VPN client connects, can ping pix, but no internal pc's

[ajinc]

Hello All,
Fisrt Thanks for all the help given, it is greatly appreciated.
I can connect via vpn client to my pix, but I can't ping any internal pc's. I can ping the internal ip of the pix with no problem.
I am testing with 2 vpn clients, safenet softremote, and cisco v4.6. The cisco client connects, and all functions work ping, map drive, rdp etc.
The safenet client connects, but the log files tell me

30505 Not translation group found for tcp source outside 151.197.172.9/1777 dst inside 192.169.2.2/445

that happened when I tried to map a drive.
below is my config, any ideas are greatly appreciated.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **************** encrypted
passwd **************** encrypted
hostname pixfirewall
domain-name ajinc.local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list OUTSIDE_IN permit esp any any
access-list OUTSIDE_IN permit udp any any eq isakmp
access-list OUTSIDE_IN permit ah any any
access-list OUTSIDE_IN permit icmp any any
access-list OUTSIDE_IN permit tcp any any eq ftp
access-list OUTSIDE_IN permit tcp any any eq www
access-list outside_cryptomap_dyn_10 permit ip any 10.10.10.0 255.255.255.0
access-list split permit ip 192.169.2.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.169.2.2
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.169.2.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool kgcpa 10.10.10.1-10.10.10.10
pdm location 192.169.2.0 255.255.255.0 inside
pdm location 10.10.10.0 255.255.255.0 outside
pdm location 10.10.10.0 255.255.255.255 inside
pdm location 10.10.10.0 255.255.255.0 inside
pdm location 192.169.2.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group OUTSIDE_IN in interface outside
route inside 10.10.10.0 255.255.255.0 192.169.2.0 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 129.6.15.28 source outside prefer
http server enable
http 192.169.2.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
service resetinbound
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set pfs group2
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup kgcpaipsec address-pool kgcpa
vpngroup kgcpaipsec dns-server 192.169.2.2
vpngroup kgcpaipsec default-domain ajinc.local
vpngroup kgcpaipsec split-tunnel split
vpngroup kgcpaipsec pfs
vpngroup kgcpaipsec idle-time 1800
vpngroup kgcpaipsec max-time 86400
vpngroup kgcpaipsec password ********
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname vze2zz73
vpdn group pppoe_group ppp authentication pap
vpdn username vze2q563 password *********
dhcpd address 192.169.2.10-192.169.2.41 inside
dhcpd dns 192.169.2.2 192.169.2.3
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ajinc.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end

 

[mdjason]

WARNING: The 'access-list' statement:
'access-list OUTSIDE_IN permit esp any any'
allows esp traffic to initiate connections from the outside to a higher security
level interface, for any source and destination, whenever there is an active translation
in the PIX.
TRY THIS: These types of access-lists can be useful for testing in a lab environment,
but should be used with extreme care in a production environment. Check your security
policy.

WARNING: The 'access-list' statement:
'access-list OUTSIDE_IN permit ah any any'
allows ah traffic to initiate connections from the outside to a higher security
level interface, for any source and destination, whenever there is an active translation
in the PIX.
TRY THIS: These types of access-lists can be useful for testing in a lab environment,
but should be used with extreme care in a production environment. Check your security
policy.

WARNING: The 'access-list' statement:
'access-list OUTSIDE_IN permit icmp any any'
allows icmp traffic to initiate connections from the outside to a higher security
level interface, for any source and destination, whenever there is an active translation
in the PIX.
TRY THIS: These types of access-lists can be useful for testing in a lab environment,
but should be used with extreme care in a production environment. Check your security
policy.

WARNING: The following interfaces do not have associated 'route' commands:
outside
The PIX requires a static/default route for any destinations that are not directly
connected to these interfaces, assuming the PIX is not receiving a default RIP
route from a connected router on these interfaces.
TRY THIS: Configure a static/default route for those interfaces that need to access
non directly connected destinations using the configuration command, 'route if_name
ip_address netmask gateway_ip [metric]'.

