1 - I only get one ping, though, when I try to ping the server on the LAN from my remote VPN client.
2 - What do I need to change if I want the remote VPN users to get a 10.21.0.x network instead of the 192.68.135.x?
This is the reply:
Pinging 192.68.135.14 with 32 bytes of data:
Reply from 192.68.135.14: bytes=32 time=37ms TTL=128
Request timed out.
Request timed out.
This is my config:
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname pix501
domain-name xxxx.local
access-list inet-incoming permit tcp any host xx.xx.xx.xx eq www
access-list inet-incoming permit tcp any host xx.xx.xx.xx eq ftp-data
access-list inet-incoming permit tcp any host xx.xx.xx.xx eq ftp
access-list inet-incoming permit tcp any host xx.xx.xx.xx eq https
access-list inet-incoming permit tcp any host 2xx.xx.xx.xx eq smtp
access-list inet-incoming permit tcp any host xx.xx.xx.xx eq 3389
access-list inet-incoming permit icmp any any
ip address outside xx.xx.xx.xx 255.255.255.248
ip address inside 192.68.135.2 255.255.255.0
ip local pool ippool 192.68.135.100-192.68.135.150
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server mobileauth protocol radius
aaa-server mobileauth max-failed-attempts 3
aaa-server mobileauth deadtime 10
aaa-server mobileauth (inside) host 192.68.135.12 xxxxxxxxxx timeout 5
global (outside) 1 interface
nat (inside) 1 192.68.135.0 255.255.255.0 0 0
static (inside,outside) tcp xx.xx.xx.xx 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.xx ftp-data 192.68.135.130 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.xx ftp 192.68.135.130 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 21xx.xx.xx.xx https 192.68.135.130 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.xx smtp 192.68.135.130 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.xx 3389 192.68.135.12 3389 netmask 255.255.255.255 0 0
access-group inet-incoming in interface outside
conduit permit icmp any any
snmp-server location Denmark
snmp-server contact IT-grp teknik@xxxxxx.dk
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 50 set transform-set strong
crypto map asha 50 ipsec-isakmp dynamic dynmap
crypto map asha client configuration address initiate
crypto map asha client configuration address respond
crypto map asha client authentication mobileauth
crypto map asha interface outside
isakmp enable outside
isakmp nat-traversal
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup xxx-vpn address-pool ippool
vpngroup xxx-vpn dns-server 192.68.135.13
vpngroup xxx-vpn wins-server 192.68.135.13
vpngroup xxx-vpn default-domain asha.local
vpngroup xxx-vpn split-tunnel vpnclient
vpngroup xxx-vpn idle-time 1800
vpngroup xxx-vpn password xxxxxx
vpngroup <usernamehere> idle-time 1800
telnet 192.68.135.0 255.255.255.0 inside
ssh 80.197.160.22 255.255.255.255 outside
ssh 192.68.135.0 255.255.255.0 inside
ssh timeout 30
management-access inside
management-access outside
wr mem
no ca save all
ca zeroize rsa
ca generate rsa key 1024
ca save all
wr mem
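An added example of the change question 2 asks about (not from the original post): it moves the client pool out of the inside 192.68.135.0/24 subnet to 10.21.0.0/24 and adds the NAT exemption that LAN-to-client replies need so they are not translated by the nat (inside) 1 rule. Assumptions: the pool range 10.21.0.1-10.21.0.50 and the ACL name nonat are chosen here; the split-tunnel ACL vpnclient is defined because the posted vpngroup line references it but the posted config never creates it; lines beginning with ! are annotations, not PIX commands.

```cisco
! 1. Replace the pool that overlapped the inside LAN with one on its own subnet.
no ip local pool ippool 192.68.135.100-192.68.135.150
ip local pool ippool 10.21.0.1-10.21.0.50

! 2. Exempt LAN <-> VPN-client traffic from PAT (nat (inside) 1 -> outside interface).
!    Without this, replies from 192.68.135.x hosts to 10.21.0.x clients are translated
!    and never reach the tunnel.
access-list nonat permit ip 192.68.135.0 255.255.255.0 10.21.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! 3. Define the split-tunnel ACL the vpngroup already points at (assumed name vpnclient):
!    only traffic to the LAN goes through the tunnel, so client internet traffic stays local.
access-list vpnclient permit ip 192.68.135.0 255.255.255.0 10.21.0.0 255.255.255.0
vpngroup xxx-vpn split-tunnel vpnclient

! 4. The pool binding keeps its existing name, so this line is unchanged.
vpngroup xxx-vpn address-pool ippool
wr mem
```

Reconnect the VPN client after the change so it draws a 10.21.0.x address; check with show ip local pool and show crypto ipsec sa that the new pool is in use.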