Have VPN....But no LAN? 1

[quell]

We are in the middle of transfering our ISP's. I have a PIX 515 that I am able to connect to via VPN with no problems. Internet and everything works great. However I cannot access the network resources through VPN tunnel (Citrix, OWA, Network shares etc..) I have tried this over dial-up, cable and dsl with the same response. I have another pix with same config that works fine. I have 2 ISP's both on same LAN. One pix with vpn works fine the other vpn does not with same config different IOS. I tried debug but I'm not for sure how to interprit the data and didnt see anything I reconiguized.
internet---cable modem--------pix---network
internet---router---linksys---pix----/


PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname pix
domain-name xxx.Com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.123.0 255.255.255.
0
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 66.x.x.178 255.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.123.1-192.168.123.10
pdm history enable
arp timeout 14400
global (outside) 1 66.x.x.179 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 66.x.x.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set edg esp-des esp-md5-hmac
crypto dynamic-map dyna-brett 10 set transform-set edg
crypto map edgvpn 99 ipsec-isakmp dynamic dyna-brett
crypto map edgvpn client configuration address initiate
crypto map edgvpn client configuration address respond
crypto map edgvpn interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup edg address-pool vpnpool
vpngroup edg dns-server 192.168.0.7
vpngroup edg wins-server 192.168.0.7
vpngroup edg default-domain xxx.com
vpngroup edg idle-time 1800
vpngroup edg password ********
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:
: end
[OK]

 

[davarg]

I'm guessing the network that doesn't work is the internet---router---linksys---pix----/. I found in the past that I can't get vpns to work with NATted addresses. So I'm inferring that your router or the linksys is giving out local addresses (or some NATted address).

As a test, to prove that your pix config should work, remove the router and/or linksys, connect the pix directly to the internet. I believe it should work.

 

[quell]

the router linksys is the one that works, guess I should of mentioned that sorry

 

[davarg]

that's interesting ... is the linksys a switch ... forget that! Going back to your problem, do you have any info on your show cryp ipsec sa .... Make sure that the local address, local ident, remote ident, and current peer addresses are correct. Meaning the local address is your pix outside address, local ident are the address going over the vpn tunnel, remote ident are the addresses coming over from remote side, and current peer is your remote vpn peer address. Also, try to make sure that both vpn devices have a mirror image of the show cryp ipsec sa statement. Here's an example of one side of the show cryp ipsec sa statement.

interface: FastEthernet0/0
Crypto map tag: Cinimap, local addr. 123.45.67.89

local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/0/0)
current_peer: 22.32.42.52
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 123.45.67.89, remote crypto endpt.: 22.32.42.52
path mtu 1500, media mtu 1500
current outbound spi: 0


One final question. Is your vpn tunnel going from one Cisco device to another Cisco device, or Cisco device to different vendor device? ... I hope the above helps

 

[quell]

hehe One VPN goes from router to linksys huh to pix on a t1. The hub links to monitaring stations. Anyway, this vpn is already established and working perfect. However we are getting rid of this T1 for a cable modem 2x the speed of the T1 and half the price. We had an extra PIX so I decided to set up both ISP for a smooth transfer from one isp to the other. The only problem is I cannot get the new VPN going on the cable. I did the command you mentioned and it did not show anything at first, then connected with the VPN and it showed everything that you have posted and more. The VPN is from a Cisco client 3.5.2 to the pix 515. Both pix's have the same config with different IP's of course but same config. Been on this for about a week now any more ideas? Thanx for your help.

 

[davarg]

Did you copy and paste your config onto the secondary pix515. Sometimes when I copy and paste, I grab the encrypted passwords for my preshared key, i.e. when i copy from a good pix after issuing a wr term i'll get something like

isakmp key ********* address 1.2.3.4 netmask 255.255.255.255

or in your case

vpngroup edg password ********

did you copy ****** or did you put the correct password letter by letter. It doesn't hurt to retype the password again, if you remember it.

Also, it difficult to assess your situation without seeing debug info (Be careful with debug it could impact your network). Hey did you see in the show cryp ipsec sa command, any numeric values (other than 0) for #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0 or #send errors 0

 

[quell]

Here is my sh cryp ipsec sa info when connected to vpn:
Is there anything special i should look for when debugging?
Also what should i debug ipsec, engine and what?
I cleared my config and started from scratch and still same thing. Built the config without coping. man have a headache from this shit. going to try the pdm next and see if i can find something in that.

interface: outside
Crypto map tag: mymap, local addr. 66.x.x.178

local ident (addr/mask/prot/port): (66.x.x.178/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.123.1/255.255.255.255/0/0)
current_peer: x.x.x.x
dynamic allocated peer ip: 192.168.123.1