WARNING: NTP servers have been configured but are using no authentication.
TRY THIS: For more secure timestamps, consider enabling ntp authentication with
the 'ntp authenticate' configuration command.

WARNING: You have NTP servers configured that exchange traffic over the least secure
interface, the outside interface.
TRY THIS: Make sure that you want to pass this type of traffic over the outside
interface.

WARNING: There are access-lists defined that are not applied in the configuration
with an 'access-group', 'crypto map', 'crypto dynamic-map', 'vpngroup {name} split-tunnel'
'nat 0', 'aaa accounting match', 'aaa authentication match', or 'aaa authorization
match' command:
access-list outside_cryptomap_dyn_10 permit ip any 10.10.10.0 255.255.255.0
TRY THIS: Make sure that these access-lists are required in your configuration.
(e.g. used for RADIUS authorization)

WARNING: (VPN) There are 'crypto map' statements in the configuration without a
'nat 0' statement.
Generally, IPsec traffic should be excluded from any NAT operation.
TRY THIS: The 'crypto map {map_name} {seq_no} match address {access_list}' command
is used to select traffic that will be protected by IPsec. The traffic selected
by this access list(s) should be excluded from NAT by using the 'nat 0' configuration
command. For example: 'nat (inside) 0 access-list 108'

INFO: The following interfaces have been set to autonegotiate their speed and
duplex settings:
ethernet0
NOTE: Even though the default is to set automatic speed sensing for the interfaces
with the 'interface hardware_id auto' command, Cisco recommends to specify the
speed of the network interfaces; for example, '10baset', '10full', '100basetx',
'100full', '1000basesx', or '1000sxfull'. This lets the PIX Firewall operate in
network environments that may include switches or other devices that do not handle
auto sensing correctly. If speed/duplex are hardcoded on the PIX, configure the
speed/duplex on the neighboring device also.

WARNING: The console is set to never timeout.
TRY THIS: Consider configuring a finite timeout for the console. For example, 'console
timeout 5' will configure a 5 minute timeout for the console.
REFERENCE: For more information, see 'Console timeout' command.

WARNING: There is no banner configured for this device.
TRY THIS: In some jurisdictions, civil and/or criminal prosecution of unauthorized
users is much easier when a banner warning them that their access is unauthorized.
Legal notification requirements are complex and these should be discussed with
your own legal counsel. Once the appropriate login warning has been developed for
your firewall, you may incorporate it into your unit for display before all interactive
logins with the 'banner login' configuration command.

 

[ajinc]

Thank you for this information. I'm new to the PIX / cisco equipment.
I was going to begin locking down once I had all the functions I needed working.

Again many thanks for your time & knowledge

 

[lgarner]

route inside 10.10.10.0 255.255.255.0 192.169.2.0 1"

What's the next hop for inbound traffic? It's not the network; it should be something like 192.168.2.2

 

[ajinc]

Thanks for the reply lgarner,
I am not sure what the "next hop" is.

Could you explain why you think it should be 192.168.2.2?

I thought the route stamnet would direct the vpn trafficc 10.10.01.0 to the internal netwwork 192.169.2.0

Thanks agian

 

[lgarner]

Next Hop" refers to the router to which packets should be sent for a certain network when that network is not connected to the sending host (the Pix in your case). In other words, how does the Pix know where to send packets for 10.10.1.0?

Since you have two networks (192.168.2.0 and 10.10.1.0), there must be a router between the Pix and the 10.10.1.0 network:

internet (pppoe)-- pix --192.168.2.0-- router --10.10.1.0

The "router" above will have an address on one interface of 192.168.2.something, and 10.10.1.something on the other interface. I just used "192.168.2.2" as an example since the Pix is using 192.168.2.1.

The 192.168.2.something is the address that the Pix needs to know. When it needs to send a packet to a host on 10.10.1.0 it will send it to the host with the IP address in its route statement. That host will forward it to the next host.

I just noticed also that you're using "192.169", which is not a private network. If that's the actuall address range that you're using, change my examples accordingly.

