
Only one ping through from vpn client to pix501


ebusdk

IS-IT--Management
Jan 20, 2005
1 - I only get one ping through when I try to ping the server on the LAN from my remote VPN client.

2 - What do I need to change if I want the remote VPN users to get a 10.21.0.x network instead of the 192.68.135.x?


This is the reply:

Pinging 192.68.135.14 with 32 bytes of data:

Reply from 192.68.135.14: bytes=32 time=37ms TTL=128
Request timed out.
Request timed out.

This is my config:



interface ethernet0 10baset
interface ethernet1 100full

nameif ethernet0 outside security0
nameif ethernet1 inside security100

enable password xxxx
passwd xxxx

hostname pix501
domain-name xxxx.local

access-list inet-incoming permit tcp any host xx.xx.xx.xx eq www
access-list inet-incoming permit tcp any host xx.xx.xx.xx eq ftp-data
access-list inet-incoming permit tcp any host xx.xx.xx.xx eq ftp
access-list inet-incoming permit tcp any host xx.xx.xx.xx eq https
access-list inet-incoming permit tcp any host 2xx.xx.xx.xx eq smtp
access-list inet-incoming permit tcp any host xx.xx.xx.xx eq 3389
access-list inet-incoming permit icmp any any

ip address outside xx.xx.xx.xx 255.255.255.248
ip address inside 192.68.135.2 255.255.255.0
ip local pool ippool 192.68.135.100-192.68.135.150
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server mobileauth protocol radius
aaa-server mobileauth max-failed-attempts 3
aaa-server mobileauth deadtime 10
aaa-server mobileauth (inside) host 192.68.135.12 xxxxxxxxxx timeout 5

global (outside) 1 interface
nat (inside) 1 192.68.135.0 255.255.255.0 0 0

static (inside,outside) tcp xx.xx.xx.xx 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.xx ftp-data 192.68.135.130 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.xx ftp 192.68.135.130 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 21xx.xx.xx.xx https 192.68.135.130 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.xx smtp 192.68.135.130 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.xx 3389 192.68.135.12 3389 netmask 255.255.255.255 0 0
access-group inet-incoming in interface outside
conduit permit icmp any any

snmp-server location Denmark
snmp-server contact IT-grp teknik@xxxxxx.dk
snmp-server community public
no snmp-server enable traps
floodguard enable

sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 50 set transform-set strong
crypto map asha 50 ipsec-isakmp dynamic dynmap
crypto map asha client configuration address initiate
crypto map asha client configuration address respond
crypto map asha client authentication mobileauth
crypto map asha interface outside
isakmp enable outside
isakmp nat-traversal
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup xxx-vpn address-pool ippool
vpngroup xxx-vpn dns-server 192.68.135.13
vpngroup xxx-vpn wins-server 192.68.135.13
vpngroup xxx-vpn default-domain asha.local
vpngroup xxx-vpn split-tunnel vpnclient
vpngroup xxx-vpn idle-time 1800
vpngroup xxx-vpn password xxxxxx
vpngroup <usernamehere> idle-time 1800
telnet 192.68.135.0 255.255.255.0 inside
ssh 80.197.160.22 255.255.255.255 outside
ssh 192.68.135.0 255.255.255.0 inside
ssh timeout 30
management-access inside
management-access outside


wr mem
no ca save all
ca zeroize rsa
ca generate rsa key 1024
ca save all
wr mem
 
The VPN pool has to be part of an unused subnet in your network, it cannot be in the same subnet as your inside subnet. All you need to do is configure a new VPN pool and assign it to the VPN clients with the vpngroup... command.
 
So that would work if I wrote this:
access-list 101 permit ip 192.68.135.0 255.255.255.0 10.21.1.0 255.255.255.0
ip local pool ippool 10.21.1.1-10.21.1.254
 
From your config:

vpngroup xxx-vpn split-tunnel vpnclient

So your ACL should be:

access-list vpnclient permit ip 192.68.135.0 255.255.255.0 10.21.1.0 255.255.255.0
 
So it would be:
access-list 101 permit ip 192.68.135.0 255.255.255.0 10.21.1.0 255.255.255.0
ip local pool ippool 10.21.1.1-10.21.1.254
vpngroup xxx-vpn split-tunnel vpnclient
access-list vpnclient permit ip 192.68.135.0 255.255.255.0 10.21.1.0 255.255.255.0

?
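The two points raised in the replies (the client pool must not sit inside the inside-interface subnet, and the ACL named by `split-tunnel` has to actually exist) can be checked mechanically before a `wr mem`. The script below is an added example, not code from the thread or from Cisco; it parses only the handful of PIX 6.x statements involved and uses constructed "before" and "after" snippets based on the config above, assuming the second reply's pool (10.21.1.0/24) and ACL name (`vpnclient`).

```python
import ipaddress
import re

# Constructed sample: the relevant lines from the original config (before the fix).
BEFORE = """
ip address inside 192.68.135.2 255.255.255.0
ip local pool ippool 192.68.135.100-192.68.135.150
vpngroup xxx-vpn address-pool ippool
vpngroup xxx-vpn split-tunnel vpnclient
"""

# Constructed sample: the same lines after applying the replies' advice.
AFTER = """
ip address inside 192.68.135.2 255.255.255.0
ip local pool ippool 10.21.1.1-10.21.1.254
access-list vpnclient permit ip 192.68.135.0 255.255.255.0 10.21.1.0 255.255.255.0
vpngroup xxx-vpn address-pool ippool
vpngroup xxx-vpn split-tunnel vpnclient
"""


def check_vpn_config(config: str) -> list[str]:
    """Return a list of findings; an empty list means both checks passed."""
    inside = None     # inside interface network
    pools = {}        # pool name -> (first address, last address)
    acls = set()      # names of every access-list that has at least one entry
    groups = {}       # vpngroup name -> {"pool": ..., "split": ...}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ip address inside (\S+) (\S+)$", line):
            inside = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m[1])
        elif m := re.match(r"vpngroup (\S+) address-pool (\S+)$", line):
            groups.setdefault(m[1], {})["pool"] = m[2]
        elif m := re.match(r"vpngroup (\S+) split-tunnel (\S+)$", line):
            groups.setdefault(m[1], {})["split"] = m[2]

    findings = []
    for name, g in groups.items():
        pool = pools.get(g.get("pool"))
        # Check 1: the client pool must be an unused subnet, not part of the inside LAN.
        if pool and inside and (pool[0] in inside or pool[1] in inside):
            findings.append(f"{name}: pool {pool[0]}-{pool[1]} overlaps inside subnet {inside}")
        # Check 2: the split-tunnel ACL must be defined, or the reference is dangling.
        split = g.get("split")
        if split and split not in acls:
            findings.append(f"{name}: split-tunnel ACL '{split}' is never defined")
    return findings
```

Running `check_vpn_config(BEFORE)` reports both problems; `check_vpn_config(AFTER)` returns an empty list.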

 