Tspiritstorm
IS-IT--Management
I have my VPN set up between my customer, who is using a Symantec FW, and my PIX 515E. The tunnels are up and active and everything seems to be groovy. I can ping the machines within the VPN, but I can't seem to use Terminal Services through the tunnel. By default the PIX creates an ACL allowing outbound traffic, correct? And I almost get the feeling that my PIX is trying to make the connection through the normal ACL instead of the VPN tunnel... any thoughts?
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.13 Web02
name 192.168.1.11 NS01
access-list ping_acl permit icmp any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq 3390
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq https
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq ftp-data
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq ftp
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq ssh
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq 873
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq 4899
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq 4899
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq 873
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq ssh
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq ftp
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq ftp-data
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq https
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq 3390
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq www
access-list 101 permit ip 192.168.1.0 255.255.255.0 130.1.0.0 255.255.0.0
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx
global (dmz) 1 192.168.1.100-192.168.1.200
nat (inside) 0 access-list 101
static (inside,outside) xxx.xxx.xxx.xxx Web02 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx NS01 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group ping_acl in interface inside
access-group ping_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http Web02 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set single esp-3des esp-md5-hmac
crypto map pix2sef 10 ipsec-isakmp
crypto map pix2sef 10 match address 101
crypto map pix2sef 10 set peer xxx.xxx.xxx.xxx
crypto map pix2sef 10 set transform-set single
crypto map pix2sef interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.xxx.xxx.xxx
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
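The symptom in the post (ICMP works through the tunnel, TCP/3389 does not) is what a PIX 6.x does when an access-group is bound inbound on the inside interface: once an ACL is applied to an interface, only traffic matching a permit entry may enter it, and everything else hits the implicit deny, regardless of security levels. In the posted config `ping_acl` (icmp any any) is bound `in interface inside`, and `sysopt connection permit-ipsec` only exempts decrypted IPsec traffic arriving on the outside interface, not inside-originated traffic on its way into the tunnel. The script below is an added example, not code from the poster or from Cisco: it parses the two posted lists that contain real addresses (`ping_acl` and `101`), evaluates them with first-match-wins plus implicit deny, and compares the posted `ping_acl` with a variant that adds one permit line for the tunnel subnets. The remote address 130.1.5.10 is a constructed host inside the customer's 130.1.0.0/16, and the extra `ping_acl` line is an assumption about one possible fix, not something the page states.

```python
"""Simulate PIX 6.x interface-ACL evaluation for the lists in the posted config.

Added example; not part of the original post. Only ping_acl and 101 are used,
since the acl_out entries carry masked xxx.xxx.xxx.xxx addresses.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Lists copied verbatim from the posted config.
POSTED_ACLS = """
access-list ping_acl permit icmp any any
access-list 101 permit ip 192.168.1.0 255.255.255.0 130.1.0.0 255.255.0.0
"""

# Assumed fix (not from the page): also permit inside -> customer traffic on
# the ACL bound to the inside interface, so it can reach the crypto map at all.
FIXED_ACLS = POSTED_ACLS + """
access-list ping_acl permit ip 192.168.1.0 255.255.255.0 130.1.0.0 255.255.0.0
"""

# PIX keyword port names seen in the posted acl_out list.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "ftp": 21, "ftp-data": 20, "ssh": 22}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens):
    """Consume one PIX address spec (any | host A | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX writes a real netmask (not a wildcard); ipaddress accepts NET/MASK directly.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acls(text):
    """Return {acl_name: [Ace, ...]} in the order the entries appear."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        name, action, proto = tok[1], tok[2], tok[3]
        src, rest = _parse_addr(tok[4:])
        dst, rest = _parse_addr(rest)
        dport = None
        if len(rest) >= 2 and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def evaluate(acl, flow):
    """First matching entry wins; a bound PIX ACL ends in an implicit deny."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action == "permit"
    return False


def inside_allows(flow, text=POSTED_ACLS):
    """Decision of the ACL bound 'in interface inside' for an inside-originated flow."""
    return evaluate(parse_acls(text)["ping_acl"], flow)


def tunnel_selects(flow, text=POSTED_ACLS):
    """Whether the flow matches crypto-map ACL 101 (also the nat 0 list) and gets encrypted."""
    return evaluate(parse_acls(text)["101"], flow)


if __name__ == "__main__":
    ping = Flow("icmp", "192.168.1.13", "130.1.5.10")          # constructed remote host
    rdp = Flow("tcp", "192.168.1.13", "130.1.5.10", 3389)
    dmz_rdp = Flow("tcp", "192.168.20.5", "130.1.5.10", 3389)  # constructed dmz host
    for name, f in (("ping", ping), ("rdp", rdp), ("dmz rdp", dmz_rdp)):
        print(f"{name:8} inside-acl posted={inside_allows(f)} fixed={inside_allows(f, FIXED_ACLS)}"
              f" crypto-acl={tunnel_selects(f)}")
```

Run as-is: ICMP passes the posted inside ACL, TCP/3389 to the same customer host is dropped by the implicit deny before it ever reaches the crypto map, and the same 3389 flow is permitted once the extra line is present. The DMZ case is there because 192.168.20.0/24 appears in neither ACL 101 nor `nat (inside) 0`, so DMZ hosts would be NATed and sent in the clear rather than through the tunnel even after the inside ACL is fixed.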