Local Win98 PC running Cisco VPN Client 3.5 will connect to a remote Pix501 OK. If I change IP and put the PC behind a local Pix501, then try to run a VPN connection to the remote Pix, I seem to get a VPN connection but no traffic.
What do I configure on the local Pix to allow VPN traffic through?
Win98 Pc
192.168.0.79/24 (static w.x.y.75)
|
Pix501 local (ext w.x.y.73/29 int 192.168.0.1/24)
|
router
|
Pix 501 remote (ext t.u.v.68/26 int 192.168.0.1/24)
| (VPN serverIP t.u.v.68,
| VPN pool 192.168.1.1)
|
PC 192.168.0.76/24 (static t.u.v.76)
I would (rashly?) expect not to have to make config changes on the remote Pix as a 'direct' VPN connection works OK.
If I configure the Win98 PC IP to that of the local Pix, w.x.y.73,
and run the VPN connection, I can ping the remote PC 192.168.0.76.
Current (relevant bits) attempt at config of local pix:-
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list 101 permit ip host t.u.v.68 host w.x.y.74
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit esp host t.u.v.68 host w.x.y.75
access-list 101 permit ah host t.u.v.68 host w.x.y.75
access-list 101 permit udp host t.u.v.68 host w.x.y.75 eq isakmp
access-list 101 permit tcp host t.u.v.68 host w.x.y.75 eq www
access-list 101 permit ip host t.u.v.68 host w.x.y.75
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside w.x.y.73 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 w.x.y.74
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) w.x.y.75 192.168.0.79 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 w.x.y.78 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http 192.168.0.0 255.255.255.0 inside
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
Really getting a bit stuck on this, any help much appreciated.
Ta, Rafe
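An added example, not part of Rafe's post: a small Python audit of the posted config that checks the two things a remote IPsec peer needs through a firewall in front of a client, namely a one-to-one static translation for the client and inbound permits for UDP 500 (ISAKMP) and ESP to the translated address (UDP 4500 is reported separately, since NAT-T only matters when the client sits behind PAT rather than a 1:1 static), and then checks whether the inside address space on either end of the tunnel overlaps. The masked addresses w.x.y.* and t.u.v.* are replaced with constructed documentation-range values, and the remote inside subnet and VPN pool are taken from the diagram.

```python
"""Audit a PIX 6.x-style config for IPsec client pass-through (added example)."""
import ipaddress

# Constructed sample: the relevant lines of the local PIX config from the post,
# with the masked addresses w.x.y.* and t.u.v.* replaced by documentation
# ranges (198.51.100.0/24 and 203.0.113.0/24) so the parser has real IPs.
SAMPLE_CONFIG = """\
access-list 101 permit ip host 203.0.113.68 host 198.51.100.74
access-list 101 permit icmp any any echo-reply
access-list 101 permit esp host 203.0.113.68 host 198.51.100.75
access-list 101 permit ah host 203.0.113.68 host 198.51.100.75
access-list 101 permit udp host 203.0.113.68 host 198.51.100.75 eq isakmp
access-list 101 permit tcp host 203.0.113.68 host 198.51.100.75 eq www
access-list 101 permit ip host 203.0.113.68 host 198.51.100.75
ip address outside 198.51.100.73 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 198.51.100.74
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 198.51.100.75 192.168.0.79 netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""

PORT_ALIASES = {"isakmp": "500", "www": "80"}  # PIX keyword -> port number

# What a remote IPsec peer must be able to reach on the client's NATed address.
REQUIRED = (("udp", "500"), ("esp", None))


def _parse_addr(tokens):
    """Consume one ACL address spec (any | host X | net mask); return (spec, rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_acl(config, name):
    """Return the permit entries of access-list `name` as dicts."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:3] != ["access-list", name, "permit"]:
            continue
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        port = PORT_ALIASES.get(rest[1], rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        rules.append({"proto": t[3], "src": src, "dst": dst, "port": port})
    return rules


def parse_statics(config):
    """Map inside address -> outside address for every 1:1 static."""
    statics = {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["static"] and len(t) >= 4:
            statics[t[3]] = t[2]
    return statics


def parse_interfaces(config):
    """Map interface name -> ip_network from 'ip address <if> <ip> <mask>' lines."""
    nets = {}
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"] and len(t) >= 5:
            nets[t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
    return nets


def _permitted(rules, proto, src, dst, port):
    """True if some entry permits proto/port from src to dst ('ip' permits all)."""
    for r in rules:
        if r["proto"] not in (proto, "ip"):
            continue
        if r["src"] not in ("any", src) or r["dst"] not in ("any", dst):
            continue
        if r["proto"] == "ip" or r["port"] in (None, port):
            return True
    return False


def check_ipsec_passthrough(config, vpn_server, client_inside_ip, acl="101"):
    """Report the static mapping, any missing IPsec permits, and NAT-T (UDP 4500)."""
    outside_ip = parse_statics(config).get(client_inside_ip)
    findings = {"mapped_to": outside_ip, "missing": [], "nat_t_allowed": False}
    if outside_ip is None:
        findings["missing"].append("static 1:1 translation for client")
        return findings
    rules = parse_acl(config, acl)
    for proto, port in REQUIRED:
        if not _permitted(rules, proto, vpn_server, outside_ip, port):
            findings["missing"].append(proto if port is None else f"{proto}/{port}")
    findings["nat_t_allowed"] = _permitted(rules, "udp", vpn_server, outside_ip, "4500")
    return findings


def route_overlap(local_inside, remote_inside, vpn_pool):
    """Flag address space that exists on both ends of the tunnel."""
    local = ipaddress.ip_network(local_inside, strict=False)
    remote = ipaddress.ip_network(remote_inside, strict=False)
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    return {"lan_overlap": local.overlaps(remote), "pool_overlap": local.overlaps(pool)}


def audit(config, vpn_server, client_inside_ip, remote_inside, vpn_pool, acl="101"):
    """Combine the ACL/static check with the overlap check."""
    result = check_ipsec_passthrough(config, vpn_server, client_inside_ip, acl)
    local_inside = str(parse_interfaces(config)["inside"])
    result.update(route_overlap(local_inside, remote_inside, vpn_pool))
    return result


if __name__ == "__main__":
    import json
    # Remote inside 192.168.0.0/24 and pool 192.168.1.1 come from the diagram.
    print(json.dumps(audit(SAMPLE_CONFIG, "203.0.113.68", "192.168.0.79",
                           "192.168.0.0/24", "192.168.1.1"), indent=2))
```

Run against the posted lines, the ACL and static checks come back clean (the final `permit ip` entry alone covers everything to the translated address), so the firewall is not blocking the negotiation, which matches the observation that the tunnel comes up. The check that does fire is `lan_overlap`: the diagram shows 192.168.0.0/24 as the inside network on both the local and the remote Pix, and a client whose own LAN carries the same prefix as the protected network behind the peer is a common reason for a tunnel that establishes but passes no traffic, which is worth ruling out before changing the firewall rules further.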