We are busy configuring a PIX 520 to make VPN connections so we can reach servers with an internal IP from an external location. At this moment we can connect to the PIX with the Cisco VPN Client without any problem, but we can't reach the servers with the internal IPs. On the console we get the following errors:
Code:
106011: Deny inbound (No xlate) icmp src outside:10.15.10.10 dst outside:10.15.10.225 (type 0, code 0)
106011: Deny inbound (No xlate) udp src outside:10.15.10.225/138 dst outside:10.255.255.255/138
Does anybody know how to solve this error? This is my config:
Code:
PIX Version 6.3(5)145
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password ****** encrypted
passwd ****** encrypted
hostname pix
domain-name ******.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 2222
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol smtp 2525
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network public
network-object 0.0.0.0 0.0.0.0
object-group service winserv tcp
description Default open ports Windows Servers
port-object range https https
port-object eq www
port-object eq ftp-data
port-object range 3389 3389
port-object eq ftp
port-object range 5000 5004
object-group service daserv tcp
description Open ports for servers with DirectAdmin
port-object range 5000 5004
port-object eq 2222
port-object eq smtp
port-object eq domain
port-object eq pop3
port-object eq ftp-data
port-object eq 2525
port-object eq www
port-object eq ftp
port-object eq 2235
access-list myacl_in permit icmp any any
access-list VPNGate_splitTunnelAcl permit ip interface inside any
access-list VPNGate_splitTunnelAcl permit ip 10.15.10.0 255.255.255.0 any
access-list VPNGate_splitTunnelAcl permit ip any any
access-list inside_outbound_nat0_acl permit ip interface inside 10.15.10.224 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.15.10.224 255.255.255.224
access-list nat0 permit ip 10.15.10.0 255.255.255.0 10.15.10.0 255.255.255.0
pager lines 24
logging console warnings
logging monitor warnings
logging buffered warnings
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside xx.xx.xx.155 255.255.255.224
ip address inside 10.15.10.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 10.15.10.225-10.15.10.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location xx.xx.xx.xx 255.255.255.255 outside
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nat0
nat (inside) 1 10.15.10.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group myacl_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.129 1
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.15.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNGate address-pool VPNPool
vpngroup VPNGate dns-server xx.xx.xx.xx
vpngroup VPNGate default-domain proxxio.net
vpngroup VPNGate split-tunnel VPNGate_splitTunnelAcl
vpngroup VPNGate idle-time 1800
vpngroup VPNGate password ********
telnet timeout 5
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh timeout 5
console timeout 0
username Admin password ****** encrypted privilege 2
username VPNuser01 password ****** encrypted privilege 3
terminal width 80
Any help on this subject is much appreciated. Thanks in advance!!
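The config above has three things a reviewer would check before anything else: the VPN pool (10.15.10.225-10.15.10.254) is carved out of the inside subnet (10.15.10.0/24), the split-tunnel ACL ends in `permit ip any any`, and there are three `nat (inside)` statements (two of them nat 0). The script below is an added example, not from the poster or from Cisco: it parses those lines from a constructed excerpt of the posted config and reports pool/interface overlap, whether the nat 0 ACL exempts inside-to-pool traffic from translation, and whether the split-tunnel ACL is effectively tunnel-all. It assumes the `interface inside` keyword in a PIX 6.3 access-list means that interface's own /32 address; the masked outside address is left out because none of the checks need it.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the posted PIX 6.3 config: only the lines the checks read.
PIX_CONFIG = """\
ip address inside 10.15.10.1 255.255.255.0
ip local pool VPNPool 10.15.10.225-10.15.10.254
access-list VPNGate_splitTunnelAcl permit ip interface inside any
access-list VPNGate_splitTunnelAcl permit ip 10.15.10.0 255.255.255.0 any
access-list VPNGate_splitTunnelAcl permit ip any any
access-list inside_outbound_nat0_acl permit ip interface inside 10.15.10.224 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.15.10.224 255.255.255.224
access-list nat0 permit ip 10.15.10.0 255.255.255.0 10.15.10.0 255.255.255.0
nat (inside) 0 access-list nat0
nat (inside) 1 10.15.10.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
vpngroup VPNGate address-pool VPNPool
vpngroup VPNGate split-tunnel VPNGate_splitTunnelAcl
"""

Net = ipaddress.IPv4Network
Iface = ipaddress.IPv4Interface
Pool = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]
AclEntry = Tuple[Net, Net]  # (source, destination) of one "permit ip" line


def parse_interfaces(cfg: str) -> Dict[str, Iface]:
    """'ip address <name> <ip> <mask>' -> name -> address with its subnet."""
    out: Dict[str, Iface] = {}
    for m in re.finditer(r"^ip address (\S+) (\S+) (\S+)$", cfg, re.M):
        out[m.group(1)] = Iface(f"{m.group(2)}/{m.group(3)}")
    return out


def parse_pools(cfg: str) -> Dict[str, Pool]:
    """'ip local pool <name> <first>-<last>' -> name -> (first, last)."""
    out: Dict[str, Pool] = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)$", cfg, re.M):
        out[m.group(1)] = (ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3)))
    return out


def _addr(tokens: List[str], i: int, ifaces: Dict[str, Iface]) -> Tuple[Net, int]:
    """Consume one PIX address spec at tokens[i]; return (network, index after it)."""
    t = tokens[i]
    if t == "any":
        return Net("0.0.0.0/0"), i + 1
    if t == "host":
        return Net(f"{tokens[i + 1]}/32"), i + 2
    if t == "interface":  # assumption: 'interface <name>' = that interface's own address
        return Net(f"{ifaces[tokens[i + 1]].ip}/32"), i + 2
    return Net(f"{t}/{tokens[i + 1]}", strict=False), i + 2  # '<net> <mask>'


def parse_acls(cfg: str, ifaces: Dict[str, Iface]) -> Dict[str, List[AclEntry]]:
    """'access-list <name> permit ip <src> <dst>' -> name -> [(src, dst), ...]."""
    out: Dict[str, List[AclEntry]] = {}
    for m in re.finditer(r"^access-list (\S+) permit ip (.+)$", cfg, re.M):
        tokens = m.group(2).split()
        src, i = _addr(tokens, 0, ifaces)
        dst, _ = _addr(tokens, i, ifaces)
        out.setdefault(m.group(1), []).append((src, dst))
    return out


def nat0_acl_name(cfg: str) -> str:
    """Name of the ACL bound by 'nat (inside) 0 access-list <name>', or ''."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)$", cfg, re.M)
    return m.group(1) if m else ""


def pool_overlaps(pool: Pool, ifaces: Dict[str, Iface]) -> List[str]:
    """Interfaces whose subnet intersects the pool's address range."""
    first, last = pool
    return [name for name, itf in ifaces.items()
            if first in itf.network or last in itf.network
            or first <= itf.network.network_address <= last]


def nat0_covers(entries: List[AclEntry], inside_net: Net, pool: Pool) -> bool:
    """True if some nat-0 entry exempts inside-subnet -> every pool address."""
    first, last = pool
    return any(src.supernet_of(inside_net) and first in dst and last in dst
               for src, dst in entries)


def tunnels_everything(entries: List[AclEntry]) -> bool:
    """'permit ip any any' in a split-tunnel ACL sends all client traffic into the tunnel."""
    return any(src.prefixlen == 0 and dst.prefixlen == 0 for src, dst in entries)


def audit(cfg: str) -> List[str]:
    """Run the three checks and return human-readable findings in a fixed order."""
    ifaces, pools, acls = parse_interfaces(cfg), parse_pools(cfg), parse_acls(cfg, parse_interfaces(cfg))
    findings: List[str] = []
    n0 = nat0_acl_name(cfg)
    for name, pool in pools.items():
        for itf in pool_overlaps(pool, ifaces):
            findings.append(f"pool {name} {pool[0]}-{pool[1]} lies inside the {itf} subnet {ifaces[itf].network}")
        if not n0 or not nat0_covers(acls.get(n0, []), ifaces["inside"].network, pool):
            findings.append(f"nat 0 ACL '{n0}' does not exempt inside -> pool {name} from NAT")
    for m in re.finditer(r"^vpngroup (\S+) split-tunnel (\S+)$", cfg, re.M):
        if tunnels_everything(acls.get(m.group(2), [])):
            findings.append(f"split-tunnel ACL {m.group(2)} for group {m.group(1)} is tunnel-all (permit ip any any)")
    return findings


if __name__ == "__main__":
    for line in audit(PIX_CONFIG):
        print("finding:", line)
```

Against the posted excerpt the script reports two findings: the pool sits inside the inside subnet, and the split-tunnel ACL is tunnel-all; the `nat0` ACL (10.15.10.0/24 to 10.15.10.0/24) does cover inside-to-pool traffic, so that check passes. The tunnel-all ACL together with the default route on the outside interface is consistent with the second log line, where a NetBIOS broadcast from the client (10.15.10.225) to 10.255.255.255 is classified as outside-to-outside. The usual recommendation for PIX 6.x remote-access VPN is a client pool that does not overlap the inside LAN, with a nat 0 ACL that covers it.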