to fix it.

The VPN client is assigned a 10.0.254.x address. I want that client to be able to access machines on the 10.0.0.x 255.255.255.240 network.

VPN Client Routes:

10.0.0.0 255.255.255.240

x.x.x.x 255.255.255.255

PIX configuration:

PIX Version 6.3(1)

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 ATI security90

nameif ethernet3 intf3 security15

nameif ethernet4 intf4 security20

nameif ethernet5 intf5 security25

hostname aus-pix515-1

domain-name xxxx.com

clock timezone CDT -6

clock summer-time CDT recurring

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list WCT permit tcp any host x.x.x.x eq smtp

access-list WCT permit tcp any host x.x.x.x eq pop3

access-list WCT permit tcp any host x.x.x.x eq https

access-list WCT permit tcp any host x.x.x.x eq www

access-list WCT permit tcp any host x.x.x.x eq https

access-list WCT permit gre any host x.x.x.x

access-list WCT permit tcp any host x.x.x.x eq pptp

access-list WCT permit icmp any any

access-list WCT permit tcp any host x.x.x.x eq 3389

access-list WCT permit udp host 10.1.1.1 host x.x.x.x eq 2055

access-list WCT permit udp host 10.1.1.2 host x.x.x.x eq 2055

access-list WCT permit tcp any host x.x.x.x eq https

access-list 100 permit ip 10.0.0.0 255.255.255.240 10.0.254.0 255.255.255.128

pager lines 24

logging trap debugging

mtu outside 1500

mtu inside 1500

mtu ATI 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside x.x.x.x 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

ip address ATI 10.0.0.1 255.255.255.240 no ip address intf3

no ip address intf4

no ip address intf5

ip audit info action alarm

ip audit attack action alarm

ip local pool ATI_VPN 10.0.254.1-10.0.254.126

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address ATI

no failover ip address intf3

no failover ip address intf5

pdm history enable

arp timeout 14400

global (outside) 1 x.x.x.x

nat (inside) 0 access-list 100

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

static (inside,outside) x.x.x.x 192.168.1.10 netmask 255.255.255.255 0 0

static (inside,outside) x.x.x.x 192.168.1.3 netmask 255.255.255.255 0 0

static (ATI,outside) x.x.x.x 10.0.0.2 netmask 255.255.255.255 0 0

static (ATI,outside) x.x.x.x 10.0.0.3 netmask 255.255.255.255 0 0

static (ATI,outside) x.x.x.x 10.0.0.4 netmask 255.255.255.255 0 0

access-group WCT in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication enable console LOCAL

aaa authentication telnet console LOCAL

no snmp-server location

snmp-server community qawsedrftg

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup ATI1 address-pool ATI_VPN

vpngroup ATI1 dns-server x.x.x.x

vpngroup ATI1 default-domain secureach.com

vpngroup ATI1 split-tunnel 100

vpngroup ATI1 idle-time 1800

vpngroup ATI1 password ********

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.100-192.168.1.200 inside

dhcpd dns x.x.x.x

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain xxxxx.com

dhcpd enable inside

username xxxx password xxxx encrypted privilege 15

mostiguy · ‎07-09-2003

Your nat 0 statement is wrong - you want to add the inside netblock to it so that reply traffic from the inside segment does not get natted to vpn users.

adding:

access-list 100 permit ip 192.168.1.0 255.255.255.0 10.0.254.0 255.255.255.128

should do the trick.

bean · ‎07-09-2003

No, I don't want VPN access to the inside interface (192.168.1.x). I want VPN access to the ATI interface (10.0.0.0/28). I already have the following in there:

access-list 100 permit ip 10.0.0.0 255.255.255.240 10.0.254.0 255.255.255.128

Jordan