Can log into vpn but stops there

[RonCSS]

515 Pix currently only need it for a vpn to our local network from offsite. Here's the config.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd BRZuZRbo127.Mrzz encrypted
hostname xxxxx
domain-name xxx.xxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list split permit ip 198.185.xxx.x 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 198.185.18x.xx 255.255.255.0
ip address inside 198.185.17x.xx 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.0.1-192.168.0.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
pdm location 198.185.xxx.xxx 255.255.255.0 outside
pdm logging notifications 100
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 198.185.18x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 198.185.xxx.xxx 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup cetvpn address-pool vpnpool
vpngroup cetvpn dns-server 198.185.xxx.xxx
vpngroup cetvpn wins-server 198.185.xxx.xxx
vpngroup cetvpn default-domain xxx.xxx
vpngroup cetvpn split-tunnel split
vpngroup cetvpn idle-time 1800
vpngroup cetvpn password ********
telnet 198.185.xxx.xxx 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
terminal width 80


When telneted into the pix i can ping both sides on the network internal and external. When I have the vpnclient running I can ping on the outside interface but tracert show it going thru the internet whether or not the allow local lan access is check. I cannot ping any machine with the outside class of ip's.
Also, in the router I have a static route for the 192.168.0.0/24 network to go to the inside Pix interface as cisco said to.

Does anyone see a problem of why I can't get to any internal machines?


Thanks,

Ron

 

[JohnGillam]

Hi rmagers

Did u resolve this at all..? I ask because I'm having the same issue with either split or no split tunnel mode. I'm at a loss as to where to trouble shoot as debugging isakmp and ipsec show the negotiation is all okay.

Looking at the client vpn stats packets get encrypted but never decrypted which implies an acl denying traffic back.

do you or anyone know if the acls applied in and outbound have any effect on the VPN?

Thanks...

 

[RonCSS]

Not resolved yet. Cisco thinks it may be a routing problem but I can't find anything wrong on the router. I've added the needed static route but no luck. I may move this to a higher priority with Cisco.

 

[JohnGillam]

Thanks for the update I will escalate to Cisco too. Thinking it may be an IOS bug I'm running:

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)
Compiled on Fri 07-Jun-02 17:49 by morlee
neo up 13 hours 25 mins
Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB

With the Client VPN Ver 3.5.1 is this consistant with you?

 

[yizhar]

HI.

> Also, in the router I have a static route for the 192.168.0.0/24 network ...
Which router?
If you're talking about the perimeter router (the default gateway of the pix, 198.185.18x.1), then this one does not participate because it can see and pass only the encrypted VPN traffic.
If you have additional router on the "inside" of the pix, then this one should also be specified in your pix routing table.

Please describe your network in more details, giving us the whole picture.

> Cisco thinks it may be a routing problem
I also think so.
Just think in mind that you are an IP packet, and follow the path from host to host, and then in the reverse direction... Don't take anything forgranted, try to follow the exact rules configured at any host (computer, pix, router).

Bye Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[RonCSS]

The router is a perimeter router. Here's the scenario we are trying to do currently. The pix will only be used for a vpn right now. I have a few off-site staff that need to access our local servers (Win2K etc). We have a Cisco 2651 Router with 3 T's coming into it. Inside the network we use 2 sets of class c addresses. The pix is plugged into a switch with one class as an external interface and one of the other class c address as an internal interface. Cisco said i need to use another class of addresses to hand out to the vpn clients. This may be overkill to use the Pix as only a vpn right now but I need to get the external users to our local servers.

Thanks,

Ron

 

[yizhar]

HI.

> access-list split permit ip 198.185.xxx.x 255.255.255.0 192.168.0.0 255.255.255.0

The above line should specify the internal address range 198.185.17x.xx . Is it currently so?

Try without the split-tunnel at all. What do you get?

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[RonCSS]

Yes the line is access-list split permit ip 198.185.17x.x 255.255.255.0 192.168.0.0 255.255.255.0

I have tried without the split tunnel and get the same results.

 

[RonCSS]

One FYI, I had someone using the vpn client logged into the pix. I did a show crypto ipsec sa. I can see decrypted packets but nothing encrypted. So it looks like once someone is logged in they cannot get outside the pix. From using telnet and logging into the pix I can ping around to different machine fine. Confusing???

 

[yizhar]

HI.

Please provide the phisical network diagram.
> " The pix is plugged into a switch with one class as an external interface and one of the other class c address as an internal interface "
Are both pix interfaces connected to the same switch (and same VLAN)?
If so, then change it, and redesign the whole network structure.
Connecting both interface to the same phisical network is a bad idea which leads to - routing problems, ARP problems, and security breaches.

If this is not the situation, please provide a diagram of phisical cabling and ip addressing.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[RonCSS]

The only reason it's set up this way is to test the vpn currently.

Just got off the phone with Cisco. Here's what I did and it seems to work.

Remove:
nat (inside) 0 0.0.0.0 0.0.0.0
Remove:
nat (inside) 0 access-list inside_outbound_nat0_acl (wasn't there)

Add:
static (inside, outside) 198.185.17x.0 198.185.17x.0

This seems to work. Cisco could ping the servers and try to attach.

 

[yizhar]

HI.

> The only reason it's set up this way is to test the vpn currently.
Wrong way - the test network should be configured properly.
How are you planning to implement the real thing?

> This seems to work. Cisco could ping the servers and try to attach
But it could expose the servers to unprotected traffic (without VPN) as well. doesn't it?

If you're looking for a VPN device, better try the VPN 3xxx concenctrator which is better suited for the task then the pix, and (unlike the pix) supports the use of single interface for VPN.

You can also consider an additional Ethernet interface on the 26xx router that will connect to the pix outside interface, and then connect the insdie interface to the switch.

I assume that the 2651 router is acting as a firewall also, or isn't it so?
If you don't have another firewall, why are you planning to use the pix as a VPN device instead of placing it between the router and your network to protect it as a firewall?
Internet - router - pix - switch - servers

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[RonCSS]

Actually I am setting it up that way. Int-router-pix-switch. The router is acting as the firewall now. In fact I ordered the router with the extra ethernet just for this.

Thanks,

Ron

 

[JohnGillam]

Hi there.. I just resolved my issue in so much that the VPN Client will not work if it sits behind a device performing either NAT or PAT - which in my view is kinda pointless. Cisco's answer is buy a VPN Concentrator...

 

[JohnGillam]

Okay - rule number one never believe what a consultant tells you! My last post was incorrect. I never quite believed Cisco would produce a VPN client that would not not work with NAT or PAT so I played around with the acl until it worked (It's a home office solution using a SOHO70) - now it seems blindingly obvious that to allow the VPN client to work with nat or pat or behind a f/w just add:

access-list xxx permit esp any x.x.x.x y.y.y.y