Also, the vpn client address pool should be on a separate address range. I assumed that you can't connect to 10.10.1.0 addresses, but this might be your problem if VPN clients can't get to 192.169.2.0 addresses.

 

[ajinc]

O.K. I see,
however my set up is like this

internet (pppoe)-- (ouside interface)-- pix (inside interface)--192.169.2.1 connects to a switch

I was using the pix as a firewall & router (only one on network)
I thought the 10.10.10.0 addreses were assigned to my vpn client when they connect.
Please correct me wher I am wrong.

Thanks

 

[lgarner]

Ahh, there it is. Missed it earlier.

Try this:
nat (0) 192.169.2.0 255.255.255.0 10.10.10.0 255.255.255.0

This will keep the Pix from translating that traffic to the outside address. Ignore my other comments :~/, except do remove the "route inside 10.10.10.0..." statement.

 

[ajinc]

Thanks for the idea,
when i insert this command I get this

Result of firewall command: "nat (0) 192.169.2.0 255.255.255.0 10.10.10.0 255.255.255.0"

ERROR: invalid NAT ID <192.169.2.0>
Usage: [no] nat [(<real_ifc>)] <nat-id>
{<real_ip> [<mask>]} | {access-list <acl_name>}
[dns] [norandomseq] [outside] [<max_conn> [<emb_limit>]]
Command failed

any thoughts are greatly appreciated

 

[ajinc]

Well here is where I am.
Quick overview of problem:

1. Using Safenet Softremote, or Cisco v 4.6 client I cannot connect to a VPN endpoint (a DLink 808 HV router)The PIX error log states that

192.169.2.1 Oct 03 2005 16:41:59: %PIX-6-302015: Built outbound UDP connection 750 for outside:151.196.142.42/500 (151.196.142.42/500) to inside:192.169.2.10/500 (141.157.14.15/5)
192.169.2.1 Oct 03 2005 16:41:59: %PIX-6-305011: Built dynamic UDP translation from inside:192.169.2.10/500 to outside:141.157.14.15/5
192.169.2.1 Oct 03 2005 16:41:59: %PIX-6-609001: Built local-host inside:192.169.2.10

The log for the safenet client states

10-03: 16:45:03.100 My Connections\KGCPA at ODENTON - Initiating IKE Phase 1 (IP ADDR=152.197.143.44)
10-03: 16:45:03.100 My Connections\KGCPA at ODENTON - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
10-03: 16:45:18.341 My Connections\KGCPA at ODENTON - message not received! Retransmitting!
10-03: 16:45:18.341 My Connections\KGCPA at ODENTON - SENDING>>>> ISAKMP OAK MM (Retransmission)
10-03: 16:45:33.362 My Connections\KGCPA at ODENTON - message not received! Retransmitting!
10-03: 16:45:33.362 My Connections\KGCPA at ODENTON - SENDING>>>> ISAKMP OAK MM (Retransmission)
10-03: 16:45:48.383 My Connections\KGCPA at ODENTON - message not received! Retransmitting!
10-03: 16:45:48.383 My Connections\KGCPA at ODENTON - SENDING>>>> ISAKMP OAK MM (Retransmission)
10-03: 16:46:03.404 My Connections\KGCPA at ODENTON - Exceeded 3 IKE SA negotiation attempts

The cisco client errors out with
error 412 the remote peer is no longer responding


This problem is strange, because I thought the PIX would let any outbound traffic to the internet. I this senario I am just using the PIX as a router for internet traffic. If I replace the PIX with another router the connection is established with both vpn clients.

My 2nd issue is that when using the PIX as a VPN endpoint I can connect with both clients safenet, and cisco, but the safenet client will not let me ping past the inside interface "192.169.2.1", any other ip addreses in this range do not reply unless I am using the cisco client then all works well.
As I stated earlier I removed the "route 10.10.10.0" statement, and I tried the "nat (0) 192.169.2.0 255.255.255.0 10.10.10.0 255.255.255.0, and I get an error on this

Result of firewall command: "nat (0) 192.169.2.0 255.255.255.0 10.10.10.0 255.255.255.0"

ERROR: invalid NAT ID <192.169.2.0>
Usage: [no] nat [(<real_ifc>)] <nat-id>
{<real_ip> [<mask>]} | {access-list <acl_name>}
[dns] [norandomseq] [outside] [<max_conn> [<emb_limit>]]
Command failed

Below is my present config Thanks for any additional ideas.


