
Cisco PIX 506e configuration question?

Status
Not open for further replies.

gturrubi (IS-IT--Management, US)
Mar 26, 2003
I configured a PIX 506e connected to our ISP router on the outside and connected to our switches on the inside interface.

This configuration will change once I receive our internal router and configure the PIX inside interface to connect to our router.

I can connect to our PIX from the outside via the Cisco VPN Client version 4.05, but I cannot connect to internal systems. I do notice that the default gateway is the IP address that my client receives, which is wrong.

Any help would be appreciated; below is my configuration...


sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 6dUVe2rtumlnXwYn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname NANINET
domain-name nationalable.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NAN_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging on
logging buffered notifications
logging history notifications
mtu outside 1500
mtu inside 1500
ip address outside 65.104.191.195 255.255.255.192
ip address inside 10.0.0.3 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool NANR 192.168.1.1-192.168.1.254
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup NAN address-pool NANR
vpngroup NAN dns-server 10.0.0.5 10.0.2.5
vpngroup NAN default-domain nationalable.org
vpngroup NAN split-tunnel NAN_splitTunnelAcl
vpngroup NAN idle-time 1800
vpngroup NAN password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username gturrubi password MvM54o1i96zn20ui encrypted privilege 15
vpnclient mode client-mode
vpnclient vpngroup NAN password ********
terminal width 80
Cryptochecksum:26c9e929a2a96b5b29fca7ce2e44d945
: end
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 6dUVe2rtumlnXwYn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname NANINET
domain-name anyname.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip any 192.168.1.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
pager lines 24
logging on
logging buffered errors
logging trap notifications
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.240
ip address inside 10.0.0.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool NANR 192.168.1.1-192.168.1.254
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 10.0.0.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 xxx.xxx.xxx.xxx
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 64.50.54.62 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.0.0.0 255.255.255.0
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address respond
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp client configuration address-pool local NANR outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup NAN address-pool NANR
vpngroup NAN dns-server 10.0.0.5 10.0.2.5
vpngroup NAN default-domain nationalable.org
vpngroup NAN idle-time 1800
vpngroup NAN password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.255 inside
ssh timeout 5
console timeout 0
username xxx password MvM54o1i96zn20ui encrypted privilege 15
vpnclient mode client-mode
vpnclient vpngroup NAN password ********
terminal width 80
Cryptochecksum:618464e4a1821a6436d6bfd49fca69c8
: end
 

That's what you will see as the default gateway: the client's own IP address that it obtained through the VPN. It's not the Cisco configuration that causes that; MS does that. It should work, however.

Did you use PDM to configure this? Try adding the statement below and let me know how it goes.

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0



"Unemployed"
 
Whoops, don't use the command I sent previously. Use this:

access-list NAN_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
 
You might even want to look at changing your interface speed from auto to 100full, or whatever speed your connection is. I'm not sure how many problems being on auto can cause, but Cisco recommends that you change it.

Computer/Network Technician
CCNA
 
Dimpa1 - This did not work. I added the ACLs, but I cannot get onto the remote network. I hit the firewall just fine, but I can't get onto the 10.0.0.0 private network.

Any other Ideas?
 
So does the client connect, but just can't ping the internal network? If so, most likely it is your access-list configuration.
 
Check and see if you are getting any hits on your access-list entry `access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0`. Also, like Dimpa1 said, are you trying to ping the internal network from your client? And have you tried mapping to a network resource?
 
I connect to the firewall, but that's it; no access to the internal network, whether mapping a persistent connection or a new connection. I cannot ping any internal hosts either.

Any ideas, What would I need to add or change in the access-lists?

Thanks
 
What is the address of the internal host that you are trying to ping? Send me the current access-list, nat, and crypto...
 
Dimpa1 - I am trying to access a 10.0.0.xxx list of devices.

Here are the access lists:

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
alert-interval 300
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list NAN_splitTunnelAcl; 1 elements
access-list NAN_splitTunnelAcl line 1 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit ip any 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list nonat; 1 elements
access-list nonat line 1 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list 100; 3 elements
access-list 100 line 1 permit icmp any any echo-reply (hitcnt=0)
access-list 100 line 2 permit icmp any any time-exceeded (hitcnt=0)
access-list 100 line 3 permit icmp any any unreachable (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0)
 
Resend the current config and let me see what is currently there.
 
Dimpa1, here is the current configuration. I know I still have some clean-up items I need to perform. Please review.

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 6dUVe2rtumlnXwYn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname NANINET
domain-name nationalable.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NAN_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.1.0 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging buffered errors
logging trap notifications
icmp permit any outside
icmp permit 192.168.1.0 255.255.255.0 echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside 65.106.63.178 255.255.255.240
ip address inside 10.0.0.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool NANR 192.168.1.1-192.168.1.254
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 10.0.0.0 255.255.255.255 inside
pdm location 10.0.0.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 xxx.xxx.xxx.xxx
global (outside) 1 192.168.1.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.0.0.0 255.255.255.0
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp client configuration address-pool local NANR outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup NAN address-pool NANR
vpngroup NAN dns-server 10.0.0.5 10.0.2.5
vpngroup NAN default-domain nationalable.org
vpngroup NAN idle-time 1800
vpngroup NAN password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.255 inside
ssh timeout 5
console timeout 0
username gturrubi password eoFUWZbB.rakhdLc encrypted privilege 15
terminal width 80

I cannot access the internal network. Please advise on the changes I need to make.

Thanks in advance.
 
Never use PDM to configure the PIX. It gives you more headaches :)

no crypto map outside_map interface outside
no global (outside) 1 192.168.1.0
no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
no crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
no crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
no crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
no crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
no crypto map outside_map client authentication LOCAL
no nat (inside) 0 access-list inside_outbound_nat0_acl
no access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
no access-list NAN_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
no access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
no access-list outside_cryptomap_dyn_40 permit ip any 192.168.1.0 255.255.255.0
no access-list 101 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list split permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-MD5
crypto map mymap 90 ipsec-isakmp dynamic DYNMAP

no isakmp client configuration address-pool local NARN outside
no isakmp nat-traversal 20

no vpngroup NAN address-pool NANR
no ip local pool NANR 192.168.1.1-192.168.1.254
ip local pool vpnpool 192.168.1.1-192.168.1.254
vpngroup NAN address-pool vpnpool
vpngroup NAN split-tunnel split

crypto map mymap interface outside
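Two things in this thread lend themselves to a mechanical check: Dimpa1's earlier point that the split-tunnel and crypto-match ACLs must be written from the PIX's side (inside network as source, client pool as destination), and the trap of applying a crypto map to the outside interface after its `ipsec-isakmp` entries have been removed. The linter below is an added example, not code from the thread or from Cisco; its rules are this editor's reading of PIX 6.3 behaviour, not a vendor tool. The two embedded configs are constructed for the demo (one mirrors the first posting plus the later bogus `global (outside) 1 192.168.1.0`, the other the cleaned-up end state), and it runs offline with only the Python standard library.

```python
# Added example, not from the thread: lint a PIX 6.x 'show run' for the remote-access VPN
# mistakes discussed above. Both sample configs are constructed for this demo.
import ipaddress
from collections import defaultdict

ANY = ipaddress.ip_network("0.0.0.0/0")
# Mirrors the first posting (split-tunnel and crypto-match ACLs written pool -> inside),
# plus the later bogus 'global (outside) 1 192.168.1.0' and the md5/'public' defaults.
BAD_CONFIG = """
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NAN_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
ip local pool NANR 192.168.1.1-192.168.1.254
global (outside) 1 interface
global (outside) 1 192.168.1.0
nat (inside) 0 access-list inside_outbound_nat0_acl
snmp-server community public
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp policy 20 hash md5
vpngroup NAN address-pool NANR
vpngroup NAN split-tunnel NAN_splitTunnelAcl
"""
# The cleaned-up end state: inside -> pool ACLs, a nat 0 exemption, one populated crypto map.
GOOD_CONFIG = """
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list split permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpnpool 192.168.1.1-192.168.1.254
nat (inside) 0 access-list nonat
crypto map mymap 90 ipsec-isakmp dynamic DYNMAP
crypto map mymap interface outside
isakmp policy 20 hash sha
vpngroup NAN address-pool vpnpool
vpngroup NAN split-tunnel split
"""

def _addr_spec(tok, i):
    # One ACE address at tok[i], 'any' or 'ADDR MASK'; returns (network, index of next token)
    if tok[i] == "any":
        return ANY, i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def _covering_net(first, last):
    # Smallest CIDR block holding both ends of an 'ip local pool' range
    prefix = 32 - (int(ipaddress.ip_address(first)) ^ int(ipaddress.ip_address(last))).bit_length()
    return ipaddress.ip_network(f"{first}/{prefix}", strict=False)

def parse_pix(text):
    # Pull the VPN-relevant statements out of 'show run' output
    cfg = {"acl": defaultdict(list), "pools": {}, "nat0_acl": None, "globals": [],
           "dynmap_match": [], "map_entries": defaultdict(int), "map_iface": {},
           "vpngroup": defaultdict(dict), "flags": set()}
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src, i = _addr_spec(tok, 4)
            cfg["acl"][tok[1]].append((src, _addr_spec(tok, i)[0]))
        elif tok[:3] == ["ip", "local", "pool"]:
            cfg["pools"][tok[3]] = _covering_net(*tok[4].split("-"))
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            cfg["nat0_acl"] = tok[4]
        elif tok[0] == "global" and tok[3][0].isdigit():  # skips 'interface' and xxx-sanitized pastes
            cfg["globals"].append(ipaddress.ip_address(tok[3].split("-")[0]))
        elif tok[:2] == ["crypto", "dynamic-map"] and tok[4:6] == ["match", "address"]:
            cfg["dynmap_match"].append(tok[6])
        elif tok[:2] == ["crypto", "map"] and "ipsec-isakmp" in tok:
            cfg["map_entries"][tok[2]] += 1
        elif tok[:2] == ["crypto", "map"] and tok[3] == "interface":
            cfg["map_iface"][tok[4]] = tok[2]
        elif tok[0] == "vpngroup" and len(tok) == 4:
            cfg["vpngroup"][tok[1]][tok[2]] = tok[3]
        elif tok[:3] == ["snmp-server", "community", "public"]:
            cfg["flags"].add("snmp: default community string 'public'")
        elif tok[:2] == ["isakmp", "policy"] and tok[3:5] == ["hash", "md5"]:
            cfg["flags"].add(f"isakmp: policy {tok[2]} uses md5")
    return cfg

def lint_vpn(cfg):
    # Returns findings as strings; an empty list means the VPN plumbing is consistent
    findings = sorted(cfg["flags"])
    def check_direction(name, pool, label):
        # Split-tunnel and crypto-match ACLs are written from the PIX's side: inside -> pool
        for src, dst in cfg["acl"].get(name, []):
            if not pool.subnet_of(dst):
                how = "direction reversed" if pool.subnet_of(src) else "does not cover the pool"
                findings.append(f"{label} {name}: {how} ({src} -> {dst}, pool {pool})")
    for group, attrs in cfg["vpngroup"].items():
        pool = cfg["pools"][attrs["address-pool"]]
        if "split-tunnel" in attrs:
            check_direction(attrs["split-tunnel"], pool, "split-tunnel ACL")
        for acl in cfg["dynmap_match"]:
            check_direction(acl, pool, "match address ACL")
        # Without a nat 0 exemption, inside hosts' replies to pool addresses are translated
        # by 'nat (inside) 1' and then never match the client's IPsec SA
        if not any(pool.subnet_of(dst) for _, dst in cfg["acl"].get(cfg["nat0_acl"], [])):
            findings.append(f"vpngroup {group}: no 'nat (inside) 0' exemption covering {pool}")
        findings += [f"global address {g} lies inside the VPN pool {pool}"
                     for g in cfg["globals"] if g in pool]
    for iface, name in cfg["map_iface"].items():  # a map applied after its entries were removed
        if cfg["map_entries"][name] == 0:
            findings.append(f"crypto map {name} is applied to {iface} but has no ipsec-isakmp entries")
    return findings
```

To use it on a real box, save the `show run` output to a file, read it in, and print `lint_vpn(parse_pix(text))`; `lint_vpn(parse_pix(BAD_CONFIG))` reports the reversed ACLs, the global inside the pool, and the md5/`public` defaults, while `GOOD_CONFIG` comes back empty. The pool is reduced to the smallest CIDR block covering its range, so `global (outside) 1 192.168.1.0` is caught even though `.0` is not itself a pool address.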
 
I haven't dealt with this in a couple of weeks. I tested the client from outside, and now I cannot authenticate to the firewall.
 