VPN Client 3.6.2A to PIX - cannot ping inside interface or access PDM


stakano

MIS
May 19, 2002
14
CA
I have built my tunnel and I can even ping a host on the inside.

36: Outbound ICMP echo reply (len 32 id 2 seq 7425) 192.168.3.100 > 192.168.3.100 > 192.168.12.1
37: Inbound ICMP echo request (len 32 id 2 seq 7681) 192.168.12.1 > 192.168.3.100 > 192.168.3.100
38: Outbound ICMP echo reply (len 32 id 2 seq 7681) 192.168.3.100 > 192.168.3.100 > 192.168.12.1
39: Inbound ICMP echo request (len 32 id 2 seq 7937) 192.168.12.1 > 192.168.3.100 > 192.168.3.100
40: Outbound ICMP echo reply (len 32 id 2 seq 7937) 192.168.3.100 > 192.168.3.100 > 192.168.12.1
41: Inbound ICMP echo request (len 32 id 2 seq 8193) 192.168.12.1 > 192.168.3.100 > 192.168.3.100
42: Outbound ICMP echo reply (len 32 id 2 seq 8193) 192.168.3.100 > 192.168.3.100 > 192.168.12.1

The problem is that I cannot access the PDM or even ping the inside interface.

Here is my current config.

Any ideas? Thanks!

---------------------------------------
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any
access-list 100 permit tcp any host x.x.x.x eq ftp
access-list localtovpnclient permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list nonatinside permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
pager lines 24
logging on
logging trap debugging
logging history debugging
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.224
ip address inside 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclientpool 192.168.12.1-192.168.12.99
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
nat (inside) 0 access-list nonatinside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x 192.168.3.100 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
service resetinbound
crypto ipsec transform-set mytransform esp-des esp-md5-hmac
crypto dynamic-map mydynmap 10 set transform-set mytransform
crypto map mymap 100 ipsec-isakmp dynamic mydynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool vpnclientpool
vpngroup vpn3000 dns-server 142.77.2.36
vpngroup vpn3000 split-tunnel localtovpnclient
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.3.100 255.255.255.255 inside
telnet timeout 5
terminal width 80
 
HI.

You will not be able to ping the inside interface of the pix from the VPN tunnel, because by design the pix's own interfaces will not respond to traffic coming from other interfaces.

You can access PDM using the outside interface of the pix.
This can be done in 2 ways:

* If you are coming from a known static ip address or range, you can simply allow PDM access from that address.
For this you don't need the VPN tunnel.

* You can access PDM from the VPN tunnel, in a similar way to accessing the pix using TELNET.
You will need something like this:

http 192.168.12.0 255.255.255.0 outside
access-list localtovpnclient permit ip host x.x.x.x 192.168.12.0 255.255.255.0

(Where x.x.x.x is the pix outside ip address).

Bye
Yizhar Hurwitz
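The two conditions in the reply above (an `http` rule that covers the VPN pool on the `outside` interface, and a split-tunnel ACL entry so the client sends traffic for the pix's outside address through the tunnel) can be checked mechanically against a config dump. The script below is an added example, not code from this thread or from Cisco: it parses only the handful of PIX 6.x command forms that appear in the original post (`http`, `ip local pool`, `access-list ... permit ip`, `vpngroup ... split-tunnel`), runs the check against a constructed excerpt of the original config and against the same excerpt with the reply's two lines appended, and uses `203.0.113.10` as a stand-in for the masked outside address `x.x.x.x`.

```python
"""Audit a PIX 6.x config for PDM reachability from VPN clients (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed placeholder for the outside address the thread masks as x.x.x.x.
OUTSIDE_IP = "203.0.113.10"

# Constructed excerpt of the original post's config: only the commands the check needs.
ORIGINAL_CONFIG = """
http server enable
http 192.168.3.0 255.255.255.0 inside
ip local pool vpnclientpool 192.168.12.1-192.168.12.99
access-list localtovpnclient permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
vpngroup vpn3000 split-tunnel localtovpnclient
"""

# The same excerpt with the two lines suggested in the reply appended.
FIXED_CONFIG = ORIGINAL_CONFIG + f"""
http 192.168.12.0 255.255.255.0 outside
access-list localtovpnclient permit ip host {OUTSIDE_IP} 192.168.12.0 255.255.255.0
"""


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from PIX-style 'address netmask' notation."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _acl_operand(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one ACL address operand at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return _net(tokens[i], tokens[i + 1]), i + 2


def http_rules(config: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Return (source network, interface) for each 'http A.B.C.D MASK iface' line."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if len(t) == 4 and t[0] == "http":
            rules.append((_net(t[1], t[2]), t[3]))
    return rules


def vpn_pool(config: str) -> List[ipaddress.IPv4Address]:
    """Return the first and last address of the 'ip local pool' range."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    if not m:
        raise ValueError("no ip local pool found")
    return [ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))]


def acl_permits_ip(config: str, name: str) -> List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]:
    """Return (src, dst) pairs for 'access-list NAME permit ip ...' entries."""
    pairs = []
    for line in config.splitlines():
        t = line.split()
        if t[:4] == ["access-list", name, "permit", "ip"]:
            src, i = _acl_operand(t, 4)
            dst, _ = _acl_operand(t, i)
            pairs.append((src, dst))
    return pairs


def split_tunnel_acl(config: str) -> str:
    """Name of the ACL referenced by 'vpngroup NAME split-tunnel ACL', or ''."""
    m = re.search(r"^vpngroup \S+ split-tunnel (\S+)", config, re.M)
    return m.group(1) if m else ""


def pdm_allowed(config: str, client: str, iface: str) -> bool:
    """True if the client address may reach PDM (the http server) on that interface."""
    ip = ipaddress.IPv4Address(client)
    return any(ip in net and i == iface for net, i in http_rules(config))


def audit(config: str, outside_ip: str = OUTSIDE_IP) -> Dict[str, bool]:
    """Check both conditions from the reply: PDM permitted for the whole VPN pool on
    'outside', and a split-tunnel ACL entry whose source covers the outside address
    and whose destination covers the pool (so the client tunnels that traffic)."""
    pool = vpn_pool(config)
    outside = ipaddress.IPv4Address(outside_ip)
    pdm_ok = all(pdm_allowed(config, str(a), "outside") for a in pool)
    split_ok = any(
        outside in src and all(a in dst for a in pool)
        for src, dst in acl_permits_ip(config, split_tunnel_acl(config))
    )
    return {"pdm_from_vpn_pool": pdm_ok, "split_tunnel_covers_outside": split_ok}


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("with reply's lines", FIXED_CONFIG)):
        print(f"{label}: {audit(cfg)}")
```

Against the original excerpt both checks come back false, which matches the symptom in the first post: the only `http` rule is scoped to `192.168.3.0/24` on `inside`, while VPN clients arrive on `outside` with pool addresses. With the reply's two lines both checks pass. Keeping the `http` statement scoped to the pool network rather than `any` is the detail worth preserving: it exposes PDM to tunnel clients only, not to the whole Internet.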
 