VPN client behind a pix not passing traffic

jfogg
Level 1

I am trying to get the Cisco VPN client (WinXP) to connect to a PIX, but the client is also behind a PIX and it's not passing traffic (connects OK). The diagram goes like this...

vpnclient-->pix_1-->internet--pix_2-->target_network

Everything looks good in the stats and I authenticate, but no traffic is passed. The virtual interface on the client PC shows up and the route tables look good. I recall there is something I need to do in PIX_1 to allow this to happen but I don't remember what it would be. PIX_2 is configured OK and accepts VPN connections for others just fine.

Additional info: PIX_1 is a 506E, PIX_2 is a 515. PIX_1 is in a SOHO DSL environment and has only one outside IP address. PIX_2 is in a corporate environment. For various reasons it is not desirable to set up a PIX-PIX VPN.

Has anyone dealt with this before?

3 Replies

mike-greene
Level 4

Hi,

Can you post your PIX configs? Did you allow ESP traffic from the outside coming in on PIX_1?

I haven't done anything to allow ESP inbound on PIX_1. I'll check CCO and see how to allow it. Here is the PIX_1 config (shortened). The IPsec config is to allow me to connect from outside and hopefully isn't going to affect what I am trying to do.

access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq ssh
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq www
access-list inside_outbound_nat0_acl permit ip 192.168.99.0 255.255.255.0 192.168.99.192 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.99.192 255.255.255.224
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.99.1 255.255.255.0
ip local pool anse 192.168.99.201-192.168.99.211
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ssh 192.168.99.11 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp mailhost smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.99.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.99.11 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server radius (inside) host 192.168.99.3 (password) timeout 10
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication radius
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup homeboy address-pool anse
vpngroup homeboy dns-server 192.168.99.3
vpngroup homeboy wins-server 192.168.99.3
vpngroup homeboy default-domain kendall.local
vpngroup homeboy idle-time 1800
vpngroup homeboy password ********
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname (name)
vpdn group pppoe_group ppp authentication pap
vpdn username jandlfogg password *********

Hi,

Try this...

access-list outside_access_in permit esp any interface outside
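The symptom in this thread (IKE completes and the client authenticates, but no traffic flows) is the classic one for a VPN client behind interface PAT. IKE runs over UDP/500, which PAT can translate, but ESP is IP protocol 50 and carries no port numbers, so PIX_1 has no xlate to match the returning ESP packets against, and permitting ESP in the outside ACL does not create one. The fragment below is an added example, not configuration posted by either participant: it enables NAT-Traversal on the headend PIX_2 so the client wraps ESP in UDP/4500, which PAT on PIX_1 handles like any other UDP flow, followed by the checks to run on both PIXes. It assumes both PIXes run PIX OS 6.3 or later and a Cisco VPN client release that supports NAT-T (3.6 or later); lines beginning with ! are annotations.

```cisco
! --- PIX_2 (headend, 515): let the VPN client negotiate NAT-Traversal ---
! ISAKMP is already enabled on PIX_2's outside interface, since it accepts
! clients today. NAT-T is negotiated during IKE phase 1; once the client
! detects the PAT on PIX_1 it sends ESP inside UDP/4500 instead of native
! protocol 50. The 20 is the NAT keepalive interval in seconds (the default).
isakmp nat-traversal 20

! --- PIX_2: verify after the client connects ---
! Phase 1 SA should be up with PIX_1's outside (PPPoE) address as the peer.
show isakmp sa
! In the phase 2 output the "#pkts encaps"/"#pkts decaps" counters for the
! client's SA should both climb while the client generates traffic.
! Climbing encaps but a flat decaps means client-to-headend ESP is not
! arriving at PIX_2, i.e. it is still being dropped on the client side.
show crypto ipsec sa

! --- PIX_1 (client side, 506E): no configuration change is needed ---
! Both UDP/500 and UDP/4500 are initiated outbound by the client, so the
! return traffic is admitted by the existing connection, not by the outside
! ACL. Confirm the PAT entries exist for the client PC's UDP/500 and UDP/4500
! flows to PIX_2's outside address:
show xlate
show conn

! --- Alternative that does NOT fit this PIX_1 ---
! PIX 6.3 can PAT a single native-ESP client with
!   fixup protocol esp-ike
! but that command is refused while ISAKMP is enabled on any interface, and
! PIX_1 above has "isakmp enable outside" for its own dial-in users.
```

Two checks worth making on PIX_1 while testing. First, the 20-second NAT keepalive is well inside PIX_1's `timeout conn ... udp 0:02:00`, so the UDP/4500 PAT entry survives idle periods; if that UDP timeout were ever shortened below the keepalive interval the tunnel would drop on the first quiet stretch. Second, PIX_1 runs PPPoE with `mtu outside 1500`, which leaves no room for the PPPoE header, and IPsec adds its own encapsulation overhead on top; an authenticated tunnel that passes pings but stalls on anything larger is the usual sign of that, and the fix is to lower the outside MTU to the PPPoE value (1492) rather than anything in the crypto configuration.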