Client makes connection, but that's where is ends

[ideasworking]

Hello,

I have a 506E with two tunnels to concentrators and a third dynamic tunnel to software clients. For some reason the software clients cannot access the network. Could you look at my config and suggest why it's not working?

TIA


ip address inside 172.22.6.XXX 255.255.255.0

access-list 103 permit ip 172.22.6.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 100 permit ip 172.22.6.0 255.255.255.0 192.168.1.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list 100

ip local pool wwpVPN 192.168.1.1-192.168.1.254

crypto ipsec transform-set wwpVPNset esp-aes-256 esp-sha-hmac

crypto dynamic-map map2 30 set transform-set wwpVPNset

crypto map aptmap 30 ipsec-isakmp dynamic map2

crypto map aptmap interface outside

isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400

vpngroup address-pool idle-time 1800
vpngroup wwpRemote address-pool wwpVPN
vpngroup wwpRemote dns-server 172.22.6.1
vpngroup wwpRemote split-tunnel 103
vpngroup wwpRemote idle-time 1800
vpngroup wwpRemote password ********

 

[NetworkGhost]

Try this:

sysopt connection permit-ipsec

 

[ideasworking]

Sorry,

I forgot to include that I have the "sysopt connection permit-ipsec" in the configuration. Do you have any other suggestions?

TIA
Lou

 

[NetworkGhost]

Are they authenticating ok? Make sure you have the correct isakmp identity set also.

 

[NetworkGhost]

Also change the seq-num priority in the dynamic map

crypto dynamic-map map2 30
crypto dynamic-map mydynamicmap 30 match address 103
crypto dynamic-map map2 30 set transform-set wwpVPNset
crypto map aptmap 50 ipsec-isakmp dynamic map2
crypto map aptmap interface outside

 

[ideasworking]

I do have a line 'isakmp identity address'. is that what you mean by "Make sure you have the correct isakmp identity set also"?

I tried changing the seq-num priority but that didn't resolve anything. Would it make a difference if I posted the complete config?

 

[NetworkGhost]

YEs post the complete config.

 

[ideasworking]

