
Ping is allowed but no other traffic in remote access VPN

Status
Not open for further replies.

4nd7 (IS-IT--Management), Aug 23, 2005
Hello all,
I have a problem with remote access VPN using a PIX 501 and the Cisco VPN Client 4.8.01.0300. The thing is, I can connect to the PIX and I can ping hosts located on the inside network, but that's it. I cannot, for example, use RDC on a Win2003 server.
Below is the configuration:

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix

fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list splittunnelACL permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.1 255.255.255.0
ip address inside 192.168.3.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remotepool 192.168.1.150-192.168.1.159
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set mytrans esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set mytrans
crypto map statmap 999 ipsec-isakmp dynamic dynmap
crypto map statmap client configuration address respond
crypto map statmap interface outside
isakmp enable outside
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn address-pool remotepool
vpngroup vpn dns-server 192.168.3.1
vpngroup vpn split-tunnel splittunnelACL
vpngroup vpn idle-time 600
vpngroup vpn password ********
vpngroup idle-time idle-time 1800


Thank you for your time,
Andy.
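A consistency check for the remote-access parts of this kind of PIX 6.x configuration, added here as an example and not code from the thread or from Cisco. It parses the ACL, pool, nat 0, sysopt and vpngroup lines (the embedded excerpt is a constructed copy of the relevant lines from the config above), and then verifies the plumbing that decides whether a VPN client can reach the inside network at all: the pool must not overlap the inside subnet, decrypted traffic must bypass the outside ACL, the nat 0 ACL must exempt inside-to-pool traffic from NAT, and the split-tunnel ACL must cover the pool. The pool size, ACL names and group name are whatever the config says; nothing is hard-coded beyond the line formats.

```python
"""Consistency check for a PIX 6.x remote-access VPN configuration.

Added example (not from the thread): it parses the ACL, pool, nat 0 and
vpngroup lines of a PIX config and checks that the address pool handed to
VPN clients is exempted from NAT and covered by the split-tunnel ACL.
"""
import ipaddress
import re

# Constructed excerpt of the relevant lines from the configuration posted above.
PIX_CONFIG = """\
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list splittunnelACL permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address inside 192.168.3.254 255.255.255.0
ip local pool remotepool 192.168.1.150-192.168.1.159
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
vpngroup vpn address-pool remotepool
vpngroup vpn split-tunnel splittunnelACL
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)$")


def parse_config(text):
    """Pull out the pieces that matter for remote-access VPN reachability."""
    cfg = {"acls": {}, "pools": {}, "nat0": None, "permit_ipsec": False,
           "inside": None, "vpngroups": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            cfg["acls"].setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := POOL_RE.match(line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                        ipaddress.ip_address(m.group(3)))
        elif m := INSIDE_RE.match(line):
            cfg["inside"] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
        elif line.startswith("nat (inside) 0 access-list "):
            cfg["nat0"] = line.split()[-1]
        elif line == "sysopt connection permit-ipsec":
            cfg["permit_ipsec"] = True
        elif line.startswith("vpngroup "):
            _, group, key, *rest = line.split()
            cfg["vpngroups"].setdefault(group, {})[key] = " ".join(rest)
    return cfg


def pool_addresses(pool):
    """Expand a first-last pool tuple into individual addresses."""
    first, last = pool
    return [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]


def acl_covers_pool(entries, inside, pool):
    """True if every pool address is matched, inside -> pool, by some ACL entry."""
    return all(any(inside.subnet_of(src) and addr in dst for src, dst in entries)
               for addr in pool_addresses(pool))


def check_remote_access(cfg, group):
    """Return a list of findings; an empty list means the plumbing looks sane."""
    findings = []
    grp = cfg["vpngroups"].get(group, {})
    pool = cfg["pools"].get(grp.get("address-pool"))
    if pool is None or cfg["inside"] is None:
        return [f"vpngroup {group}: address-pool or inside interface not defined"]
    if any(addr in cfg["inside"] for addr in pool_addresses(pool)):
        findings.append("VPN pool overlaps the inside subnet; clients will collide with LAN hosts")
    if not cfg["permit_ipsec"]:
        findings.append("sysopt connection permit-ipsec missing: decrypted traffic hits the outside ACL")
    if not acl_covers_pool(cfg["acls"].get(cfg["nat0"], []), cfg["inside"], pool):
        findings.append(f"nat 0 ACL {cfg['nat0']!r} does not exempt inside -> pool traffic from NAT")
    split = grp.get("split-tunnel")
    if split and not acl_covers_pool(cfg["acls"].get(split, []), cfg["inside"], pool):
        findings.append(f"split-tunnel ACL {split!r} does not send inside -> pool traffic through the tunnel")
    return findings


if __name__ == "__main__":
    for finding in check_remote_access(parse_config(PIX_CONFIG), "vpn") or ["no findings"]:
        print(finding)
```

Run against the excerpt it reports nothing, which matches what the replies below conclude about the PIX side; change the pool to a subnet the two ACLs do not mention and it flags both the NAT exemption and the split-tunnel ACL, which is the usual cause when a client can build the tunnel but reach nothing behind it.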
 
After you establish your connection, do "route print" and post your result here.


 
pix(config)# show route
outside 0.0.0.0 0.0.0.0 86.122.x.x 1 OTHER static
outside 86.122.211.0 255.255.255.0 86.122.x.x 1 CONNECT static
inside 192.168.3.0 255.255.255.0 192.168.3.254 1 CONNECT static

Thanks horus42.
 
Sorry, this is the route print output:

U:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0f fe ac 5b f0 ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
0x10004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.10.254    192.168.10.3      20
    86.122.211.73  255.255.255.255   192.168.10.254    192.168.10.3       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0     192.168.10.3    192.168.10.3      30
      192.168.1.0    255.255.255.0    192.168.1.150   192.168.1.150      20
    192.168.1.150  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255    192.168.1.150   192.168.1.150      20
      192.168.3.0    255.255.255.0    192.168.1.150   192.168.1.150       1
     192.168.10.0    255.255.255.0     192.168.10.3    192.168.10.3      20
     192.168.10.1  255.255.255.255     192.168.10.3    192.168.10.3       1
     192.168.10.3  255.255.255.255        127.0.0.1       127.0.0.1      20
   192.168.10.255  255.255.255.255     192.168.10.3    192.168.10.3      20
        224.0.0.0        240.0.0.0    192.168.1.150   192.168.1.150      20
        224.0.0.0        240.0.0.0     192.168.10.3    192.168.10.3      20
  255.255.255.255  255.255.255.255    192.168.1.150   192.168.1.150       1
  255.255.255.255  255.255.255.255     192.168.10.3    192.168.10.3       1
Default Gateway:    192.168.10.254
===========================================================================
Persistent Routes:
None
 
Looking at this route print I can see there's a route for the remote segment; I asked you for the route print to make sure that you are actually pinging the remote network.

192.168.1.0 255.255.255.0 192.168.1.150 192.168.1.150
192.168.3.0 255.255.255.0 192.168.1.150 192.168.1.150

I actually don't see any obvious mistakes in your configuration. Can you please establish the VPN and then initiate an RDP or SSH connection to one of your servers and watch the logs? Make sure that you enable the logs.

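The check horus42 is doing by eye, as an added example (not code from the thread or from any participant): parse the Active Routes section of a Windows `route print`, resolve a destination the way the host does (longest prefix first, lowest metric on a tie) and report whether that path leaves through the VPN adapter. The embedded table is a constructed copy of the output posted above; the VPN adapter address 192.168.1.150 and the inside subnet 192.168.3.0/24 come from the thread, and the Internet address used in the usage note is a documentation address chosen for illustration.

```python
"""Check a Windows `route print` table for the routes a split-tunnel VPN should install.

Added example (not from the thread): it parses the Active Routes section,
resolves a destination the way the host would (longest prefix, then lowest
metric) and reports whether that path leaves through the VPN adapter.
"""
import ipaddress
import re

# Constructed copy of the route print output posted above.
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.10.254    192.168.10.3      20
    86.122.211.73  255.255.255.255   192.168.10.254    192.168.10.3       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0     192.168.10.3    192.168.10.3      30
      192.168.1.0    255.255.255.0    192.168.1.150   192.168.1.150      20
    192.168.1.150  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255    192.168.1.150   192.168.1.150      20
      192.168.3.0    255.255.255.0    192.168.1.150   192.168.1.150       1
     192.168.10.0    255.255.255.0     192.168.10.3    192.168.10.3      20
     192.168.10.1  255.255.255.255     192.168.10.3    192.168.10.3       1
     192.168.10.3  255.255.255.255        127.0.0.1       127.0.0.1      20
   192.168.10.255  255.255.255.255     192.168.10.3    192.168.10.3      20
        224.0.0.0        240.0.0.0    192.168.1.150   192.168.1.150      20
        224.0.0.0        240.0.0.0     192.168.10.3    192.168.10.3      20
  255.255.255.255  255.255.255.255    192.168.1.150   192.168.1.150       1
  255.255.255.255  255.255.255.255     192.168.10.3    192.168.10.3       1
Default Gateway:    192.168.10.254
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# A data row is four dotted quads followed by an integer metric.
ROW_RE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+(\d+)\s*$")


def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from Active Routes."""
    routes = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # headers, separators and the Default Gateway line
        dest, mask, gw, iface, metric = m.groups()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                       ipaddress.ip_address(gw),
                       ipaddress.ip_address(iface),
                       int(metric)))
    return routes


def route_for(routes, target):
    """Longest-prefix match; lowest metric breaks ties (how the host picks a route)."""
    target = ipaddress.ip_address(target)
    matches = [r for r in routes if target in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def goes_via_vpn(routes, target, vpn_addr):
    """True if traffic to target leaves through the interface holding the VPN pool address."""
    r = route_for(routes, target)
    return r is not None and r[2] == ipaddress.ip_address(vpn_addr)


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for dst in ("192.168.3.1", "192.168.10.1", "203.0.113.5"):
        print(dst, "via VPN" if goes_via_vpn(table, dst, "192.168.1.150") else "direct")
```

With this table, anything in 192.168.3.0/24 resolves to the metric-1 route out of the VPN adapter, while 192.168.10.x and the default route stay on the physical NIC, which is exactly what a split tunnel should look like. When the route is present but ping still fails, the routing table is ruled out and the remaining suspects are the tunnel itself, the PIX logs, or a host-based firewall on either end.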
 
4nd7,

..let me see if I got this right.
..you are trying to remote desktop to a Windows server but cannot.
..but you can ping that server?

..and of course all of this is through the tunnel..

 
Hello and thank you for your responses.
Something strange happened after I played with the MTU options. I can connect, the VPN is established, but now I cannot ping the server. I restored the settings concerning the MTU and the problem still exists.
Today I will make some tests with the PIX and another computer instead of the one that I've used until now. I will post the results here.

NetworkGhost:
I've used the actual IPs of the hosts and not the names.

DanInRaleigh:
Yes, I was trying to establish a remote desktop connection with a Win2003 server, but I couldn't, even though the server responded to ping. What I didn't try is connecting to the PIX by SSH using the internal IP through the VPN.
The problem now is that I cannot ping the server.

horus42:
The route print looks exactly the same now as the one that I've posted here. But no ping.

I think that the problem is the computer from which I'm initiating the connection.


Thank you.
 
....I have to say this even though I know you probably checked it..
....the firewall settings on the server, do you have it set to respond to pings and RDP?

...also, if it is pinging (proving network connectivity), I would utilize the Network Monitor snap-in to prove whether the RDP requests were/were not making it to the server...

 
Hello,
the problem is with the computer from which I was trying to connect.
I've used another one and everything is fine.
The first one has Panda Antivirus and Firewall plus the ISA Server client installed.
The second one has Zone Alarm Security Suite installed.

Thank you all for your help!
 