
VPN Connects however cannot browse 1

Status
Not open for further replies.

loyalist

MIS
Jun 25, 2003
69
CA
Hi there,

I am attempting to configure remote vpn access to my domain without using radius, only using vpn group authentication. I am able to connect via vpn (cisco client 4.0.2) and get an address from the configured pool, however I cannot access the internet or any domain resources once connected. Pix is directly connected to a Cisco 3550 layer 2/3 switch. I see packets sent from the client, however none received. Tried debugging and everything appears to be connecting okay. Added the address pool vlan to the switch and a virtual interface for routing. Have tried natting pool addresses back out, tried adding a route, etc. At one point I was able to access some resources on the lan, however not all, and have not been able to access the internet at all. Here are the relevant parts of my config:

access-list 101 permit ip 10.100.50.0 255.255.255.0 10.100.40.0 255.255.255.0

ip local pool vpnpool 10.100.40.50-10.100.40.200
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside

isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup test address-pool vpnpool
vpngroup test dns-server 10.100.50.5
vpngroup test default-domain test.com
vpngroup test idle-time 1800
vpngroup test password ********

Really not sure at all right now where problem is, traffic is reaching 3550 however not going anywhere from there, not able to access any other subnets which are directly connected to switch either.

Would really appreciate any advice.

Thanks in advance,

Loyalist


 
Just as an update, blew away the vlan and the virtual interface on the 3550 and am able to connect with vpn and browse one vlan on the domain, can reach the domain controller, able to do nslookups on the dns server in the same vlan, can connect to shares on the file server in the same vlan, can connect to the internal web server as well.

However still cannot access other vlans, connect to the internet or reach the mail server on the dmz. Also unable to ping anything, even on the subnet that I can reach??

Added nat,static, and access list statements for vpn address pool and still no luck.

Can somebody please offer some advice.
 
For your clients to be able to access the Internet you will need to use Split Tunnelling. The PIX will not allow packets from the Client back out the same interface on which they were received. The split tunnel sets the client up to send some packets down the VPN, the rest out via their local connection to the Internet.

For the internal access to other VLAN's, have you got static routes configured in the PIX pointing to those subnets via a default gateway on the same subnet as the PIX?

Finally, pinging, this is controlled with an access list entry, it is probably dropping ICMP currently. Get back if you need more help.
 
Hey Routerman,

Split tunneling works, I suspected it would however wanted to avoid if I could. If this is the default behavior of the pix then I will have to live with it but would prefer a work around. I currently have it enabled and it works fine.

In regards to routes on the pix, I have a route for the vpn addresses. I added a statement to the vpn access-list for subnets 100 and 75 and I am now able to browse subnet 100 and ping devices on it. However I still cannot hit my dmz subnet (75), which is where my mail server and a couple of web servers reside.

This is what I have now on the pix:

access-list 101 permit ip 10.100.50.0 255.255.255.0 10.100.40.0 255.255.255.0 (hitcnt=6279)
access-list 101 permit ip 10.100.100.0 255.255.255.0 10.100.40.0 255.255.255.0 (hitcnt=44)
access-list 101 permit ip 10.100.75.0 255.255.255.0 10.100.40.0 255.255.255.0 (hitcnt=0)

access-list inside permit ip 10.100.40.0 255.255.255.0 any

ip local pool vpnpool 10.100.40.50-10.100.40.200

nat (inside) 0 access-list 101
nat (inside) 1 10.100.150.8 255.255.255.248 0 0
nat (inside) 1 10.100.50.0 255.255.255.0 0 0
nat (inside) 1 10.100.100.0 255.255.255.0 0 0
nat (dmz) 1 10.100.75.0 255.255.255.0 0 0
static (inside,dmz) 10.100.100.0 10.100.100.0 netmask 255.255.255.0 0 0
static (inside,dmz) 10.100.50.0 10.100.50.0 netmask 255.255.255.0 0 0
static (inside,dmz) 10.100.40.0 10.100.40.0 netmask 255.255.255.0 0 0

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.100.40.0 255.255.255.0 10.100.150.10 1
route inside 10.100.50.0 255.255.255.0 10.100.150.10 1
route inside 10.100.100.0 255.255.255.0 10.100.150.10 1

sysopt connection permit-ipsec
no sysopt route dnat

crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup test address-pool vpnpool
vpngroup test dns-server 10.100.50.5
vpngroup test default-domain test.com
vpngroup test split-tunnel 101
vpngroup test idle-time 1800
vpngroup test password ********

As you can see, the access list statement I added to the vpn acl for the dmz is taking no hits but the one for the other subnet is, so at least that's one step forward. I added a vlan for vpn subnet to the 3550 and created a virtual interface for it however once I put an address on that svi I am unable to browse anywhere, I remove the address and I can browse everywhere except vlan 75. The 3550 is directly connected to both the inside interface and dmz interface on the pix, all internal traffic for the dmz is routed through the default route on the switch to the inside interface on the pix and then to the dmz interface and works fine for the existing subnets.

I need to find a way to get that vpn traffic into the dmz.

Any suggestions?

Thanks


 
Is your concern regarding split tunneling to do with restricting users' direct Internet access? If so, another solution is to use a proxy server on the inside network; your VPN users connect to that and the proxy connects to the Internet. As far as the PIX is concerned these are 2 separate traffic streams.

The second problem, no access from the outside to your DMZ, is down to the static and ACL statements.
You need to allocate an unused address from the address space on the outside interface of the PIX; this will be the address that users connect to in order to send mail to you, e.g. 167.34.5.6 is your Internet email IP address.

If your email server on the DMZ is 10.100.75.10, then the static and ACL would be

static (dmz,outside) 167.34.5.6 10.100.75.10 netmask 255.255.255.255
access-list outside permit tcp any host 167.34.5.6 eq smtp
access-group outside in interface outside

This should allow external access to your email server, apply the same logic for others in the DMZ.

For VPN users to access the mail server, I'm not so sure about this one, but I think the problem is down to the NAT (dmz) statement. You'll need a NAT (dmz) 0 statement to exclude the traffic to the VPN clients from the NAT process. The reason you don't see any hits on ACL 101 for 10.100.75.0 to 10.100.40.0 is down to the fact that 10.100.75.0 is on the DMZ, not the Inside network.


 
Thanks Routerman, I do have statics on my outside interface for my mail server and web servers, they work fine. The only problem I am having is getting the vpn traffic into the dmz. I thought of the same solution you mention with the nat (dmz) 0 command, I created another access list this morning, access-list 102 permit ip 10.100.75.0 255.255.255.0 10.100.40.0 255.255.255.0, applied it to an additional nat statement, nat (dmz) 0 access-list 102, added an access list statement to my dmz, access-list dmz permit ip any 10.100.40.0 255.255.255.0, still cannot connect to that subnet. Then I removed a static statement I had allowing 10.100.40.0 from the inside to the dmz, thinking that may be the problem, however still no luck. Been surfing all morning since looking for a solution, this has to be possible, it seems to me this would be a common scenario, however can't seem to find any examples of people doing it.
 
I also have looked at all the PIX configs I've set up for my customers, and looked on CCO and all the tech reference books I have, I cannot find an example of what you want.

Are you getting any console messages about denied packets on ACL's, or have you tried the debug packet using the client and/or server address to see how far packets are getting?

Just one point, did you CLEAR XLATE when changing the static commands?
 
I finally got it to work. I had a route for the vpn pool going inside; I removed it and also removed the separate acl for the dmz nat 0 statement. I re-added a rule to the original vpn access list to include the dmz subnet and then reapplied the nat statement to the dmz interface and it worked fine. I am going to go back in the pix and find out if it was a combination of both or if I only had to do one of them and also see what else I can clean up.

Thanks for your support, I will post my final config when it's clean.
 
Here is my config in case anyone in the future needs to allow access to multiple subnets inside and dmz through vpn:

access-list 101 permit ip 10.100.50.0 255.255.255.0 10.100.40.0 255.255.255.0
access-list 101 permit ip 10.100.100.0 255.255.255.0 10.100.40.0 255.255.255.0
access-list 101 permit ip 10.100.75.0 255.255.255.0 10.100.40.0 255.255.255.0
access-list 101 permit ip 10.100.25.0 255.255.255.0 10.100.40.0 255.255.255.0
access-list 101 permit ip 10.100.125.0 255.255.255.0 10.100.40.0 255.255.255.0

access-list dmz permit ip any 10.100.40.0 255.255.255.0 (this will be tightened up depending on what you need access to in the dmz)

ip local pool vpnpool 10.100.40.50-10.100.40.200

nat (inside) 0 access-list 101
nat (dmz) 0 access-list 101

route inside 10.100.25.0 255.255.255.0 10.100.150.10 1
route inside 10.100.50.0 255.255.255.0 10.100.150.10 1
route inside 10.100.100.0 255.255.255.0 10.100.150.10 1
route inside 10.100.125.0 255.255.255.0 10.100.150.10 1
(no route required for dmz access)

sysopt connection permit-ipsec
no sysopt route dnat

crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup test address-pool vpnpool
vpngroup test dns-server 10.100.50.5
vpngroup test default-domain test.com
vpngroup test split-tunnel 101
vpngroup test idle-time 1800
vpngroup test password ********

I have one remaining issue, I am not able to telnet into pix while connected with vpn, anyone have any ideas? I telnet to the inside interface when on the lan, however cannot get this to work using vpn subnet and cannot telnet to dmz interface either. Wondering if it is not possible to telnet to same device while using it for vpn access?
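The working config above comes down to three things that were wrong earlier in the thread: the DMZ subnet had no NAT exemption toward the VPN pool on the dmz interface, the pool had a static route pointing at an inside next hop, and every subnet in the split-tunnel ACL must be matched to the interface it actually sits behind. The following Python linter is an added example, not code from the thread or from Cisco, that checks a PIX 6.x-style config for exactly those three conditions. It assumes the config also carries the interface `ip address <ifc> <ip> <mask>` lines (not shown in the thread) so that directly connected subnets can be tied to an interface; the interface addresses, the outside next hop 203.0.113.1 and the two sample configs are constructed from the thread's addressing.

```python
"""Lint a PIX 6.x remote-access VPN config for three split-tunnel pitfalls.

Added example (not from the thread). Assumes the config includes the PIX
'ip address <ifc> <ip> <mask>' lines. Checks:
  1. every subnet in the split-tunnel ACL is NAT-exempted toward the pool on
     the interface it sits behind ('nat (<ifc>) 0 access-list <acl>');
  2. no static route claims the VPN address pool on an internal interface;
  3. the split-tunnel ACL exists and each entry covers the whole pool.
"""
import ipaddress
import re
from collections import defaultdict


def _net(t, i):
    """Parse one ACL address operand at t[i]; return (network, index after it)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(f"{t[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse(cfg):
    """Pull the VPN-relevant lines out of a config (or 'show access-list' output)."""
    c = {"acl": defaultdict(list), "nat0": {}, "routes": [], "pools": {},
         "ifaddr": {}, "split": {}, "pool_of": {}}
    for raw in cfg.splitlines():
        t = re.sub(r"\(hitcnt=\d+\)", "", raw).split()  # drop hit counters
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _net(t, 4)
            dst, _ = _net(t, i)
            c["acl"][t[1]].append((src, dst))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            c["nat0"][t[1].strip("()")] = t[4]           # interface -> exemption ACL
        elif t[0] == "route":
            c["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4]))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            c["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:2] == ["ip", "address"]:
            c["ifaddr"][t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "vpngroup" and t[2] == "split-tunnel":
            c["split"][t[1]] = t[3]
        elif t[0] == "vpngroup" and t[2] == "address-pool":
            c["pool_of"][t[1]] = t[3]
    return c


def interface_for(c, net):
    """Interface a subnet sits behind: directly connected first, then most specific route."""
    for ifc, conn in c["ifaddr"].items():
        if net.subnet_of(conn):
            return ifc
    best = None
    for ifc, rnet, _ in c["routes"]:
        if net.subnet_of(rnet) and (best is None or rnet.prefixlen > best[1]):
            best = (ifc, rnet.prefixlen)
    return best[0] if best else None


def lint(cfg):
    """Return a list of findings; an empty list means all three checks pass."""
    c = parse(cfg)
    findings = []
    for group, acl_name in c["split"].items():
        pool_name = c["pool_of"].get(group)
        if pool_name not in c["pools"]:
            findings.append(f"vpngroup {group}: no usable address-pool")
            continue
        lo, hi = c["pools"][pool_name]
        entries = c["acl"].get(acl_name, [])
        if not entries:
            findings.append(f"vpngroup {group}: split-tunnel ACL {acl_name} is missing or empty")
        for src, dst in entries:
            if not (lo in dst and hi in dst):
                findings.append(f"{acl_name}: {src} -> {dst} does not cover pool {lo}-{hi}")
                continue
            ifc = interface_for(c, src)
            if ifc is None or ifc == "outside":
                findings.append(f"{acl_name}: {src} is not behind an internal interface (got {ifc})")
                continue
            exempt = c["acl"].get(c["nat0"].get(ifc), [])
            if not any(src.subnet_of(s) and lo in d and hi in d for s, d in exempt):
                findings.append(f"{ifc}: no 'nat ({ifc}) 0 access-list' entry exempts {src} -> pool {pool_name}")
    for pool_name, (lo, _) in c["pools"].items():
        for ifc, rnet, nh in c["routes"]:
            if ifc != "outside" and rnet.prefixlen > 0 and lo in rnet:
                findings.append(f"route {ifc} {rnet} via {nh} claims VPN pool {pool_name}; remove it")
    return findings


# Constructed sample configs: thread addressing plus assumed interface addresses.
BASE = """\
ip address inside 10.100.150.9 255.255.255.248
ip address dmz 10.100.75.1 255.255.255.0
ip local pool vpnpool 10.100.40.50-10.100.40.200
access-list 101 permit ip 10.100.50.0 255.255.255.0 10.100.40.0 255.255.255.0 (hitcnt=6279)
access-list 101 permit ip 10.100.75.0 255.255.255.0 10.100.40.0 255.255.255.0 (hitcnt=0)
nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.100.50.0 255.255.255.0 10.100.150.10 1
vpngroup test address-pool vpnpool
vpngroup test split-tunnel 101
"""
BROKEN = BASE + "nat (dmz) 1 10.100.75.0 255.255.255.0 0 0\nroute inside 10.100.40.0 255.255.255.0 10.100.150.10 1\n"
FIXED = BASE + "nat (dmz) 0 access-list 101\n"

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint(cfg) or "OK")
```

Run against the mid-thread state the linter reports two findings (no `nat (dmz) 0` exemption for 10.100.75.0, and the `route inside 10.100.40.0` claiming the pool); against the final config it reports none. The same parser accepts `show access-list` output, so the `(hitcnt=0)` symptom from the thread can be fed in directly.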
 