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **************** encrypted
passwd **************** encrypted
hostname pixfirewall
domain-name ajinc.local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list OUTSIDE_IN permit esp any any
access-list OUTSIDE_IN permit udp any any eq isakmp
access-list OUTSIDE_IN permit ah any any
access-list OUTSIDE_IN permit icmp any any
access-list outside_cryptomap_dyn_10 permit ip any 10.10.10.0 255.255.255.0
access-list split permit ip 192.169.2.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.10.10.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.169.2.2
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.169.2.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool kgcpa 10.10.10.1-10.10.10.10
pdm location 192.169.2.0 255.255.255.0 inside
pdm location 10.10.10.0 255.255.255.0 outside
pdm location 10.10.10.0 255.255.255.255 inside
pdm location 10.10.10.0 255.255.255.0 inside
pdm location 192.169.2.2 255.255.255.255 inside
pdm location 141.157.0.0 255.255.0.0 outside
pdm location 151.196.0.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group OUTSIDE_IN in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 129.6.15.28 source outside prefer
http server enable
http 192.169.2.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
service resetinbound
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set pfs group2
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup kgcpaipsec address-pool kgcpa
vpngroup kgcpaipsec dns-server 192.169.2.2 151.196.0.38
vpngroup kgcpaipsec default-domain ajinc.local
vpngroup kgcpaipsec split-tunnel split
vpngroup kgcpaipsec pfs
vpngroup kgcpaipsec idle-time 1800
vpngroup kgcpaipsec max-time 86400
vpngroup kgcpaipsec password ********
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname vze2q563
vpdn group pppoe_group ppp authentication pap
vpdn username vze2a263 password *********
dhcpd address 192.169.2.10-192.169.2.41 inside
dhcpd dns 192.169.2.2 192.169.2.3
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ajinc.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

 

[ajinc]

P.S.
Concerning problem 2 I get this message in the PIX error log when I get the safenet client to connect to the pix, but can't ping past the pix interface

192.169.2.1 Oct 03 2005 17:28:48: %PIX-3-305005: No translation group found for icmp src outside:141.157.58.22 dst inside:192.169.2.2 (type 8, code 0)
192.169.2.1 Oct 03 2005 17:28:24: %PIX-3-305005: No translation group found for icmp src outside:141.157.58.22 dst inside:192.169.2.2 (type 8, code 0)
192.169.2.1 Oct 03 2005 17:28:19: %PIX-3-305005: No translation group found for icmp src outside:141.157.58.22 dst inside:192.169.2.2 (type 8, code 0)
192.169.2.1 Oct 03 2005 17:28:14: %PIX-3-305005: No translation group found for icmp src outside:141.157.58.22 dst inside:192.169.2.2 (type 8, code 0)
192.169.2.1 Oct 03 2005 17:28:09: %PIX-3-305005: No translation group found for icmp src outside:141.157.58.22 dst inside:192.169.2.2 (type 8, code 0)


Thank You

 

[julianmd]

Try this

nat (inside) 0 192.169.2.0 255.255.255.0 10.10.10.0 255.255.255.0

Please post back the results

Julian Dragut

 

[ajinc]

julianmd,
Thanks for the idea unfortunately I get this response from the pix

Result of firewall command: "nat (inside) 0 192.169.2.0 255.255.255.0 10.10.10.0 255.255.255.0"

ERROR: invalid connection limit <10.10.10.0>
Usage: [no] nat [(<real_ifc>)] <nat-id>
{<real_ip> [<mask>]} | {access-list <acl_name>}
[dns] [norandomseq] [outside] [<max_conn> [<emb_limit>]]
Command failed
Any other ideas are greatly appreciated