
VPN can't access LAN


jpandhobbes

Technical User
Mar 1, 2005
17
US
I have the VPN working and have split-tunneling enabled but can't access the LAN behind the PIX 501. Below is copy of config.

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname EIFOFIRE
domain-name EINFO
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.128 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.128 255.255.255.192
access-list split permit any
access-list eisgroup_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool eispool 192.168.1.155-192.168.1.160
pdm location 10.10.10.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup eisgroup address-pool eispool
vpngroup eisgroup split-tunnel eisgroup_splitTunnelAcl
vpngroup eisgroup idle-time 1800
vpngroup eisgroup password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username jodon password *********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:1e1846e62ff8f5bde7972ed08b3a8421
: end
[OK]
 
Tried adding that command but still can't ping or remote desktop to the LAN machine.
Here is the new config:

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_nat0_outbound permit ip any 192.168.1.128 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.128 255.255.255.192
access-list inside_outbound_nat0_acl permit icmp any any echo-reply
access-list inside permit icmp any any echo-reply
access-list outside permit icmp any any echo-reply
access-list eisgroup_splitTunnelAcl_1 permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool eispool 192.168.1.155-192.168.1.160
pdm location 10.10.10.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp nat-traversal 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup eisgroup address-pool eispool
vpngroup eisgroup split-tunnel eisgroup_splitTunnelAcl_1
vpngroup eisgroup idle-time 1800
vpngroup eisgroup password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username jodon password *********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside


Does the fact that the DHCP pool for the inside and the VPN pool are 192.168.1.2-192.168.1.129 (inside) and 192.168.1.155-192.168.1.160 (outside) matter at all?
 
Yes it does! I missed it when I glanced at your configuration. The VPN pool needs to be an unused subnet (or part of an unused subnet); it cannot be the same as your inside subnet or any other subnet you are using on your network.
 
OK, well I changed that and updated the access lists and some of the crypto and sysopt. But I still can't ping or remote desktop to anything behind the firewall. I can VPN just fine but nothing else. Here is the updated config:

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list ein permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool eispool 192.168.2.1-192.168.2.255
pdm location 10.10.10.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list ein
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt ipsec pl-compatible
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set einset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map dynmap 10 set transform-set einset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map einmap 10 ipsec-isakmp dynamic dynmap
crypto map einmap interface outside
isakmp enable outside
isakmp enable inside
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup eingroup address-pool eispool
vpngroup eingroup split-tunnel ein
vpngroup eingroup idle-time 1800
vpngroup eingroup password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
 
access-list ein permit ip 192.168.1.0 255.255.255.0 any

the keyword any should not be on a VPN ACL

The ACL should be:

access-list ein permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
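Added example, not from the thread or from Cisco: a small Python checker for the two mistakes the replies above point out on a PIX 6.x remote-access config (a VPN pool carved out of the inside subnet, and a nat 0 / split-tunnel ACL that uses the keyword any). The sample config fragments are constructed from the lines quoted in this thread.

```python
import ipaddress

# Constructed sample built from the fragments the replies in this thread flagged:
# a VPN pool inside the LAN subnet and a nat 0 / split-tunnel ACL ending in "any".
BROKEN_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
ip local pool eispool 192.168.1.155-192.168.1.160
access-list ein permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list ein
vpngroup eingroup split-tunnel ein
"""

# The same fragment after applying the two fixes the thread arrives at.
FIXED_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
ip local pool eispool 192.168.2.1-192.168.2.254
access-list ein permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list ein
vpngroup eingroup split-tunnel ein
"""


def parse(config):
    """Pull out only the PIX 6.x lines the checks below need."""
    inside, pools, acls, vpn_acls = None, {}, {}, set()
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "address", "inside"]:
            # ipaddress accepts a dotted-decimal mask after the slash
            inside = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:1] == ["access-list"]:
            acls.setdefault(t[1], []).append(t[2:])
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            vpn_acls.add(t[4])  # identity-NAT ACL for VPN client traffic
        elif t[:1] == ["vpngroup"] and "split-tunnel" in t:
            vpn_acls.add(t[t.index("split-tunnel") + 1])
    return inside, pools, acls, vpn_acls


def check(config):
    """Return a list of findings; an empty list means both checks passed."""
    inside, pools, acls, vpn_acls = parse(config)
    findings = []
    # 1. The VPN address pool must not overlap the inside subnet.
    for name, (lo, hi) in pools.items():
        if inside is not None and (lo in inside or hi in inside):
            findings.append(f"pool {name} {lo}-{hi} overlaps inside subnet {inside}")
    # 2. The ACLs driving nat 0 and split tunnelling should name the VPN
    #    pool explicitly rather than using 'any'.
    for name in sorted(vpn_acls):
        for ace in acls.get(name, []):
            if "any" in ace:
                findings.append(f"access-list {name}: '{' '.join(ace)}' uses 'any'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check(cfg) or ["ok"])
```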
 
Ok I changed the access-list from any to 192.168.2.0 255.255.255.0 and I still can't access the PC behind the firewall when connected through VPN. Is there a VPNgroup command to allow passthrough from external to internal. Or do I need to route the packets back correctly or something?
 
If your internal LAN is a domain, then you need to specify in your vpngroup..

"vpngroup eingroup default-domain yourdomain"

where yourdomain would of course be the name of your domain, and no "".

Not sure if this would help, but worth pointing out.

Computer/Network Technician
CCNA
 
Tried the vpngroup eingroup default-domain xxxxxxxx
Ambigious Command please enter more characters

Another thing to add to possible problems: the PIX firewall is unable to ping the computer connected to it on the inside interface. The PC connected to it on the inside interface can ping it (the PIX firewall) but the firewall cannot ping it. There is no software firewall on the computer and no special settings. This is probably most directly connected to why I am unable to connect to the machine behind the firewall while being VPNed into the firewall.
 
Is the machine you are attempting to ping XP? Maybe its firewall is on. XP SP2 turns on the firewall by default.

when you typed in the command, did you type it in with the xxxx's ??

Computer/Network Technician
CCNA
 
To avoid confusion:
original setup: PC A1 connected to outside interface of PIX
PC B1 inside of PIX
A1 VPN OK to PIX, could not access B1
switched it:
B1 outside, A1 inside
B1 VPN OK to firewall
B1 could access A1

So the problem lies with B1. I will try to figure it out. It is not the Windows firewall setting because that is turned off. I can't even Remote Desktop to B1 from A1 when there is not a firewall between them and they are on the same network. I will work on it and post back if I figure it out. Thank you all very much for your help and time.
 
Not a problem, make sure to let us know what is causing the problem!

Computer/Network Technician
CCNA
 
One of the things I have learned about the PIX is that if you don't specify a route to the particular network, it can't find it even if it is directly connected.

I have had to add inside routes to point to my various subnets through my inside interface and then could I ping from the pix to an inside device.

ie

route inside 10.15.60.0 255.255.255.0 <inside interface IP address> and the metric which would be 1

Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
Hopefully this changes with the 7.0 software.

Computer/Network Technician
CCNA
 
...and yet DrMarkGreen (MIS), I just had an issue resolved where we could NOT see the network on either side of a L2L tunnel due to the existing inside routes...once we removed them, then from each PIX 501/515 both sides could ping each other...whassup with that...7.0??
 
I think the PIX is over complicated. I have an interesting problem on my pix 515 as well that just does not make sense and it has to do with NAT'g etc. You would think that cisco would just make it simple but instead they have to tie this access list to that interface, this global nat to this interface, this static nat to these two interfaces and mind you the crypto maps for the vpn tunnels which require that you NOT nat them... calgon take me away!!!!


Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
Hello,
First, sorry if my English is not very good, but I'm French.
Well, I have nearly the same problem because I've two PIX 501s in tunnelling but it's impossible to access the LAN through the tunnel. I test it just with a simple ICMP ping but it is still not working. For detail:
I can ping from inside to the PC connected to it
I can't ping from inside to outside, like (ping inside @ip_outside)
I can't ping from the PC to outside
I can ping from outside to outside (tunnel)
and the same for the second PIX
See my config for detail:
pix-1:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX-1
domain-name pix1
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.2.2 pix-2out
name 192.168.0.251 pix-2in
access-list 101 permit ip any any
access-list inside_access_in permit icmp any any
access-list outside_access_in permit icmp any any
pager lines 24
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any outside
icmp permit any inside
icmp permit any echo-reply inside
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.1 255.255.255.0
ip address inside 10.1.48.251 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
router ospf 1
network 10.0.0.0 255.0.0.0 area 0
network 192.168.2.0 255.255.255.0 area 0
log-adj-changes
route outside 192.168.0.0 255.255.255.0 0.0.0.0 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.48.140 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set pix1_outside esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer pix-2out
crypto map transam 1 set transform-set pix1_outside
crypto map transam interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address pix-2out netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 10000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:a530aa3b00a7485d28e9a8a0a3b9f041
: end


pix-2:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX-2
domain-name pix2
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.2.1 pix-1out
name 10.1.48.251 pix-1in
access-list 101 permit ip any any
access-list 102 permit ip any 192.168.0.0 255.255.255.0
access-list inside_access_in permit icmp any any
access-list outside_access_in permit icmp any any
pager lines 24
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any outside
icmp permit any inside
icmp permit any echo-reply inside
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.0.251 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.1 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (inside) 2 192.168.0.0-192.168.0.1 netmask 255.255.255.0
nat (inside) 0 192.168.0.1 255.255.255.255 0 0
router ospf 1
network 192.168.0.0 255.255.255.0 area 0
network 192.168.2.0 255.255.255.0 area 0
log-adj-changes
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set pix2_out esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer pix-1out
crypto map transam 1 set transform-set pix2_out
crypto map transam interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address pix-1out netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 10000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:56b783772c035332b0cce4898fbfdf47
: end


I'm interested in any solution to resolve this problem.
Thanks to anybody who's looking into it.


 
When you do a point to point tunnel via the pix, you have to have the following:

1. Unless the far end is using similar subnet, you do not want to NAT the internal IPs.

2. Make sure your access lists on both ends allow you in and out.

3. Make sure you tie a crypto map access list as well. This has to be identical on both sides or you won't get through.

If you need more info, I can paste what I call my cheat sheet for creating a point to point tunnel etc.

Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
Thanks for answering me.

My inside subnets on pix-1 and pix-2 aren't similar, so you think I have to not use NAT on both?
I think my ACLs are OK because they are 'any any'.
And for the crypto map access-list, what kind of things must I have in my config? I'm a beginner in PIX config, and if you can paste me your example config, I'm interested.
 
I would not NAT them if the subnets are different. NAT is just one more level of complication you have to deal with as opposed to being specific as to the nodes you want to come through.

Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 