PERMIT, flags={}
#pkts encaps: 0, #pkts engest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 66.x.x.178, remote crypto endpt.: x.x.x.x
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: eca6e26a

inbound esp sas:
spi: 0xdcff9f95(3707740053)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4608000/28384)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0xeca6e26a(3970359914)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4608000/28357)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:


outbound pcp sas:



local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.123.1/255.255.255.255/0/0)
current_peer: x.x.x.x
dynamic allocated peer ip: 192.168.123.1

PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 66.x.x.178, remote crypto endpt.: x.x.x.x
path mtu 1500, ipsec overhead 56, media mtu 1500
inbound esp sas:
spi: 0xffd23f67(4291968871)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 6, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4608000/27518)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0xdafd08b1(3674015921)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4608000/27509)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:

current outbound spi: dafd08b1

 

[quell]

After connecting to the vpn I entered debug crypto ipsec and got nothing when trying to access the LAN. so I entered debug crypto isakmp and this popped up when I tried to access the LAN: I have no idea how to read this...looks greek to me :/

crypto_isakmp_process_block: src 66.x.x.181, dest 66.x.x.178
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 3957315528
ISAMKP (0): received DPD_R_U_THERE from peer 66.x.x.181
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src 66.x.x.181, dest 66.x.x.178
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 3849212301
ISAMKP (0): received DPD_R_U_THERE from peer 66.x.x.181
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS

 

[azstyx]

Clear all current SAs first:
#clear crypto ipsec sa
#clear crypto isakmp sa

Enable all three debugging entities:
#debug crypto engine
#debug crypto isakmp
#debug crypto ipsec

Now try your connection test again. If possible and i am assuming you are using the vpn unity client, enable logging and set all events on high.
Cut-n-paste the results from the client debug log and the pix debug messages and send to my email azstyx@yahoo.com and i will take a look. They can be rather long so if you do the email thing, I will look for possible issue events and post it back here for everyone to see so we dont consume to much space here.
Keith
azstyx@yahoo.com
#

 

[davarg]

I ran your config from the first post on my pix501(IOS6.2.2) with vpnclient 3.6.3b and it worked fine. Ofcourse I had to make accomodations on the ip addresses to reflect my network scheme. Which leads me to two questions, One, did you run the commands as azstyx mentioned clear cryp isa sa and clear cryp ipsec sa (also clear xlate could help). Should be done after any changes to your crypto map stmts or isakmp stmts are made.

Two, are you running the vpnclient behind another firewall? The small test I ran involved the following
laptop(w/vpnclient)===x-over===Pix501(OutsideInterface)===Pix501(insideInterface)----(workstation)

Not sure how to represent Outside/Inside interface, but I'm assuming you get the point. I'm just wondering if you test your second pix any differently than the first Pix, because of some reason like ... not enough ip address to perform your test or something along that line.

If you need the config I ran, let me know and I'll post or send.

 

[quell]

wow....*shaking my head* hmmm well guess it has to something with my pix then. The only other thing I can think of is that I got the IOS from someone who had a CCO account with cisco. Then called cisco up and asked for a free activation key. I don't now if this would effect it at all. If it does then why is it only effecting LAN access through VPN tunnel. Guess I can try reloading the IOS again and start from bare bones. My test scheme basically looks like this.

(worx) internet---2600----hub----pix----LAN
labtop test pc(public ip)/

(dont work) internet---cablemodem---pix---LAN

Also azstyx: I made the chages you recommended with no luck thanx anyway though I'm going to reload IOS and try again.

 

[davarg]

I have a suggestion, try running your test locally as I did. What I'm getting at is, filter out the cable modem. If your small test works, then start investigating the cable modem. I hope I'm not making you run in circles, but its like you said, everything is the same except you're now using cable modem.

Could it be that the cable modem is filtering packets, NATting (not sure if this applies), etc?

Try running a local test before changing IOS.

 

[quell]

ok ran the test with same setup as yours:
testpc---xovercble---pix-----network still same thing. can connect to VPN but no LAN access. Tried nslookup after connectiong and ping still nothing. The only difference between the PIX's is the IOS so maybe if I can go back the the 6.1(1) ver it will work. Either that or run cable modem to hub and leave t1 also to hub and change IP in pix that is working to new IP. Tha may make a smooth stansition to new ISP. That way monitaring stations can maintain T1 IP scheme and lan will use cable ISP. hehe geers rolling here for a work around. I guess the next step is to try and reload the IOS. I'm out of ideas here.

 

[azstyx]

Resolved:
PIX was globally Nating to old pix outside address.
config chnges:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0