Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

IPSec vpn works, but cant see inside IP's.

Status
Not open for further replies.

Steven16

IS-IT--Management
Sep 11, 2002
17
US
We got our VPN authentication working via IAS, but we can see any IP address on the inside. Please advise.



PIX(config)# show config
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security20
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password xxxxx encrypted
passwd xxxx encrypted
hostname PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list outside_2_inside permit tcp any host x.x.x.141 eq smtp
access-list localtovpnclient permit ip x.x.8.0 255.255.255.0 x.x.9.0 255.255.255.0
access-list acl_out permit gre any any
access-list no_nat_inside permit ip x.x.8.0 255.255.255.0 x.x.9.0 255.255.255.0
pager lines 24
logging buffered debugging
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside x.x.x.200 255.255.252.0
ip address inside x.x.8.2 255.255.252.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool corpvpnpool x.x.9.170-x.x.9.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.141 x.x.8.14 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1
route inside x.x.8.0 255.255.255.192 x.x.8.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server adauth protocol tacacs+
aaa-server adauth (inside) host x.x.8.28 cisco123 timeout 10
aaa authentication telnet console adauth
aaa authentication ssh console adauth
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
auth-prompt accept OK - You are authenicated.
auth-prompt reject Authentication failed. Try Again.
crypto ipsec transform-set MYSET2 esp-3des esp-sha-hmac
crypto ipsec transform-set MYSET1 esp-des esp-md5-hmac
crypto dynamic-map corpvpndyn 10 set transform-set MYSET1
crypto dynamic-map corpvpndyn 20 set transform-set MYSET2
crypto map corpvpn 10 ipsec-isakmp dynamic corpvpndyn
crypto map corpvpn client configuration address respond
crypto map corpvpn client authentication adauth
crypto map corpvpn interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 5000
vpngroup REMOTE address-pool corpvpnpool
vpngroup REMOTE dns-server x.x.8.11
vpngroup REMOTE wins-server x.x.8.11
vpngroup REMOTE split-tunnel localtovpnclient
vpngroup REMOTE idle-time 84400
vpngroup REMOTE password ********
telnet x.x.8.0 255.255.255.192 inside
telnet timeout 5
ssh x.x.x.202 255.255.255.255 outside
ssh x.x.8.63 255.255.255.255 inside
ssh timeout 60
terminal width 80
 
Couple of things to try...

If you are trying to ping, add an access-list permitting icmp.

Check you have file and print sharing enabled on your client machine.

Clear any IP address information configured on the network card on the client machine if you are using the dial up adapter. You may have problems if the client machine is configured with the same IP address on the NIC as the network it is trying to connect to.

Check the log on the PIX to see if anything is being denied. ----

Sunyasee B-)
 
No denied info in the logs on the pix. But I was thinking... maybe the lack of response to network browsing and ip access is possibly because all the servers are using a different defualt gateway than the pix. This is our setup:

Internet--->router--->switch---

Then from switch one port goes to -----Raptor Firewall(primary gateway) and another goes to new PIX VPN. Both raptor and PIX then both go to a switch that feeds the network backbone.

Is it possible that ANY ip browsing or traffic cant get back to the PIX becuase the raptor is the default gateway? How do I fix this?
 
The servers must use the VPN PIX as their gateway for the VPN to work OR alternatively you could add a route on the other router/firwall to tell the traffic how to reach the VPN PIX. What's happening at the moment is that the servers are answering the request but are sending the traffic to the Raptor firewall (their gateway) not to the PIX.

Do you have two connections out of your network, one to the internet and one private link??? ----

Sunyasee B-)
 
Adding a route on raptor makes better sense. Now I just have to figure out what that route command should be.

We have one link out that feeds both raptor and PIX. This is how I have it set now:

internet link---> outside_router ---> Outside_switch

This Outside_switch has one line to Raptor and another to PIX.

Both the inside lines of the PIX and the Raptor then feed the internal backbone switch.

 
if you feel comfortable tunneling GRE multicast i suggest simply to remove all the crypto config from the pix then use server to encrypt and authenticate all vpn connections.
just add the following:

inbound
access-list 100 permit tcp any host 205.x.x.x eq 1723
access-list 100 permit gre any host 205.x.x.x

outbound (if applied)
access-list inside permit gre host 192.168.2.x any
access-list inside permit tcp host 192.168.2.x any eq 1723

1723 serves authentication purposes, gre allows for tunnelling, IAS is not required, all you need is routing and remote access configured on the server and a permission to dial in
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top