Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX Configuration problems

Status
Not open for further replies.
one234

one234

IS-IT--Management
Mar 8, 2003
728
GB
Hello All,

I'm trying to configure a Cisco PIX so users can connect to the PIX using the Cisco VPN client and access the local network (1 subnet )

I think this should be 1 of the easiest configurations possible, but I’m unable to get it to work.

The network looks like this:

Outside ip address: 192.168.4.250 (For test, this is going to be a internet address)
Inside ip address: 192.168.2.1/24
DHCP pool: 192.168.3.100-192.168.3.109

Users are able to connect to the PIX using a pre-shared key and a username and password. They also get an IP address from the DHCP pool.

The problem is that users are unable to connect/ping to servers in the local LAN (192.168.2.x) and from the 2.x network to the 3.x network.

Could anyone tell me how to configure the PIX so users will be able to connect to the servers and apps on the 192.168.2.x network?

Thank you in advance!

Best regards,

Marc D.



Marc D.

If Bill Gates had a nickel for every time Windows crashed... Oh wait, he does...
 
Sort by date Sort by votes
Could you provide your config, I am thinking it has to do with your NAT transversal. I had this same problem about a year ago.
 
Upvote 0 Downvote
See if you have

sysopt connection permit-ipsec

in your config. This allows all IPsec traffic to bypass the outside interface ACL. Also, make sure that your ACL on the inside interface isn't blocking the traffic sent back out.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Hi,

Thank you for the reply's. This is my current config:
Code: 
: Saved
: Written by enable_15 at 07:12:11.898 UTC Fri Jan 11 2008
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx encrypted
passwd xxxx encrypted
hostname netfirstpix
domain-name netfirst.biz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list tunnel permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list tunnel permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

pager lines 24
logging on
logging timestamp
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside 192.168.4.250 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool NetfirstPool 192.168.3.100-192.168.3.109
pdm history enable
arp timeout 14400
nat (inside) 0 access-list tunnel
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup NetfirstGroup address-pool netfirstpool
vpngroup NetfirstGroup idle-time 600
vpngroup NetfirstGroup password xxxx
telnet timeout 5
ssh x.x.x.x 255.255.255.240 outside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username xxxx password xxxx encrypted privilege 15
terminal width 80



Marc D.

If Bill Gates had a nickel for every time Windows crashed... Oh wait, he does...
 
Upvote 0 Downvote
Try adding an outside route.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
96
xwray
xwray
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
121
brownmab53
brownmab53
quazimotto
  • Locked
  • Question
Correct Upgrade Path for PIX
Replies
7
Views
188
quazimotto
quazimotto
quazimotto
  • Locked
  • Question
Ping thru PIX to subnet inside??!!
Replies
0
Views
75
quazimotto
quazimotto
hall5942
  • Locked
  • Question
Site to Site VPN with Cisco 881 and PIX
Replies
0
Views
74
hall5942
hall5942

Part and Inventory Search

Sponsor

Back
Top