
VPN Outside To Inside Addresses Help


judgestone (IS-IT--Management), Oct 16, 2006
Here is my scenario that I am having problems with:

1. Users login to VPN using their vpn username and password as in config:

vpdn username XXXXX password *********

they obtain an ip address of: 192.168.60.XXX

The main pix ip address is 10.10.60.XXX and they could originally get anywhere on the 10.10.60.X network. All routes , etc were working no problem.

I have since created VLANs for our network and configured them in the VPN portion of the PIX, and all networks can talk to each other and get to the internet (except for what I'm about to ask or tell).

2. I configured an Access rule that allows (Outside)192.168.60.XXX to access (inside) 10.10.66.XXX (this subnet is where my files servers are located). Users can now logon to VPN and get to their files that are located on file servers. See config:

access-list outside_access_in permit ip VPNConnections 255.255.255.192 nssvrs 255.255.255.0

3. Here is my problem:

- As long as I leave this access rule in place, it changes my "NAT" to 10.10.66.X instead of the dynamic 207.XXX.XXX.XXX, and if I am on the server trying to access the internet, it will not allow me to until I delete the access rule and change the NAT on the inside host address of 10.10.66.X back to dynamic.

For now, this is really not a problem, since I can still access any resources internally and get from server to server and to all other VLANs as long as it is internal; and I would rather my end users be able to connect in than me getting out to Google from my servers.

The problem this is causing for me is that I haven't yet put in an internal SUS server for Windows Updates, and I can't use Windows Update or get my AV updates from external sources to push out to my end users.

Is there a way to allow the VPN users access to my internal VLAN 10.10.66.X and still have outside internet capabilities from the 10.10.66.X subnet? I can just delete and add the access rule as needed or put in an internal SUS server, but I haven't gotten that far, and the AV updates for my corporate server are what bother me.

Any help will be greatly appreciated.


Here is my config:

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password cJeHXX82LEJIszn0 encrypted
passwd cJeHXX82LEJIszn0 encrypted
hostname sens-nspix
domain-name sehardwood.com
clock timezone WAT 1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 IMC
name 192.168.5.0 vlan5
name 10.10.62.0 SouthShore
name 10.10.68.0 nspcs
name 10.10.63.0 sssvrs
name 10.10.65.0 ssprinters
name 10.10.64.0 sspcs
name 10.10.67.0 nswireless
name 10.10.69.0 nsprinters
name 10.10.60.0 NorthShore
name 192.168.60.0 VPNConnections
name 10.10.66.0 nssvrs
object-group service FACTS tcp
port-object range 20000 20999
access-list inside_outbound_nat0_acl permit ip NorthShore 255.255.255.0 VPNConnections 255.255.255.192
access-list inside_outbound_nat0_acl permit ip NorthShore 255.255.255.0 IMC 255.255.255.0
access-list inside_outbound_nat0_acl permit ip NorthShore 255.255.255.0 sssvrs 255.255.255.0
access-list inside_outbound_nat0_acl permit ip NorthShore 255.255.255.0 sspcs 255.255.255.0
access-list inside_outbound_nat0_acl permit ip NorthShore 255.255.255.0 ssprinters 255.255.255.0
access-list inside_outbound_nat0_acl permit ip nssvrs 255.255.255.0 sssvrs 255.255.255.0
access-list inside_outbound_nat0_acl permit ip nssvrs 255.255.255.0 sspcs 255.255.255.0
access-list inside_outbound_nat0_acl permit ip nssvrs 255.255.255.0 ssprinters 255.255.255.0
access-list inside_outbound_nat0_acl permit ip nswireless 255.255.255.0 sssvrs 255.255.255.0
access-list inside_outbound_nat0_acl permit ip nswireless 255.255.255.0 sspcs 255.255.255.0
access-list inside_outbound_nat0_acl permit ip nswireless 255.255.255.0 ssprinters 255.255.255.0
access-list inside_outbound_nat0_acl permit ip nspcs 255.255.255.0 sssvrs 255.255.255.0
access-list inside_outbound_nat0_acl permit ip nspcs 255.255.255.0 sspcs 255.255.255.0
access-list inside_outbound_nat0_acl permit ip nspcs 255.255.255.0 ssprinters 255.255.255.0
access-list inside_outbound_nat0_acl permit ip nsprinters 255.255.255.0 sssvrs 255.255.255.0
access-list inside_outbound_nat0_acl permit ip nsprinters 255.255.255.0 sspcs 255.255.255.0
access-list inside_outbound_nat0_acl permit ip nsprinters 255.255.255.0 ssprinters 255.255.255.0
access-list inside_outbound_nat0_acl permit ip NorthShore 255.255.255.0 SouthShore 255.255.255.0
access-list inside_outbound_nat0_acl permit ip nspcs 255.255.255.0 SouthShore 255.255.255.0
access-list inside_outbound_nat0_acl permit ip nssvrs 255.255.255.0 SouthShore 255.255.255.0
access-list outside_cryptomap_20 permit ip NorthShore 255.255.255.0 IMC 255.255.255.0
access-list outside_access_in remark Ping
access-list outside_access_in permit tcp any any
access-list outside_access_in permit ip IMC 255.255.255.0 NorthShore 255.255.255.0
access-list outside_access_in permit ip VPNConnections 255.255.255.192 nssvrs 255.255.255.0
access-list outside_access_in remark Ping
access-list outside_cryptomap_40 permit ip NorthShore 255.255.255.0 SouthShore 255.255.255.0
access-list outside_cryptomap_40 permit ip NorthShore 255.255.255.0 sssvrs 255.255.255.0
access-list outside_cryptomap_40 permit ip interface inside sssvrs 255.255.255.0
access-list outside_cryptomap_40 permit ip NorthShore 255.255.255.0 sspcs 255.255.255.0
access-list outside_cryptomap_40 permit ip interface inside sspcs 255.255.255.0
access-list outside_cryptomap_40 permit ip NorthShore 255.255.255.0 ssprinters 255.255.255.0
access-list outside_cryptomap_40 permit ip interface inside ssprinters 255.255.255.0
access-list outside_cryptomap_40 permit ip nswireless 255.255.255.0 sssvrs 255.255.255.0
access-list outside_cryptomap_40 permit ip nswireless 255.255.255.0 sspcs 255.255.255.0
access-list outside_cryptomap_40 permit ip nswireless 255.255.255.0 ssprinters 255.255.255.0
access-list outside_cryptomap_40 permit ip nspcs 255.255.255.0 sssvrs 255.255.255.0
access-list outside_cryptomap_40 permit ip nspcs 255.255.255.0 sspcs 255.255.255.0
access-list outside_cryptomap_40 permit ip nspcs 255.255.255.0 ssprinters 255.255.255.0
access-list outside_cryptomap_40 permit ip nsprinters 255.255.255.0 sssvrs 255.255.255.0
access-list outside_cryptomap_40 permit ip nsprinters 255.255.255.0 sspcs 255.255.255.0
access-list outside_cryptomap_40 permit ip nsprinters 255.255.255.0 ssprinters 255.255.255.0
access-list outside_cryptomap_40 permit ip nspcs 255.255.255.0 SouthShore 255.255.255.0
access-list outside_cryptomap_40 permit ip nssvrs 255.255.255.0 sssvrs 255.255.255.0
access-list outside_cryptomap_40 permit ip nssvrs 255.255.255.0 SouthShore 255.255.255.0
access-list outside_cryptomap_40 permit ip nssvrs 255.255.255.0 sspcs 255.255.255.0
access-list outside_cryptomap_40 permit ip nssvrs 255.255.255.0 ssprinters 255.255.255.0
access-list vpn01 permit tcp any host 24.XXX.XXX.13 eq pptp
access-list vpn01 permit gre any host 24.XXX.XXX.13
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 209.17X.2XX.2XX 255.255.255.252
ip address inside 10.10.60.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool RemoteUsers 192.168.60.10-192.168.60.40
pdm location IMC 255.255.255.0 outside
pdm location SouthShore 255.255.255.0 outside
pdm location nspcs 255.255.255.0 inside
pdm location sssvrs 255.255.255.0 outside
pdm location sspcs 255.255.255.0 outside
pdm location ssprinters 255.255.255.0 outside
pdm location nswireless 255.255.255.0 inside
pdm location nsprinters 255.255.255.0 inside
pdm location VPNConnections 255.255.255.192 outside
pdm location nssvrs 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) nssvrs nssvrs netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.17X.XXX.2XX 1
route inside nssvrs 255.255.255.0 10.10.60.254 1
route inside nswireless 255.255.255.0 10.10.60.254 1
route inside nspcs 255.255.255.0 10.10.60.254 1
route inside nsprinters 255.255.255.0 10.10.60.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http NorthShore 255.255.255.0 inside
http nspcs 255.255.255.0 inside
http nssvrs 255.255.255.0 inside
snmp-server location NorthShore
snmp-server contact XXXXX
snmp-server community XXXXX
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 69.2.73.50
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 70.43.98.110
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 69.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 70.XX.XX.XXX netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
telnet nspcs 255.255.255.0 inside
telnet NorthShore 255.255.255.0 inside
telnet nssvrs 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access outside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local RemoteUsers
vpdn group PPTP-VPDN-GROUP client configuration dns 10.10.66.2 69.2.32.1
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username sevpn1 password *********
vpdn username sevpn2 password *********
vpdn username sevpn3 password *********
vpdn username sevpn4 password *********
vpdn username sevpn5 password *********
vpdn username sevpn6 password *********
vpdn username sevpn7 password *********
vpdn username sevpn8 password *********
vpdn username sevpn9 password *********
vpdn username gregg password *********
vpdn username vpntest password *********
vpdn enable outside
vpdn enable inside
dhcpd address 10.10.60.200-10.10.60.254 inside
dhcpd dns 69.2.32.1 216.83.236.228
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:9371c69e5cf8bf273359798307e43df8
: end
[OK]

I tried switching the name 192.168.60.0 VPNConnections to name 192.168.66.0 VPNConnections to see if it would route to 10.10.66.0, to no avail. I still need to put in the access rule for it, and it breaks my NAT for 10.10.66.0, and my nssvrs still can't access the internet.

I can get around this by adding my SUS/AV update server to sssvrs 10.10.64.0 and pointing all my subnets to it, since it is on the inside interface, all subnets have a route to it, and it can also access the internet; but I prefer not to do this.
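An added note and example from the editor, not from the poster, Tek-Tips or Cisco: in the posted config the line that actually removes the outbound PAT for 10.10.66.0/24 is `static (inside,outside) nssvrs nssvrs netmask 255.255.255.0 0 0`, not the `outside_access_in` entry itself. On PIX 6.x a static is evaluated before the dynamic `nat (inside) 1` / `global (outside) 1 interface` pair and an identity static matches every destination, so the file servers leave for the Internet with their private 10.10.66.x source addresses and no return path. The usual fix is to drop the static and instead exempt only the server-to-VPN-pool traffic in the existing `inside_outbound_nat0_acl`, which already does this for NorthShore. The Python below models that precedence (NAT exemption, then static, then dynamic PAT, which is this example's assumption about PIX 6.x behaviour) and compares the posted configuration with the corrected one; the sample addresses 10.10.66.10, 192.168.60.12 and 198.51.100.7 are constructed, and the outside interface address, redacted on the page, is a placeholder.

```python
import ipaddress

# Named networks as declared in the posted PIX 6.3(5) config
NETS = {
    "NorthShore": ipaddress.ip_network("10.10.60.0/24"),
    "nssvrs": ipaddress.ip_network("10.10.66.0/24"),
    "VPNConnections": ipaddress.ip_network("192.168.60.0/26"),  # mask 255.255.255.192
}
# Placeholder for the outside interface address (redacted as 209.17X.2XX.2XX on the page)
OUTSIDE_IF = "OUTSIDE-INTERFACE-IP"


class PixNat:
    """Minimal model of PIX 6.x inside->outside translation order (an assumption of
    this example): nat 0 access-list exemption first, then static translations,
    then the dynamic nat/global PAT to the outside interface."""

    def __init__(self, nat0_acl, statics):
        self.nat0_acl = [(NETS[s], NETS[d]) for s, d in nat0_acl]
        self.statics = [(NETS[real], NETS[mapped]) for real, mapped in statics]

    def translate(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. NAT exemption is destination-aware: only the listed pairs are untranslated
        for s_net, d_net in self.nat0_acl:
            if src in s_net and dst in d_net:
                return ("exempt", str(src))
        # 2. A static matches on source only, so an identity static also catches
        #    Internet-bound packets and sends them out untranslated
        for real, mapped in self.statics:
            if src in real:
                mapped_ip = mapped[int(src) - int(real.network_address)]
                return ("static", str(mapped_ip))
        # 3. Everything else is PATed to the outside interface address
        return ("pat", OUTSIDE_IF)


# Posted configuration: nat0 exemption only for NorthShore, plus the identity static
POSTED = PixNat(
    nat0_acl=[("NorthShore", "VPNConnections")],
    statics=[("nssvrs", "nssvrs")],
)

# Corrected configuration: static removed, server-to-VPN traffic exempted instead
FIXED = PixNat(
    nat0_acl=[("NorthShore", "VPNConnections"), ("nssvrs", "VPNConnections")],
    statics=[],
)


def server_paths(pix, server="10.10.66.10", vpn_client="192.168.60.12",
                 internet_host="198.51.100.7"):
    """How a file server's packets to a VPN client and to an Internet host are translated."""
    return {
        "to_vpn": pix.translate(server, vpn_client),
        "to_internet": pix.translate(server, internet_host),
    }


def fix_commands():
    """PIX 6.x commands that replace the identity static with a NAT exemption."""
    return [
        "no static (inside,outside) nssvrs nssvrs netmask 255.255.255.0 0 0",
        "access-list inside_outbound_nat0_acl permit ip nssvrs 255.255.255.0 "
        "VPNConnections 255.255.255.192",
    ]


if __name__ == "__main__":
    for label, pix in (("posted", POSTED), ("fixed", FIXED)):
        print(label, server_paths(pix))
    print("\n".join(fix_commands()))
```

With the posted config both lookups return the untranslated 10.10.66.10, which is why the servers can reach the VPN pool but not the Internet; with the exemption in place the VPN path stays untranslated while Internet traffic falls through to the interface PAT.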
Would downloading and installing the Cisco VPN Client help in this matter? I believe I failed to mention that the end users are using the Windows VPN setup to connect in the present setup.
Got this working by removing the vpdn users, using the VPN Wizard and creating a VPN group; all works fine for now.
Also, I installed the Cisco VPN client on the end users' laptops and configured the newly created VPN group. I now have access to the internal network, and my servers can get access to the internet after removing the old access rule for the old vpdn users.