I am having trouble configuring a remote VPN client for a Cisco PIX 506. We had a contractor set up tunnels between our site and several others that work, but he did not set up anything for remote VPN clients. I am not very knowledgeable on configuring network devices, but I would like to get this working. Thus far I am just using the PDM and used the wizard to create the VPN. I can get connected and authenticated fine using a version 4.7 client, but once connected I cannot get to anything on the internal network (I had tried pinging the DNS servers at 192.168.12.5 and 192.168.12.6). I am sort of suspicious of the one line in the below config that seems (to my limited knowledge) to associate part of our internal network with the outside interface. That line is "pdm location 192.168.12.0 255.255.255.192 outside".
Can someone look at this config and tell me what might be wrong? I would rather not wait until the consultant gets back from vacation next week to get this working.
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ##hidden## encrypted
passwd ##hidden## encrypted
hostname WCS-PIX506
domain-name mydomain.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.12.5 RADIUS
object-group network ONE-NETS
network-object 192.168.50.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 172.31.0.0 255.255.255.0
network-object 172.29.9.0 255.255.255.0
object-group network TWO-NETS
network-object 192.168.8.0 255.255.252.0
object-group network WCS-NETS
network-object 192.168.12.0 255.255.255.0
object-group network REMOTE-NETS
group-object ONE-NETS
group-object TWO-NETS
object-group service VPN-Site2Site-TCP tcp
port-object eq www
port-object eq https
port-object eq imap4
port-object eq smtp
port-object eq domain
port-object eq telnet
port-object eq 135
port-object eq ldap
port-object eq 379
port-object eq 3268
object-group service VPN-Site2Site-UDP udp
port-object eq domain
port-object eq 135
access-list ACL-OUTSIDE permit icmp any any
access-list ACL-OUTSIDE permit tcp object-group REMOTE-NETS object-group WCS-NETS object-group VPN-Site2Site-TCP
access-list ACL-OUTSIDE permit udp object-group REMOTE-NETS object-group WCS-NETS object-group VPN-Site2Site-UDP
access-list ACL-OUTSIDE permit icmp object-group REMOTE-NETS object-group WCS-NETS
access-list ACL-OUTSIDE permit icmp any any echo-reply
access-list ACL-OUTSIDE permit icmp any any unreachable
access-list ACL-OUTSIDE permit icmp any any time-exceeded
access-list ACL-VPN-WCS2ONE permit ip object-group WCS-NETS object-group ONE-NETS
access-list NO-NAT permit ip object-group WCS-NETS object-group ONE-NETS
access-list NO-NAT permit ip object-group WCS-NETS object-group TWO-NETS
access-list NO-NAT permit ip any 192.168.12.0 255.255.255.192
access-list NO-NAT permit ip 192.168.12.0 255.255.254.0 192.168.14.0 255.255.255.128
access-list ACL-VPN-WCS2TWO permit ip object-group WCS-NETS object-group TWO-NETS
access-list WCS_users_splitTunnelAcl permit ip 192.168.12.0 255.255.254.0 any
access-list outside_cryptomap_dyn_580 permit ip any 192.168.14.0 255.255.255.128
pager lines 24
logging on
logging timestamp
logging buffered errors
logging trap debugging
logging history notifications
mtu outside 1500
mtu inside 1500
ip address outside 68.178.79.236 255.255.255.248
ip address inside 192.168.12.2 255.255.254.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.14.1-192.168.14.254 mask 255.255.255.0
pdm location 69.10.64.0 255.255.255.0 inside
pdm location 69.10.64.0 255.255.255.0 outside
pdm location 172.29.9.0 255.255.255.0 outside
pdm location 172.31.0.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.8.0 255.255.252.0 outside
pdm location 192.168.50.0 255.255.255.0 outside
pdm location RADIUS 255.255.255.255 inside
pdm location 192.168.12.0 255.255.255.0 inside
pdm location 192.168.14.0 255.255.255.128 outside
pdm location 192.168.12.0 255.255.255.192 outside
pdm group WCS-NETS inside
pdm group ONE-NETS outside
pdm group TWO-NETS outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group ACL-OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 68.178.79.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server WCSDC01 protocol radius
aaa-server WCSDC01 max-failed-attempts 3
aaa-server WCSDC01 deadtime 10
aaa-server WCSDC01 (inside) host RADIUS ##hidden## timeout 10
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
ntp server 192.5.41.40 source outside
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 500 set transform-set 3DES-MD5
crypto dynamic-map DYNMAP 520 set transform-set 3DES-MD5
crypto dynamic-map DYNMAP 540 set transform-set 3DES-MD5
crypto dynamic-map DYNMAP 560 set transform-set 3DES-MD5
crypto dynamic-map DYNMAP 580 match address outside_cryptomap_dyn_580
crypto dynamic-map DYNMAP 580 set transform-set 3DES-MD5
crypto map VPN-MAP-OUT 101 ipsec-isakmp
crypto map VPN-MAP-OUT 101 match address ACL-VPN-WCS2ONE
crypto map VPN-MAP-OUT 101 set peer 147.31.204.97
crypto map VPN-MAP-OUT 101 set transform-set ESP-3DES-MD5
crypto map VPN-MAP-OUT 102 ipsec-isakmp
crypto map VPN-MAP-OUT 102 match address ACL-VPN-WCS2TWO
crypto map VPN-MAP-OUT 102 set peer 216.143.158.99
crypto map VPN-MAP-OUT 102 set transform-set ESP-3DES-MD5
crypto map VPN-MAP-OUT 500 ipsec-isakmp dynamic DYNMAP
crypto map VPN-MAP-OUT client authentication RADIUS
crypto map VPN-MAP-OUT interface outside
isakmp enable outside
isakmp key ******** address 147.31.204.97 netmask 255.255.255.255
isakmp key ******** address 216.143.158.99 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 3
isakmp nat-traversal 30
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash md5
isakmp policy 3 group 2
isakmp policy 3 lifetime 86400
vpngroup WCS_users address-pool VPNPool
vpngroup WCS_users dns-server WCSDC01 192.168.12.6
vpngroup WCS_users wins-server WCSDC01 192.168.12.6
vpngroup WCS_users default-domain myADdomain.com
vpngroup WCS_users split-tunnel WCS_users_splitTunnelAcl
vpngroup WCS_users idle-time 1800
vpngroup WCS_users password ********
telnet 192.168.12.0 255.255.255.0 inside
telnet timeout 5
ssh 69.10.64.0 255.255.255.0 outside
ssh 69.10.64.0 255.255.255.0 inside
ssh 192.168.12.0 255.255.255.0 inside
ssh timeout 10
management-access inside
console timeout 0
username ##user1## password ##hidden## encrypted privilege 15
username ##user2## password ##hidden## encrypted privilege 15
username ##user3## password ##hidden## encrypted privilege 15
terminal width 80
Cryptochecksum:##hidden##
: end
[OK]
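A consistency check over the posted config, added here as an example and not part of the original post: it parses the `ip local pool`, `nat 0` exemption ACL (NO-NAT) and dynamic crypto-map ACL (outside_cryptomap_dyn_580) lines and lists every pool address that neither ACL names as a destination. The embedded excerpt is copied from the config above (the pool is a /24 while both ACLs reference 192.168.14.0/25); entries that use object-groups are skipped rather than expanded.

```python
import ipaddress

# Excerpt copied from the posted PIX 6.3(4) config (only the lines this check needs).
PIX_CONFIG = """
ip local pool VPNPool 192.168.14.1-192.168.14.254 mask 255.255.255.0
access-list NO-NAT permit ip 192.168.12.0 255.255.254.0 192.168.14.0 255.255.255.128
access-list outside_cryptomap_dyn_580 permit ip any 192.168.14.0 255.255.255.128
"""

def _take_net(tokens, i):
    """Consume one PIX address spec (``any`` or ``addr mask``) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2

def parse_config(text):
    """Return ({pool_name: (first, last)}, {acl_name: [(src_net, dst_net), ...]})."""
    pools, acls = {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            if "object-group" in t:
                continue  # object-group entries are not expanded by this check
            src, i = _take_net(t, 4)
            dst, _ = _take_net(t, i)
            acls.setdefault(t[1], []).append((src, dst))
    return pools, acls

def uncovered_pool_addresses(text, pool_name, acl_name):
    """Pool addresses that no entry of acl_name lists as a destination."""
    pools, acls = parse_config(text)
    lo, hi = pools[pool_name]
    dsts = [dst for _, dst in acls.get(acl_name, [])]
    missing, addr = [], lo
    while addr <= hi:
        if not any(addr in dst for dst in dsts):
            missing.append(str(addr))
        addr += 1
    return missing

if __name__ == "__main__":
    for acl in ("NO-NAT", "outside_cryptomap_dyn_580"):
        gap = uncovered_pool_addresses(PIX_CONFIG, "VPNPool", acl)
        print(f"{acl}: {len(gap)} pool addresses not covered"
              + (f" ({gap[0]} .. {gap[-1]})" if gap else ""))
```

Addresses the script reports are ones a client could be assigned whose traffic would not be exempted from NAT or matched by the dynamic crypto map; the same check with a /24 on both ACL lines reports none.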