06-09-2003 04:54 AM - edited 02-21-2020 12:35 PM
Hi,
I have a PIX 515 which is connected to a branch office PIX, and the PIX-to-PIX VPN is working fine without any errors or issues.
I am now configuring a Client 3.5 VPN to get connected to access the LAN.
The client can log into the PIX and get an IP address from the local IP pool.
But the client is NOT ABLE TO PING any IP address on the LAN.
Any clues where I could be wrong?
sh conf
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password ***
passwd *** encrypted
hostname moti-firewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 110 permit ip 128.0.2.0 255.255.255.0 129.0.2.0 255.255.255.0
access-list 110 permit ip 128.0.2.0 255.255.255.0 130.0.2.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside X.X.X.178 255.255.255.240
ip address inside 128.0.2.100 255.255.0.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool 130.0.2.1-130.0.2.50
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 X.X.X.179
nat (inside) 0 access-list 110
nat (inside) 1 128.0.2.0 255.255.255.0 0 0
nat (inside) 1 128.0.0.0 255.255.0.0 0 0
nat (inside) 1 128.0.0.0 255.0.0.0 0 0
static (inside,outside) X.X.X.180 128.0.2.5 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host X.X.X.180 eq smtp any
conduit permit tcp host X.X.X.180 eq domain any
conduit permit tcp host X.X.X.180 eq www any
route outside 0.0.0.0 0.0.0.0 X.X.X.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 110
crypto map transam 1 set peer Y.Y.Y.106
crypto map transam 1 set transform-set myset
crypto map transam 20 ipsec-isakmp dynamic dynmap
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address Y.Y.Y.106 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup motiuae address-pool mypool
vpngroup motiuae dns-server 128.0.2.7
vpngroup motiuae wins-server 128.0.2.7
vpngroup motiuae idle-time 1800
vpngroup motiuae password ********
telnet 128.0.0.0 255.255.0.0 inside
telnet 128.0.0.0 255.255.0.0 dmz
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:18ae397f9b63fb97f3dad62897604ee4
moti-firewall#
Thanks in advance.
Tauseef
06-09-2003 07:53 PM
You've told the PIX that the traffic to encrypt and send over the L2L tunnel matches access-list 110. ACL 110 has traffic from your local subnet going to the VPN pool of addresses for the clients (2nd line). When a client connects and pings, their ping packet will reach the internal host and be replied to. When the reply hits the PIX, it'll go through the crypto map entries starting from the top down. The first crypto map section is the L2L tunnel (transam 1) which tells the PIX to send this traffic over it, therefore the reply gets sent over the L2L tunnel rather than sent back to the client.
You need to separate your L2L ACL and your NAT 0 ACL, so do this:
> access-list 100 permit ip 128.0.2.0 255.255.255.0 129.0.2.0 255.255.255.0
> crypto map transam 1 match address 100
This will leave your nat 0 ACL intact, but change your L2L crypto map ACL to only specify the L2L traffic, rather than the client traffic also.
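The evaluation order described in the reply above, as an added example that is not part of the original thread: a small Python model that parses the posted access-lists and shows which crypto map entry a LAN host's ping reply to a VPN client would match before and after the suggested change. The client pool prefix and the rule used for the dynamic entry (it has no ACL, so the model treats it as matching traffic to the pool) are assumptions of the model, not PIX behaviour quoted from the page.

```python
# Toy model of PIX crypto-map selection for the two configs in this thread.
# Added example (not from the post or from Cisco). It models only the point
# made above: outbound traffic is checked against crypto map entries in
# sequence order and the first entry whose 'match address' ACL permits it
# wins. The dynamic entry (transam 20) has no ACL; here it is assumed to match
# traffic to the client pool, standing in for the identity negotiated with
# the VPN client.
import ipaddress

# access-list lines copied from the thread (addresses as posted)
ACL_LINES = """
access-list 110 permit ip 128.0.2.0 255.255.255.0 129.0.2.0 255.255.255.0
access-list 110 permit ip 128.0.2.0 255.255.255.0 130.0.2.0 255.255.255.0
access-list 100 permit ip 128.0.2.0 255.255.255.0 129.0.2.0 255.255.255.0
"""
CLIENT_POOL = ipaddress.ip_network("130.0.2.0/24")  # covers 'ip local pool mypool'

def parse_acls(text):
    """Return {acl_id: [(src_net, dst_net), ...]} for 'permit ip' lines."""
    acls = {}
    for line in text.strip().splitlines():
        f = line.split()
        if f[:1] != ["access-list"] or f[2:4] != ["permit", "ip"]:
            continue  # only the simple form used on this page
        src = ipaddress.ip_network(f"{f[4]}/{f[5]}", strict=False)
        dst = ipaddress.ip_network(f"{f[6]}/{f[7]}", strict=False)
        acls.setdefault(f[1], []).append((src, dst))
    return acls

def acl_permits(acls, acl_id, src, dst):
    return any(src in s and dst in d for s, d in acls.get(acl_id, []))

def select_crypto_entry(crypto_map, acls, src, dst):
    """crypto_map: [(seq, label, acl_id or None for a dynamic entry)].
    Entries are tried in ascending sequence order; returns the first match,
    or None when the packet would leave the outside interface unencrypted."""
    for _seq, label, acl_id in sorted(crypto_map):
        if acl_id is None:
            if dst in CLIENT_POOL:  # assumption: dynamic entry = client traffic
                return label
        elif acl_permits(acls, acl_id, src, dst):
            return label
    return None

def reply_path(l2l_acl):
    """Where a ping reply from LAN host 128.0.2.5 to client 130.0.2.10 goes."""
    crypto_map = [(1, "transam 1 (L2L)", l2l_acl), (20, "transam 20 (dynamic)", None)]
    src, dst = ipaddress.ip_address("128.0.2.5"), ipaddress.ip_address("130.0.2.10")
    return select_crypto_entry(crypto_map, parse_acls(ACL_LINES), src, dst)

if __name__ == "__main__":
    print("match address 110:", reply_path("110"))  # L2L tunnel swallows the reply
    print("match address 100:", reply_path("100"))  # reply reaches the client
```

Running it prints the L2L entry for the original `match address 110` and the dynamic entry for `match address 100`; traffic to the branch subnet 129.0.2.0/24 selects the L2L entry in both cases.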
06-10-2003 03:34 AM
Hi,
Thanks for the input, but alas it's ending up with the same result.
The VPN Client 3.5 gets authenticated and gets an IP address, but does not ping any workstation/server within the LAN.
The updated config is as follows:
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password ***
passwd *** encrypted
hostname moti-firewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 110 permit ip 128.0.2.0 255.255.255.0 129.0.2.0 255.255.255.0
access-list 110 permit ip 128.0.2.0 255.255.255.0 130.0.2.0 255.255.255.0
access-list 100 permit ip 128.0.2.0 255.255.255.0 129.0.2.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside X.X.X.178 255.255.255.240
ip address inside 128.0.2.100 255.255.0.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool 130.0.2.1-130.0.2.50
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 X.X.X.179
nat (inside) 0 access-list 110
nat (inside) 1 128.0.2.0 255.255.255.0 0 0
nat (inside) 1 128.0.0.0 255.255.0.0 0 0
nat (inside) 1 128.0.0.0 255.0.0.0 0 0
static (inside,outside) X.X.X.180 128.0.2.5 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host X.X.X.180 eq smtp any
conduit permit tcp host X.X.X.180 eq domain any
conduit permit tcp host X.X.X.180 eq www any
route outside 0.0.0.0 0.0.0.0 X.X.X.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 100
crypto map transam 1 set peer Y.Y.Y.106
crypto map transam 1 set transform-set myset
crypto map transam 20 ipsec-isakmp dynamic dynmap
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address Y.Y.Y.106 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup motiuae address-pool mypool
vpngroup motiuae dns-server 128.0.2.7
vpngroup motiuae wins-server 128.0.2.7
vpngroup motiuae idle-time 1800
vpngroup motiuae password ********
telnet 128.0.0.0 255.255.0.0 inside
telnet 128.0.0.0 255.255.0.0 dmz
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:18ae397f9b63fb97f3dad62897604ee4
Any more inputs that could just fix up the missing link?
Thanks!
Tauseef