VPN Client 3.6.2A to PIX 501 - cannot ping inside interface or access PDM

stakano
Level 1

I have built my tunnel and I can even ping a host on the inside.

36: Outbound ICMP echo reply (len 32 id 2 seq 7425) 192.168.3.100 > 192.168.3.100 > 192.168.12.1
37: Inbound ICMP echo request (len 32 id 2 seq 7681) 192.168.12.1 > 192.168.3.100 > 192.168.3.100
38: Outbound ICMP echo reply (len 32 id 2 seq 7681) 192.168.3.100 > 192.168.3.100 > 192.168.12.1
39: Inbound ICMP echo request (len 32 id 2 seq 7937) 192.168.12.1 > 192.168.3.100 > 192.168.3.100
40: Outbound ICMP echo reply (len 32 id 2 seq 7937) 192.168.3.100 > 192.168.3.100 > 192.168.12.1
41: Inbound ICMP echo request (len 32 id 2 seq 8193) 192.168.12.1 > 192.168.3.100 > 192.168.3.100
42: Outbound ICMP echo reply (len 32 id 2 seq 8193) 192.168.3.100 > 192.168.3.100 > 192.168.12.1

Problem is that I cannot access the PDM or even ping the inside interface.

Here is my current config.

Any ideas? Thanks!

---------------------------------------

PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any
access-list 100 permit tcp any host x.x.x.x eq ftp
access-list localtovpnclient permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list nonatinside permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
pager lines 24
logging on
logging trap debugging
logging history debugging
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.224
ip address inside 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclientpool 192.168.12.1-192.168.12.99
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
nat (inside) 0 access-list nonatinside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x 192.168.3.100 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
service resetinbound
crypto ipsec transform-set mytransform esp-des esp-md5-hmac
crypto dynamic-map mydynmap 10 set transform-set mytransform
crypto map mymap 100 ipsec-isakmp dynamic mydynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool vpnclientpool
vpngroup vpn3000 dns-server 142.77.2.36
vpngroup vpn3000 split-tunnel localtovpnclient
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.3.100 255.255.255.255 inside
telnet timeout 5
terminal width 80
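The `debug icmp trace` lines in the post are the evidence that the tunnel itself works: every inbound echo request from the VPN pool address gets an outbound reply with the same id and seq. The following is an added example, not code from the thread or from Cisco: it parses that trace format, pairs requests with replies, and reports destinations that were probed but never answered. Lines 36 to 42 of the sample are copied from the post; line 43 is constructed to show an unanswered probe to the inside interface 192.168.3.1, and the field order "src > translated address > dst" is an assumption read off those lines.

```python
import re
# Lines 36-42 are copied from the thread; line 43 is constructed here: an echo
# request aimed at the PIX inside interface (192.168.3.1) that gets no reply.
SAMPLE_TRACE = """\
36: Outbound ICMP echo reply (len 32 id 2 seq 7425) 192.168.3.100 > 192.168.3.100 > 192.168.12.1
37: Inbound ICMP echo request (len 32 id 2 seq 7681) 192.168.12.1 > 192.168.3.100 > 192.168.3.100
38: Outbound ICMP echo reply (len 32 id 2 seq 7681) 192.168.3.100 > 192.168.3.100 > 192.168.12.1
39: Inbound ICMP echo request (len 32 id 2 seq 7937) 192.168.12.1 > 192.168.3.100 > 192.168.3.100
40: Outbound ICMP echo reply (len 32 id 2 seq 7937) 192.168.3.100 > 192.168.3.100 > 192.168.12.1
41: Inbound ICMP echo request (len 32 id 2 seq 8193) 192.168.12.1 > 192.168.3.100 > 192.168.3.100
42: Outbound ICMP echo reply (len 32 id 2 seq 8193) 192.168.3.100 > 192.168.3.100 > 192.168.12.1
43: Inbound ICMP echo request (len 32 id 2 seq 8449) 192.168.12.1 > 192.168.3.1 > 192.168.3.1
"""
# Field order "src > translated address > dst" is assumed from the lines above;
# with nat 0 in effect the middle address just repeats one of the other two.
LINE_RE = re.compile(
    r"^(?P<n>\d+): (?P<dir>Inbound|Outbound) ICMP echo (?P<kind>request|reply) "
    r"\(len (?P<len>\d+) id (?P<id>\d+) seq (?P<seq>\d+)\) "
    r"(?P<src>[\d.]+) > (?P<xlate>[\d.]+) > (?P<dst>[\d.]+)$"
)
def parse_trace(text):
    """One dict per recognised 'debug icmp trace' line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            for k in ("n", "len", "id", "seq"):
                rec[k] = int(rec[k])
            records.append(rec)
    return records
def pair_echoes(records):
    """Match each echo request with the reply carrying the same (id, seq); returns
    (answered, unanswered, orphan_replies), an orphan being a reply whose request
    fell outside the captured window, like line 36 above."""
    pending, answered, orphans = {}, [], []
    for r in records:
        key = (r["id"], r["seq"])
        if r["kind"] == "request":
            pending[key] = r
        elif key in pending:
            answered.append((pending.pop(key), r))
        else:
            orphans.append(r)
    return answered, list(pending.values()), orphans
def targets_without_reply(text):
    """Sorted destinations that were probed through the tunnel but never answered."""
    _, unanswered, _ = pair_echoes(parse_trace(text))
    return sorted({r["dst"] for r in unanswered})
```

Run against a real capture, the unanswered list separates "the tunnel is down" (nothing answers) from "only the PIX interface address does not answer", which is exactly the distinction the replies below rely on.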


andre.frost
Level 1

Hi

You can find in every PIX document that you can never ping the opposite interface of the PIX, but all other hosts in the net, if allowed.

I should be able to access the PDM if I'm tunnelled in, right?

No, you cannot reach the inside interface directly if you are coming from the Internet.

Regards,
