Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

An oddity I cannot figure out

Status
Not open for further replies.
jgassner2

jgassner2

Technical User
Sep 19, 2003
26
0
0
US
Hi everyone,
I have a slight problem on my hands. Earlier I posted on how to get a client to pix vpn connection and I would like to thank the guys that help me get the connection. Now I have something else that I can't figure out. Let me describe the situation. Our company basically manages other people's networks and we need to be able to connect remotely to the customer's site to manage the devices(makes life easier). Anyway, I got the client to connect to the pix but, the client cannot get anywhere in the network (ie. ping, telnet, pdm). I don't see anything wrong in the configuration but then again I am only 20 and just starting out. If you get a chance could you tell me if I am missing something. Here is the most recent config (with changes for securtity reasons, don't want to lose my job). Sorry if there are errors with the changes, I tried to catch most of them. Thanks.

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************* encrypted
passwd *********** encrypted
hostname pix
domain-name anydomain.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any host 192.168.1.8
access-list inside_outbound_nat0_acl permit ip any host 192.168.1.9
access-list outsidedecryptoacl permit ip any host 192.168.1.8
access-list outsidedecryptoacl permit ip any host 192.168.1.9
access-list outsidedecryptoacl permit ip any 192.168.1.240 255.255.255.240
access-list 20 permit ip 172.16.16.16 255.255.255.240 192.168.1.8 255.255.255.254
access-list 20 permit ip 172.16.32.64 255.255.255.240 192.168.1.8 255.255.255.254
pager lines 24
logging on
logging timestamp
logging buffered debugging
icmp permit 172.16.16.16 255.255.255.240 outside
icmp permit host 172.16.16.20 outside
icmp permit host 172.16.32.75 outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 172.16.42.138 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Ignite 192.168.1.240-192.168.1.254
pdm location 172.16.16.16 255.255.255.240 outside
pdm location 192.168.1.8 255.255.255.255 inside
pdm location 192.168.1.9 255.255.255.255 inside
pdm location 192.168.1.10 255.255.255.255 inside
pdm location 192.168.1.11 255.255.255.255 inside
pdm location 192.168.1.12 255.255.255.255 inside
pdm location 192.168.1.13 255.255.255.255 inside
pdm location 172.16.32.64 255.255.255.240 outside
pdm location 172.16.32.75 255.255.255.255 outside
pdm location 172.16.16.20 255.255.255.255 outside
pdm location 192.168.1.8 255.255.255.255 outside
pdm location 192.168.1.9 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.16.42.137 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.16.20 255.255.255.255 outside
http 172.16.32.75 255.255.255.255 outside
http 192.168.1.8 255.255.255.255 inside
http 192.168.1.9 255.255.255.255 inside
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outsidedynomap 10 match address outsidedecryptoacl
crypto dynamic-map outsidedynomap 10 set transform-set ESP-DES-MD5
crypto map outsidemap 65535 ipsec-isakmp dynamic outsidedynomap
crypto map outsidemap client authentication LOCAL
crypto map outsidemap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup (our group) address-pool Ignite
vpngroup (our group) split-tunnel 20
vpngroup (our group) idle-time 1800
vpngroup (our group) password (our password)
telnet 172.16.16.16 255.255.255.240 outside
telnet 172.16.32.64 255.255.255.240 outside
telnet 192.168.1.8 255.255.255.255 inside
telnet 192.168.1.9 255.255.255.255 inside
telnet 192.168.1.10 255.255.255.255 inside
telnet 192.168.1.11 255.255.255.255 inside
telnet 192.168.1.12 255.255.255.255 inside
telnet 192.168.1.13 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 10
vpdn group 2 accept dialin l2tp
vpdn group 2 ppp authentication chap
vpdn group 2 client configuration address local Ignite
vpdn group 2 client configuration dns x.x.x.3 x.x.x.4
vpdn group 2 client authentication local
vpdn group 2 l2tp tunnel hello 60
vpdn username (our username) password (our password)
vpdn enable outside
dhcpd address 192.168.1.20-192.168.1.239 inside
dhcpd dns x.x.x.3 x.x.x.4
dhcpd lease 14400
dhcpd ping_timeout 750
dhcpd enable inside
username (username1) password (our password) encrypted privilege 15
username (username2) password (our password) encrypted privilege 15
terminal width 80
banner exec Welcome
banner login Authorized Users Only are allowed, Please Login:
banner motd .
banner motd
banner motd ***************************************************************
banner motd * Unauthorized access to this device is strictly prohibited. *
banner motd * All attempts to access are recorded, and reviewed daily. *
banner motd * Violations will be reported to the appropriate authorities. *
banner motd * Violators will be prosecuted. *
banner motd ***************************************************************
Cryptochecksum:323425a23063abb8cb49144a7abaadfd
: end
[OK]
 
Sort by date Sort by votes
add nat traversal support.

isakmp nat-traversal 20

The traversal support is not enabled by default. Btw what client are you using? ms or ciscos?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
148
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
AnyConnect + Azure + SAML
Replies
0
Views
106
Sparrow4
Sparrow4
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
125
nnaarrnn
nnaarrnn
XLNTech1
  • Locked
  • Question
iptables port forwarding
Replies
0
Views
126
XLNTech1
XLNTech1
ISDPCMAN
  • Locked
  • Question
Cannot connect to TZ-215 Sonicwall appliance with web browser!
Replies
0
Views
52
ISDPCMAN
ISDPCMAN

Part and Inventory Search

Sponsor

Back
Top