
Problem with VPN on PIX 506


mlaman

Technical User
Sep 23, 2009
I am unable to get traffic routing to my inside network from my VPN pool on a new setup of remote-access VPN. Authentication works and I get an IP address from the pool, but I cannot pass traffic. I am much more familiar with the ASA and use the ASDM, so I am rusty on the CLI and the PDM. I am attaching the config, with some items removed for security, if someone can let me know.

access-list NO_NAT permit ip any VPN_pool 255.255.255.0
access-list nb1_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 VPN_pool 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.128
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.192 255.255.255.192
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 VPN_pool 255.255.255.0
access-list inside_access_in permit ip any any
access-list nb3_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any VPN_pool 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any VPN_pool 255.255.255.0
access-list outside_cryptomap_dyn_60 permit ip any 192.168.1.192 255.255.255.192
pager lines 24
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.2.100-192.168.2.200
ip local pool VPNinside 192.168.1.220-192.168.1.227
arp timeout 14400
global (outside) 1 interface
global (outside) 2 X.X.X.X netmask 255.255.255.240
global (outside) 3 X.X.X.X netmask 255.255.255.240
global (inside) 4 192.168.4.10-192.168.4.100 netmask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 192.168.1.128 255.255.255.192 0 0
nat (inside) 3 192.168.1.192 255.255.255.192 0 0
nat (inside) 1 192.168.1.0 255.255.255.128 0 0
access-group inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 X.X.X.X
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup nb1 address-pool VPNinside
vpngroup nb1 split-tunnel nb1_splitTunnelAcl
vpngroup nb1 idle-time 1800
vpngroup nb1 password ********
vpngroup nb2 address-pool vpnpool
vpngroup nb2 idle-time 1800
vpngroup nb2 password ********
vpngroup nb3 address-pool VPNinside
vpngroup nb3 split-tunnel nb3_splitTunnelAcl
vpngroup nb3 idle-time 1800
vpngroup nb3 password ********
 
Here is a basic template:

access-list no_nat permit ip [INTERNAL_IP_Scheme] [VPNPOOL_IP_Scheme]

nat (inside) 0 access-list no_nat
sysopt connection permit-ipsec
ip local pool VPNPool 192.168.253.1-192.168.253.254

VPN-Client-MODE
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map [DYNAMIC_MAPNAME] 10 set transform-set 3DES
crypto map [MAPNAME] 40 ipsec-isakmp dynamic [DYNAMIC_MAPNAME]
crypto map [MAPNAME] client authentication LOCAL
crypto map [MAPNAME] interface outside

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
isakmp identity address
isakmp enable outside

vpngroup [VPN_GROUP_NAME] address-pool VPNPool
vpngroup [VPN_GROUP_NAME] dns-server [INTERNAL_DNS_IP]
vpngroup [VPN_GROUP_NAME] wins-server [INTERNAL_WINS_IP]
vpngroup [VPN_GROUP_NAME] default-domain [DOMAIN_NAME.COM]
vpngroup [VPN_GROUP_NAME] idle-time 1800
vpngroup [VPN_GROUP_NAME] password [GROUP_PASSWORD]

username [USERNAME] password [PASSWORD] privilege 1

Start with the above and then make it more specific as you need.
You should not make the VPN pool anything that is on one of your networks, nor anything that could be the network the client attaches to in order to VPN into yours (192.168.1.0, 192.168.2.0, 192.168.10.0, 192.168.100.0 - most any consumer router default).

Go through and double/triple check that you are putting in the correct subnets and network statements. Yours is a little convoluted, so it gets confusing quickly.

Let me know how it goes.

Brent
Systems Engineer / Consultant
CCNP, CCSP
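The two things the reply above asks the poster to verify by hand (that the pool sits outside the inside network and outside the usual consumer-router LANs, and that the `nat (inside) 0` ACL exempts inside-to-pool traffic from NAT) can be checked mechanically. The script below is an added example written for this thread; it is not from the poster, from Brent, or from Cisco. It parses the handful of PIX 6.x commands involved (`ip address`, `ip local pool`, `name`, `access-list ... permit ip`, `nat (...) 0 access-list`, `sysopt connection permit-ipsec`) and reports overlaps and missing exemptions. The sample configs are constructed from the lines posted in the thread; treating Brent's consumer defaults as /24s, and treating an object name that has no `name` line in the paste as unresolvable (so the ACE is skipped), are assumptions of the example.

```python
"""Lint a PIX 6.x remote-access VPN config for pool overlap and a missing nat 0 exemption.

Added example for the Tek-Tips thread above, not vendor or poster code.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Consumer-router default LANs listed in the reply; modelled as /24s (assumption).
CONSUMER_DEFAULT_NETS = [
    ipaddress.ip_network(n)
    for n in ("192.168.1.0/24", "192.168.2.0/24", "192.168.10.0/24", "192.168.100.0/24")
]

_POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
_IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)")
_NAME_RE = re.compile(r"^name (\S+) (\S+)")          # name <ip> <object-name>
_NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def _take_net(toks: List[str], i: int, names: Dict[str, str]):
    """Consume 'any', 'host A' or 'A MASK' at toks[i]; return (network, next index).

    Raises ValueError if A is an object name with no 'name' line in the config.
    """
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(names.get(toks[i + 1], toks[i + 1]) + "/32"), i + 2
    addr = names.get(toks[i], toks[i])
    return ipaddress.ip_network(f"{addr}/{toks[i + 1]}", strict=False), i + 2


def parse_config(text: str) -> dict:
    """Pull out interfaces, pools (as start/end), nat 0 ACL bindings and 'permit ip' ACEs."""
    names: Dict[str, str] = {}
    pools: Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = {}
    ifaces: Dict[str, ipaddress.IPv4Network] = {}
    aces: Dict[str, list] = {}
    nat0: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _NAME_RE.match(line)):
            names[m.group(2)] = m.group(1)
        elif (m := _POOL_RE.match(line)):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif (m := _IFACE_RE.match(line)):
            ifaces[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        elif (m := _NAT0_RE.match(line)):
            nat0[m.group(1)] = m.group(2)
        elif line.startswith("access-list "):
            toks = line.split()
            if len(toks) >= 6 and toks[2] == "permit" and toks[3] == "ip":
                try:
                    src, i = _take_net(toks, 4, names)
                    dst, _ = _take_net(toks, i, names)
                except (ValueError, IndexError):
                    continue  # unresolved object name (e.g. a 'name' line left out of the paste)
                aces.setdefault(toks[1], []).append((src, dst))
    return {"names": names, "pools": pools, "ifaces": ifaces, "aces": aces, "nat0": nat0,
            "permit_ipsec": "sysopt connection permit-ipsec" in text}


def _range_overlaps(net: ipaddress.IPv4Network, start, end) -> bool:
    return net.network_address <= end and net.broadcast_address >= start


def pool_overlaps(cfg: dict) -> List[str]:
    """Flag any pool that lands inside an interface network or a consumer default LAN."""
    findings = []
    for pool, (start, end) in cfg["pools"].items():
        for ifname, ifnet in cfg["ifaces"].items():
            if _range_overlaps(ifnet, start, end):
                findings.append(f"pool {pool} ({start}-{end}) overlaps {ifname} network {ifnet}")
        for dflt in CONSUMER_DEFAULT_NETS:
            if _range_overlaps(dflt, start, end):
                findings.append(f"pool {pool} ({start}-{end}) overlaps consumer default {dflt}")
    return findings


def nat0_exempts_pool(cfg: dict, iface: str, pool: str) -> bool:
    """True if the nat (iface) 0 ACL has an ACE covering iface-network -> whole pool."""
    acl = cfg["nat0"].get(iface)
    if acl is None:
        return False
    inside = cfg["ifaces"][iface]
    start, end = cfg["pools"][pool]
    return any(inside.subnet_of(src) and dst.network_address <= start and dst.broadcast_address >= end
               for src, dst in cfg["aces"].get(acl, []))


def lint(text: str, iface: str = "inside") -> dict:
    cfg = parse_config(text)
    report = {"overlaps": pool_overlaps(cfg), "nat0_missing": [], "permit_ipsec": cfg["permit_ipsec"]}
    if iface in cfg["ifaces"]:
        report["nat0_missing"] = [p for p in cfg["pools"] if not nat0_exempts_pool(cfg, iface, p)]
    return report


# Constructed from the original post (VPN_pool has no 'name' line in the paste).
BROKEN_CONFIG = """
ip address inside 192.168.1.254 255.255.255.0
ip local pool vpnpool 192.168.2.100-192.168.2.200
ip local pool VPNinside 192.168.1.220-192.168.1.227
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 VPN_pool 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.192 255.255.255.192
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
"""

# Constructed from the template as the poster applied it.
FIXED_CONFIG = """
ip address inside 192.168.1.254 255.255.255.0
access-list no_nat permit ip 192.168.1.0 255.255.255.0 192.168.253.0 255.255.255.0
nat (inside) 0 access-list no_nat
sysopt connection permit-ipsec
ip local pool VPNPool 192.168.253.1-192.168.253.254
"""

if __name__ == "__main__":
    for label, cfg_text in (("original", BROKEN_CONFIG), ("template", FIXED_CONFIG)):
        print(label, lint(cfg_text))
```

Run against the original post's lines it reports that `VPNinside` sits inside the 192.168.1.0/24 inside network, that both pools land on consumer default LANs, and that `vpnpool` has no resolvable nat 0 exemption in the paste; the template config comes back clean.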
 
I added the configuration you suggested, minus the DNS and WINS, since they only use IP addresses and I thought there was no need to add them. I added this via the CLI, but it does the same thing: it connects, but no traffic passes to the VPN user.

access-list no_nat permit ip 192.168.1.0 255.255.255.0 192.168.253.0 255.255.255.0
nat (inside) 0 access-list no_nat
sysopt connection permit-ipsec
ip local pool VPNPool 192.168.253.1-192.168.253.254
VPN-Client-MODE
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map NB3 10 set transform-set 3DES
crypto map NB 40 ipsec-isakmp dynamic NB3
crypto map NB client authentication LOCAL
crypto map NB interface outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
isakmp identity address
isakmp enable outside
vpngroup NB address-pool VPNPool
vpngroup NB idle-time 1800
vpngroup NB password Nb1
 
I found the issue on the second try. The old vpnpool was not removed completely; after removing it and adding this again, it worked. Thanks for your help.
 