Ok, here's the complete config

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password T9r65hBsaYsZ8K9y encrypted
passwd T9r65hBsaYsZ8K9y encrypted
hostname wwpPIX
domain-name mywwp.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip host 172.22.6.30 host 192.168.9.10
access-list 101 permit ip host 172.22.6.30 host 192.168.9.11
access-list 101 permit ip host 172.22.6.30 host 10.128.6.15
access-list acl_out permit ip host 192.168.9.10 host 172.22.6.30
access-list acl_out permit ip host 192.168.9.11 host 172.22.6.30
access-list acl_out permit ip host 10.128.6.15 host 172.22.6.30
access-list acl_out permit icmp any any
access-list acl_in permit icmp any any
access-list acl_in permit tcp any any
access-list acl_in permit udp any any
access-list 102 permit ip 172.22.6.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list 102 permit ip 172.22.6.0 255.255.255.0 172.22.4.0 255.255.255.0
access-list 102 permit ip 172.22.6.0 255.255.255.0 172.22.5.0 255.255.255.0
access-list 102 permit ip 172.22.6.0 255.255.255.0 172.22.7.0 255.255.255.0
access-list 102 permit ip 172.22.6.0 255.255.255.0 172.22.9.0 255.255.255.0
access-list 102 permit ip 172.22.6.0 255.255.255.0 172.22.12.0 255.255.255.0
access-list 102 permit ip 172.22.6.0 255.255.255.0 172.22.16.0 255.255.255.0
access-list 102 permit ip 172.22.6.0 255.255.255.0 172.20.40.0 255.255.255.0
access-list 102 permit ip 172.22.6.0 255.255.255.0 172.20.201.0 255.255.255.0
access-list 102 permit ip 172.22.6.0 255.255.255.0 172.22.28.0 255.255.255.0
access-list 103 permit ip 172.22.6.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip host 172.22.6.30 host 192.168.9.10
access-list 100 permit ip host 172.22.6.30 host 192.168.9.11
access-list 100 permit ip host 172.22.6.30 host 10.128.6.15
access-list 100 permit ip 172.22.6.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list 100 permit ip 172.22.6.0 255.255.255.0 172.22.4.0 255.255.255.0
access-list 100 permit ip 172.22.6.0 255.255.255.0 172.22.5.0 255.255.255.0
access-list 100 permit ip 172.22.6.0 255.255.255.0 172.22.7.0 255.255.255.0
access-list 100 permit ip 172.22.6.0 255.255.255.0 172.22.9.0 255.255.255.0
access-list 100 permit ip 172.22.6.0 255.255.255.0 172.22.12.0 255.255.255.0
access-list 100 permit ip 172.22.6.0 255.255.255.0 172.22.16.0 255.255.255.0
access-list 100 permit ip 172.22.6.0 255.255.255.0 172.22.28.0 255.255.255.0
access-list 100 permit ip 172.22.6.0 255.255.255.0 172.20.40.0 255.255.255.0
access-list 100 permit ip 172.22.6.0 255.255.255.0 172.20.201.0 255.255.255.0
access-list 100 permit ip 172.22.6.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 207.54.XXX.XXX 255.255.255.0
ip address inside 172.22.6.XXX 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool wwpVPN 192.168.1.1-192.168.1.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 172.22.6.0 255.255.255.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 207.54.105.118 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.22.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
crypto ipsec transform-set WinVPNset esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 30 set transform-set WinVPNset
crypto map aptmap 10 ipsec-isakmp
crypto map aptmap 10 match address 101
crypto map aptmap 10 set peer 63.87.XXX.XXX
crypto map aptmap 10 set transform-set aptset
crypto map aptmap 20 ipsec-isakmp
crypto map aptmap 20 match address 102
crypto map aptmap 20 set peer 38.112.XXX.XXX
crypto map aptmap 20 set transform-set aptset
crypto map aptmap 50 ipsec-isakmp dynamic map2
crypto map aptmap interface outside
isakmp enable outside
isakmp key ******** address 63.87.XXX.XXX netmask 255.255.255.255
isakmp key ******** address 38.112.XXX.XXX netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup address-pool idle-time 1800
vpngroup wwpRemote address-pool wwpVPN
vpngroup wwpRemote dns-server 172.22.6.1
vpngroup wwpRemote split-tunnel 103
vpngroup wwpRemote idle-time 1800
vpngroup wwpRemote password ********
telnet 172.22.6.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 10
console timeout 0
terminal width 80
Cryptochecksum:44f0edea19f5a48aa7ed9443a8626761
: end
[OK]

 

[NetworkGhost]

You are forgetting your match address. No traffic will flow back if the pix doesnt know ehat is for the VPN:

crypto dynamic-map mydynamicmap 30 match address 103



Try that.

 

[ideasworking]

When I add that the client fails to connect. Here's the tech note I've used to configure the PIX

http://www.cisco.com/en/US/products...s_configuration_example09186a00801e71c0.shtml

Do you see any mistakes from the example?

 

[NetworkGhost]

I dont see any mistakes but obviously something isnt right or is conflicting. What happens when you connect? Do you get an IP address assigned from the Pix?

If you do then setup a continuous ping:

Ping 10.x.x.x -t

Ont this Pix do:

ICMP Trace ont the pix:

debug icmp trace

Post the output Here. Ill configure my Pix and see what I get. Keep in mind the address pool you are using also:

192.168.1

Make sure you lan space isnt conflicting.

 

[ideasworking]

The PIX appears to be seeing the ping request. On the debug output I see...

ICMP echo-request from outside:192.168.1.1 to 172.22.6.1 ID=1024 seq=<incrementing number>

I'm guessing the PIX doens't know where to direct the reply. Does that make sense? If I ping the same 172.22.6.1 inside the network the device responds so I don't think it's a problem with the device I'm attempting to ping.

 

[NetworkGhost]

Try the reverse. Ping from inside the network to the VPN device. What I am wondering is what is happening to the ping once it hits your internal network. See if you get a reply then. Debug it on the pix.

 

[ideasworking]

Ok,

Here's what I see...

ICMP echo-request:from inside:172.22.6.30 to 192.168.1.1

ICMP echo-request: translating inside:172.22.6.30/512 to outside:207.54.105.114/0

I'm guessing we shouldn't see a translation, right?

 

[ideasworking]

Oops I made a mistake with the address, what I see now is...

ICMP echo-request:from inside:172.22.6.30 to 192.168.1.1

ICMP unreachable (code2) 209.MY.PUB.ADD > 207.PIX.OUT.ADD